The vulnerabilities could be exploited by a remote unauthenticated attacker to trigger a denial-of-service (DoS) condition and reboot vulnerable systems.
Impacted products are AppDefense, Container Service Extension, Enterprise PKS, Horizon, Hybrid Cloud Extension, Identity Manager, Integrated OpenStack, NSX, Pulse Console, SD-WAN, Skyline Collector, Unified Access Gateway, vCenter Server Appliance, vCloud, vRealize and vSphere products.
In the middle of June, Jonathan Looney, a security expert at Netflix, found three
The security holes, discovered by a researcher working for Netflix, are related to the way the kernel handles TCP Selective Acknowledgement (SACK) packets with a low maximum segment size (MSS). They could impact many devices, including servers, Android smartphones, and embedded systems.
The expert found a total of three vulnerabilities tracked as SACK Panic (CVE-2019-11477), SACK Slowness (CVE-2019-11478, which also impacts FreeBSD), and CVE-2019-11479.
According to VMware, both SACK Panic and SACK Slowness impact tens of its products. The SACK Panic issue was rated as “important” severity and received a CVSS score of 7.5, while the SACK Slowness was rated as “moderate” severity with a CVSS score of 5.3.
“Several vulnerabilities in the Linux kernel implementation of TCP Selective Acknowledgement (SACK) have been disclosed. These issues may allow a malicious entity to execute a Denial of Service attack against affected products,” reads the security advisory published by VMware.
“A malicious actor must have network access to an affected system including the ability to send traffic with low MSS values to the target. Successful exploitation of these issues may cause the target system to crash or significantly degrade performance.”
VMware is already working to address the issues in each of the impacted products. At the time of writing, the company issued security updates for SD-WAN software, Unified Access Gateway, and vCenter Server Appliance.
VMware also provided some workarounds to protect Virtual Appliances against potential attacks. The experts suggest either disabling SACK or modifying the built-in firewall (if available) in the base OS of the product to drop incoming connections with a low MSS value.
VMware also suggested workarounds for the vCloud Director for Service Providers Appliance.
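The following audit script is an added example, not taken from VMware's advisory: it checks whether either of the two Virtual Appliance workarounds described above (SACK disabled, or a firewall rule dropping low-MSS connections) is in place. It assumes a Linux base OS exposing `net.ipv4.tcp_sack`, an iptables firewall with the `tcpmss` match, and a "low MSS" threshold of 500 bytes; the function names and the threshold are illustrative choices, so use the value from the vendor KB for your product.

```shell
# Audit the two SACK workarounds: SACK disabled, or low-MSS traffic dropped.
# Assumed, not from the article: iptables/tcpmss firewall, threshold of 500.
MSS_LIMIT=500

# sack_disabled FILE: succeeds if the tcp_sack sysctl file holds 0.
sack_disabled() {
    [ "$(tr -d '[:space:]' 2>/dev/null < "$1")" = "0" ]
}

# low_mss_dropped FILE: succeeds if an iptables-save dump contains an INPUT
# rule that DROPs every MSS from 1 up to at least MSS_LIMIT.
# A negated match ("! --mss") or a narrower range does not count.
low_mss_dropped() {
    awk -v limit="$MSS_LIMIT" '
        /^-A INPUT / && /-m tcpmss/ && /-j DROP/ {
            for (i = 2; i < NF; i++) {
                if ($i != "--mss" || $(i - 1) == "!") continue
                n = split($(i + 1), r, ":")
                lo = r[1] + 0
                hi = (n > 1 ? r[2] : r[1]) + 0
                if (lo <= 1 && hi >= limit) found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# audit_sack_workaround SYSCTL_FILE RULES_FILE: prints a verdict and
# returns 0 when at least one workaround is active, 1 otherwise.
audit_sack_workaround() {
    if sack_disabled "$1"; then
        echo "OK: SACK is disabled"
        return 0
    fi
    if low_mss_dropped "$2"; then
        echo "OK: INPUT drops MSS 1..$MSS_LIMIT"
        return 0
    fi
    echo "EXPOSED: SACK enabled and no low-MSS drop rule found"
    return 1
}

# Live use on an appliance (needs root for iptables-save):
#   iptables-save > /tmp/rules.txt
#   audit_sack_workaround /proc/sys/net/ipv4/tcp_sack /tmp/rules.txt
if [ "$#" -eq 2 ]; then audit_sack_workaround "$1" "$2"; fi
```

Disabling SACK affects throughput on lossy links, so the firewall rule is usually the less disruptive of the two checks to satisfy.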