Netflix Information Security’s Jonathan Looney has identified three Linux vulnerabilities, two related to the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities and one related only to MSS; the most serious of them is SACK Panic, which can panic and reboot affected systems. According to Red Hat, the problems affecting the kernel’s TCP processing are tracked under multiple CVEs, with a CVSSv3 base score of 7.5 assigned to CVE-2019-11477 (SACK Panic), while CVE-2019-11478 and CVE-2019-11479 are rated as moderate vulnerabilities. As detailed in Netflix’s NFLX-2019-001 security advisory, patches are available, along with mitigations for machines where patching is not an immediate or easy option.
The SACK Panic security flaw
The SACK Panic vulnerability (Debian, Red Hat, Ubuntu, SUSE, AWS) affects Linux kernel 2.6.29 and later. It can be exploited by “sending a crafted sequence of SACK segments on a TCP connection with a small TCP MSS value,” which triggers an integer overflow. To resolve the problem, “apply PATCH_net_1_4.patch; additionally, versions of the Linux kernel up to and including 4.14 require a second patch, PATCH_net_1a.patch,” the Netflix Information Security advisory notes. To mitigate the issue without patching, users and administrators can either disable SACK processing on the system entirely (by setting /proc/sys/net/ipv4/tcp_sack to 0) or block connections with a low MSS using the filters supplied by Netflix Information Security; the second mitigation only works if TCP MTU probing is disabled.
More denial-of-service vulnerabilities
The other two vulnerabilities affect all Linux versions. CVE-2019-11478 (referred to as SACK Slowness) is exploitable by sending ‘a crafted sequence of SACKs fragmenting the TCP retransmission queue,’ while CVE-2019-11479 allows attackers to trigger a DoS condition by sending ‘crafted packets with low MSS values to trigger excessive resource use.’ CVE-2019-5599 is the FreeBSD counterpart of CVE-2019-11478; it affects FreeBSD 12 installations using the RACK TCP stack and can be exploited by sending “a crafted sequence of SACKs fragmenting the RACK send map.”

Linux admins and users can fix the first by applying PATCH_net_2_4.patch and the second by applying the security patches PATCH_net_3_4.patch and PATCH_net_4_4.patch. CVE-2019-5599 can be patched by applying “split_limit.patch and setting a reasonable value for the net.inet.tcp.rack.split_limit sysctl to limit the SACK table size.” As workarounds, both CVE-2019-11478 and CVE-2019-11479 can be mitigated by blocking remote network connections with a low MSS using the filters supplied by Netflix Information Security; note that applying the filters could break legitimate low-MSS connections. The FreeBSD flaw can be mitigated simply by switching off the RACK TCP stack.

“The extent of the impact at this time is understood to be limited to denial of service. There is currently no suspicion of privilege escalation or information leakage,” says Red Hat. “Good system and application coding and configuration practices (limiting write buffers to the required level, monitoring connection memory consumption via SO_MEMINFO, and aggressively closing misbehaving connections) can help limit the impact of attacks on vulnerabilities of this kind,” Netflix Information Security notes in its advisory.
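The patch and mitigation decisions above (affected kernel range, the second patch for kernels up to 4.14, disabling SACK, and the low-MSS filter that only works with TCP MTU probing off) can be turned into a host checklist. The script below is an added example, not code from the article or from Netflix’s advisory. It assumes the kernel sysctls net.ipv4.tcp_sack and net.ipv4.tcp_mtu_probing (read from their /proc/sys files) and uses the netfilter tcpmss match as one way to express the low-MSS block; the 500-byte MSS cutoff is this example’s choice, not a value from the article. The firewall rules are printed, never applied.

```shell
#!/bin/sh
# Added example (not from the article or the Netflix advisory): a POSIX sh
# checklist for the SACK Panic patch/mitigation decisions.
# Assumptions: sysctls net.ipv4.tcp_sack and net.ipv4.tcp_mtu_probing, the
# netfilter "tcpmss" match, and an example MSS cutoff of 500 bytes.

# split_version VERSION: set VMAJ, VMIN, VPAT from "MAJOR.MINOR.PATCH[-suffix]";
# missing or non-numeric fields become 0 (so "5.1.0-generic" -> 5 1 0).
split_version() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    VMAJ=${1%%[!0-9]*}; VMIN=${2%%[!0-9]*}; VPAT=${3%%[!0-9]*}
    VMAJ=${VMAJ:-0}; VMIN=${VMIN:-0}; VPAT=${VPAT:-0}
}

# kernel_affected VERSION: succeed when VERSION is 2.6.29 or later, the range
# the article gives for SACK Panic.
kernel_affected() {
    split_version "$1"
    [ "$VMAJ" -gt 2 ] && return 0
    [ "$VMAJ" -eq 2 ] && [ "$VMIN" -gt 6 ] && return 0
    [ "$VMAJ" -eq 2 ] && [ "$VMIN" -eq 6 ] && [ "$VPAT" -ge 29 ] && return 0
    return 1
}

# needs_patch_1a VERSION: succeed for kernels up to and including 4.14, which
# the advisory says also need PATCH_net_1a.patch.
needs_patch_1a() {
    split_version "$1"
    [ "$VMAJ" -lt 4 ] && return 0
    [ "$VMAJ" -eq 4 ] && [ "$VMIN" -le 14 ] && return 0
    return 1
}

# sysctl_is_zero FILE: succeed when the sysctl file holds "0" (2 if unreadable).
sysctl_is_zero() {
    [ -r "$1" ] || return 2
    [ "$(tr -d '[:space:]' < "$1")" = "0" ]
}

# Low-MSS filter: drop incoming SYNs whose advertised MSS is below the cutoff.
# Only printed, so this script never changes the firewall by itself.
LOW_MSS_CUTOFF=500   # example threshold chosen for this script
print_low_mss_filter() {
    printf 'iptables -A INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:%s -j DROP\n' "$LOW_MSS_CUTOFF"
    printf 'ip6tables -A INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:%s -j DROP\n' "$LOW_MSS_CUTOFF"
}

# sack_panic_report VERSION SACK_FILE PROBING_FILE: print what to do for one
# host, given its kernel version and its tcp_sack / tcp_mtu_probing settings.
sack_panic_report() {
    kver=$1; sack_file=$2; probing_file=$3
    if kernel_affected "$kver"; then
        printf 'kernel %s: in the affected range (2.6.29+); apply PATCH_net_1_4.patch' "$kver"
        needs_patch_1a "$kver" && printf ' and PATCH_net_1a.patch'
        printf '\n'
    else
        printf 'kernel %s: older than 2.6.29, not affected by SACK Panic\n' "$kver"
    fi
    if sysctl_is_zero "$sack_file"; then
        echo 'tcp_sack=0: SACK processing disabled, SACK Panic mitigated'
    else
        echo 'tcp_sack enabled: patch, or set net.ipv4.tcp_sack=0 as a stopgap'
    fi
    if sysctl_is_zero "$probing_file"; then
        echo 'tcp_mtu_probing=0: the low-MSS filter can be used:'
        print_low_mss_filter | sed 's/^/    /'
    else
        echo 'tcp_mtu_probing enabled: the low-MSS filter would not work here'
    fi
}

# Only touch the live host when explicitly asked (sh sack_check.sh --report).
if [ "${1:-}" = "--report" ]; then
    sack_panic_report "$(uname -r)" /proc/sys/net/ipv4/tcp_sack /proc/sys/net/ipv4/tcp_mtu_probing
fi
```

Run it with `--report` on a Linux host to get the three verdicts; the functions take the version and file paths as arguments so the logic can be checked against constructed values before it is pointed at /proc. Remember that the printed filter trades the DoS risk for breaking legitimate clients that genuinely need a small MSS, as the article notes.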