Yesterday, security engineers at Netflix reported several TCP networking vulnerabilities in the FreeBSD and Linux kernels. The most serious of these, called “SACK Panic”, allows a remote attacker to trigger a kernel panic on recent Linux kernels.
Netflix security engineers found four vulnerabilities in total. These were specifically related to the maximum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. MSS is a parameter in the TCP header of a packet that specifies the total amount of data a computer can receive in a single TCP segment. SACK is a mechanism that enables the data receiver to inform the sender about all the segments that have arrived successfully.
Soon after, Red Hat also listed the vulnerabilities, background, and patches on their website and credited Netflix for reporting them. According to Red Hat, the extent of the impact of these vulnerabilities is limited to denial of service. “No privilege escalation or information leak is currently suspected,” Red Hat wrote in its post.
Following are the vulnerabilities that were reported:
SACK Panic is the most severe of the four. An attacker can induce an integer overflow by sending a crafted sequence of SACKs on a TCP connection with a small MSS value. This leads to a kernel panic from which the operating system cannot recover without a restart, and hence to a denial of service.
This vulnerability affects Linux 2.6.29 and later versions.
The TCP retransmission queue in Linux kernels and the RACK send map in FreeBSD can be fragmented by sending a crafted sequence of SACKs. The attacker can then exploit the fragmented queue to cause “an expensive linked-list walk for subsequent SACKs received” on that TCP connection.
This vulnerability affects Linux 4.15 and earlier versions, and FreeBSD 12 using the RACK TCP stack.
An attacker can force a Linux kernel to divide its responses into multiple TCP segments, each carrying only 8 bytes of data. Sending the same amount of data then requires more bandwidth and consumes additional resources such as CPU and NIC processing power.
This vulnerability was found in all Linux versions.
The Netflix team has also listed the patches and workarounds for each vulnerability in the official report. Red Hat has recommended two options to mitigate the CVE-2019-11477 and CVE-2019-11478 vulnerabilities:
Red Hat will be making a ‘kpatch’ available for customers running supported versions of Red Hat Enterprise Linux 7 or greater. Red Hat customers using the affected versions are advised to update as soon as Red Hat makes the errata available. Additionally, Red Hat has provided an Ansible playbook, ‘disable_tcpsack_mitigate.yml’, which disables selective acknowledgments and makes the change permanent. More information about the mitigation steps is available on Red Hat’s official website.
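The SACK workaround described above, as an added shell example that is not from the article, Netflix's advisory, or Red Hat's playbook. It assumes the standard Linux sysctl net.ipv4.tcp_sack (exposed at /proc/sys/net/ipv4/tcp_sack) and a sysctl drop-in file whose name is my choice; both paths can be overridden through environment variables.

```shell
#!/bin/sh
# Added example: check whether TCP SACK is enabled on a Linux host and,
# if needed, disable it as the interim workaround for the SACK vulnerabilities.
# Assumptions: the standard sysctl path below and a drop-in under /etc/sysctl.d
# (file name chosen here, not Red Hat's). Writing requires root.

SACK_PROC="${SACK_PROC:-/proc/sys/net/ipv4/tcp_sack}"
SYSCTL_DROPIN="${SYSCTL_DROPIN:-/etc/sysctl.d/99-disable-tcp-sack.conf}"

# Print "enabled", "disabled" or "unknown" from the running kernel's tcp_sack value.
sack_status() {
    if [ ! -r "$SACK_PROC" ]; then
        echo "unknown"
        return 0
    fi
    if [ "$(cat "$SACK_PROC")" = "1" ]; then
        echo "enabled"
    else
        echo "disabled"
    fi
}

# Disable SACK at runtime and persist the setting across reboots, then
# print the resulting status. Returns 1 if either write fails.
# Caveat: disabling SACK degrades throughput on lossy links, so prefer the
# kernel update or kpatch once the errata is available.
disable_sack() {
    echo 0 > "$SACK_PROC" || return 1
    printf 'net.ipv4.tcp_sack = 0\n' > "$SYSCTL_DROPIN" || return 1
    sack_status
}
```

Run `sack_status` from an audit script to report hosts still exposed, and `disable_sack` as root only on hosts that cannot yet take the kernel fix.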