Netflix researcher Jonathan Looney uncovered four vulnerabilities, CVE-2019-11477, CVE-2019-11478, CVE-2019-5599, and CVE-2019-11479, in the TCP implementations of the Linux and FreeBSD kernels. All four stem from how the kernels handle the TCP Maximum Segment Size (MSS) and Selective Acknowledgement (SACK) options. The most serious is CVE-2019-11477, dubbed SACK Panic, which a remote, unauthenticated attacker who can open a TCP connection to an affected host can abuse to trigger a kernel panic on recent Linux systems, taking the machine down. Netflix rated SACK Panic as Important and the other three as Moderate.
Netflix's advisory (security bulletin NFLX-2019-001) notes that patches are available for all four issues, and that workarounds reduce exposure on hosts where patches cannot be applied immediately.
CVE-2019-11477: A vulnerability for inducing kernel panic
SACK Panic, the most serious of the four, affects Linux kernels 2.6.29 and later. An attacker first negotiates a very small MSS for the connection (Linux accepts an MSS as low as 48 bytes, leaving 8 bytes of payload per segment) and then sends a crafted sequence of SACKs. The combination overflows the kernel's 16-bit per-packet segment count, which trips an internal consistency check (a BUG_ON) and panics the kernel.
A kernel panic is a fatal error from which the operating system cannot recover without a reboot. A panicking kernel prints diagnostic information to the console, writes kernel memory to disk for later debugging if crash dumping is configured, and then halts all CPU operation. On a server this means every service on the host goes down at once, and the host stays down until it is rebooted manually, by a watchdog, or by a configured panic timeout.
CVE-2019-11478, CVE-2019-5599, and CVE-2019-11479
CVE-2019-11478, dubbed SACK Slowness, affects Linux kernels before 4.15 in its more severe form and all Linux versions to a lesser extent, as excess resource usage. An attacker sends a crafted sequence of SACKs that fragments the TCP retransmission queue into many small pieces. On kernels before 4.15, where the retransmission queue is a linked list, further SACKs on the same connection force the kernel to walk that long, fragmented list for every acknowledgement, consuming CPU and slowing the system. Kernels 4.15 and later keep the queue in a red-black tree, so the walk is cheaper, but the fragmented queue still costs memory and CPU.
CVE-2019-5599 is the FreeBSD counterpart of SACK Slowness. It affects FreeBSD 12 systems that use the RACK TCP stack, which is an optional alternative to the default stack. A crafted sequence of SACKs fragments the RACK send map, and further SACKs on the same connection then force expensive walks of that fragmented map, with the same slowdown as on Linux.
The last vulnerability, CVE-2019-11479, Excess Resource Consumption Due to Low MSS Values, affects all Linux versions. Because the Linux kernel honours an MSS as low as 48 bytes, which after 40 bytes of IP and TCP headers leaves room for only 8 bytes of data, a peer that advertises such an MSS forces the kernel to split its responses into many tiny segments. This multiplies the bandwidth, CPU time and NIC processing needed to deliver the same amount of data. Unlike SACK Panic, this attack is not a one-shot: the attacker must keep the connection and the traffic going, and the system recovers as soon as the attacker stops sending.
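To make the two mechanisms above concrete, the following is an added illustration written for this article; it is not Netflix's proof of concept and not Linux kernel code. It models (a) why a 544 KiB socket buffer sent at the minimum MSS overflows a 16-bit segment counter, the arithmetic behind SACK Panic, and (b) how SACKs that cover only slices of a queued buffer make the retransmission queue longer rather than shorter, the mechanism behind SACK Slowness. The constants (40-byte headers, 48-byte minimum MSS, 17 fragments of 32 KiB per buffer, a 16-bit counter) are taken from the advisory's description and are assumptions of the model; the queue itself is a deliberate simplification that ignores coalescing of adjacent acknowledged pieces.

```python
from math import ceil

# Model constants (assumptions taken from the advisory's description of the Linux stack).
IP_TCP_HEADERS = 40                 # 20-byte IPv4 header + 20-byte TCP header, no options
LINUX_MIN_MSS = 48                  # smallest MSS Linux honours: 8 bytes of payload per segment
MAX_SKB_PAYLOAD = 17 * 32 * 1024    # an skb can carry 17 fragments of 32 KiB: 544 KiB of payload
GSO_SEGS_MAX = 0xFFFF               # the per-skb segment count is stored in a 16-bit field


def payload_per_segment(mss):
    """Bytes of application data per segment; MSS below the Linux floor is clamped up to it."""
    return max(mss, LINUX_MIN_MSS) - IP_TCP_HEADERS


def segments_for(payload_bytes, mss):
    """Number of TCP segments a payload of payload_bytes splits into at this MSS."""
    return ceil(payload_bytes / payload_per_segment(mss))


def gso_segs_overflow(payload_bytes, mss):
    """Model the 16-bit segment counter: (true count, value a u16 field keeps, overflowed?)."""
    true_count = segments_for(payload_bytes, mss)
    stored = true_count & GSO_SEGS_MAX
    return true_count, stored, stored != true_count


def apply_sack_blocks(queue, sack_blocks):
    """Simplified retransmission queue: a list of (start, end, sacked) half-open byte ranges.

    A SACK block that covers only part of an unacknowledged range splits that range into
    up to three pieces, so SACKs aimed at the interior of a buffer grow the queue.
    Coalescing of adjacent acknowledged pieces is ignored; the demo keeps them apart anyway.
    """
    for lo, hi in sack_blocks:
        new_queue = []
        for start, end, sacked in queue:
            if sacked or hi <= start or lo >= end:      # already acked or not covered
                new_queue.append((start, end, sacked))
                continue
            if start < lo:                                # unacked head before the block
                new_queue.append((start, lo, False))
            new_queue.append((max(start, lo), min(end, hi), True))
            if hi < end:                                  # unacked tail after the block
                new_queue.append((hi, end, False))
        queue = new_queue
    return queue


def fragmented_queue_length(n_blocks, skb_len=32 * 1024, hole=8):
    """Queue one skb of skb_len bytes, then SACK n_blocks 8-byte slices separated by
    8-byte holes. Returns how many queue entries the kernel would now have to walk."""
    blocks = [(hole * (2 * i + 1), hole * (2 * i + 1) + hole) for i in range(n_blocks)]
    if blocks and blocks[-1][1] > skb_len:
        raise ValueError("too many blocks for a single skb of this size")
    return len(apply_sack_blocks([(0, skb_len, False)], blocks))


if __name__ == "__main__":
    for mss in (1460, 536, LINUX_MIN_MSS):
        true_count, stored, overflowed = gso_segs_overflow(MAX_SKB_PAYLOAD, mss)
        print(f"MSS {mss:>5}: {true_count:>6} segments, u16 keeps {stored:>5}, overflow={overflowed}")
    for n in (1, 10, 100):
        print(f"{n:>3} interior SACK blocks -> {fragmented_queue_length(n)} queue entries")
```

At an MSS of 1460 the full buffer needs a few hundred segments; at the 48-byte floor it needs 69,632, which a 16-bit counter wraps to 4,096, and it is that mismatch between the real and recorded segment count that the kernel's consistency check catches. The queue model shows the other half of the story: every interior SACK block adds two entries, so a hundred carefully placed blocks turn one buffer into 201 entries that the pre-4.15 list walk must traverse on each subsequent acknowledgement.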
Patches and workarounds
The disclosure came with fixes. Source-code patches for Linux and FreeBSD were published alongside the advisory, which also lists workarounds for hosts that cannot be patched straight away: disabling SACK processing (on Linux, setting net.ipv4.tcp_sack to 0, which mitigates CVE-2019-11477 and CVE-2019-11478 at the cost of some throughput on lossy links), and dropping incoming connections that advertise a low MSS with a packet-filter rule, which mitigates all three Linux issues but also rejects legitimate clients that genuinely need a small MSS and is only reliable if the kernel's own MTU probing (net.ipv4.tcp_mtu_probing) is disabled. On FreeBSD, the workaround for CVE-2019-5599 is to stop using the RACK stack. The Linux patches additionally introduce a net.ipv4.tcp_min_snd_mss sysctl, defaulting to 48, that sets a floor on the MSS the kernel will use when sending.
At the time of writing, the following Linux vendors have already released advisories or discussed plans to release fixes:
The Netflix advisory (NFLX-2019-001) lists the complete requirements and preconditions for each mitigation.
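As an added example (not code from Netflix, the Linux project or this article's author), here is a small audit script that reads the three sysctls relevant to the workarounds above from /proc/sys and tells an administrator what still needs doing on a Linux host. The logic is kept in a pure evaluate() function so it can also be run against values collected elsewhere. The MSS ceiling of 500 in the filter rule is the advisory's suggested starting point and needs tuning per environment; treating the presence of net.ipv4.tcp_min_snd_mss as "the CVE-2019-11479 fix is in" is an assumption of this script, since a vendor could in principle backport the fixes differently.

```python
from pathlib import Path

SYSCTL_DIR = Path("/proc/sys/net/ipv4")
MSS_FILTER_CEILING = 500   # advisory's suggested starting value; tune for your environment


def read_sysctl(name, sysctl_dir=SYSCTL_DIR):
    """Integer value of an ipv4 sysctl, or None if this kernel does not expose it."""
    path = sysctl_dir / name
    if not path.exists():
        return None
    return int(path.read_text().strip())


def low_mss_filter_rule(ceiling=MSS_FILTER_CEILING):
    """iptables form of the advisory's workaround: drop SYNs that advertise an MSS up to ceiling."""
    return (f"iptables -I INPUT -p tcp --tcp-flags SYN SYN "
            f"-m tcpmss --mss 1:{ceiling} -j DROP")


def evaluate(tcp_sack, tcp_min_snd_mss, tcp_mtu_probing):
    """Assess three sysctl values (None means the sysctl is absent) and list remaining actions."""
    sack_enabled = tcp_sack == 1
    # Assumption: tcp_min_snd_mss was added by the CVE-2019-11479 fix, which shipped together
    # with the SACK fixes, so a kernel that lacks it is treated as unpatched for all three.
    has_mss_fix = tcp_min_snd_mss is not None
    # The low-MSS SYN filter is only reliable when the kernel never lowers the MSS on its own
    # through MTU probing (tcp_mtu_probing == 0, the default).
    mss_filter_effective = (tcp_mtu_probing or 0) == 0

    actions = []
    if not has_mss_fix:
        actions.append("Kernel lacks net.ipv4.tcp_min_snd_mss: apply the vendor patch "
                       "(CVE-2019-11477, CVE-2019-11478, CVE-2019-11479).")
        if sack_enabled:
            actions.append("Until patched, set net.ipv4.tcp_sack=0 to block "
                           "CVE-2019-11477 and CVE-2019-11478.")
        if mss_filter_effective:
            actions.append("Until patched, install the low-MSS SYN filter: " + low_mss_filter_rule())
        else:
            actions.append("net.ipv4.tcp_mtu_probing is enabled, so the low-MSS filter is not a "
                           "reliable workaround; set it to 0 first or rely on the patch.")
    return {
        "sack_enabled": sack_enabled,
        "has_mss_fix": has_mss_fix,
        "min_snd_mss": tcp_min_snd_mss,
        "mss_filter_effective": mss_filter_effective,
        "actions": actions,
    }


def audit_host(sysctl_dir=SYSCTL_DIR):
    """Read the live sysctls and evaluate them."""
    return evaluate(read_sysctl("tcp_sack", sysctl_dir),
                    read_sysctl("tcp_min_snd_mss", sysctl_dir),
                    read_sysctl("tcp_mtu_probing", sysctl_dir))


if __name__ == "__main__":
    result = audit_host()
    print(f"SACK enabled: {result['sack_enabled']}, tcp_min_snd_mss: {result['min_snd_mss']}, "
          f"low-MSS filter usable: {result['mss_filter_effective']}")
    for line in result["actions"] or ["No action needed by this check."]:
        print(line)
```

Run it as root on each Linux host; a patched kernel reports its tcp_min_snd_mss value and no actions, while an unpatched one gets the two interim workarounds spelled out. The script deliberately does not apply anything itself, because both workarounds have side effects (lost SACK performance, dropped low-MSS clients) that a human should weigh before they go in.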