Linux and FreeBSD servers are exposed to a remotely triggered denial-of-service flaw dubbed SACK Panic, along with three related TCP vulnerabilities that degrade performance rather than crash the host.
Four security vulnerabilities affecting a range of Linux and FreeBSD servers were found by Netflix Information Security researcher Jonathan Looney. One of them, dubbed SACK Panic, is more dangerous than the others, as it can be used to crash a machine from across the network.
According to the Netflix advisory, the vulnerabilities relate to the TCP maximum segment size (MSS) and TCP Selective Acknowledgement (SACK) handling. The most serious one, SACK Panic, allows a remote attacker to trigger a kernel panic on recent Linux kernels.
Here’s a list of the vulnerabilities:
CVE-2019-11477, also known as SACK Panic
The vulnerability affects Linux 2.6.29 and higher.
According to the official description, a crafted sequence of SACKs can trigger an integer overflow in the kernel's TCP retransmission handling, which hits a kernel BUG_ON and panics. A kernel panic is not a slowdown but a halt: the operating system stops entirely and the machine has to be rebooted, so every service on it is down until it comes back. An attacker only needs to be able to open a TCP connection to a listening service on the target, and can repeat the crash each time the machine returns.
CVE-2019-11478, also known as SACK Slowness
The vulnerability affects all Linux versions. It is triggered when an attacker sends a crafted sequence of SACKs that fragments the TCP retransmission queue. On Linux kernels prior to 4.15, the attacker can further exploit the fragmented queue to cause an expensive linked-list walk for every subsequent SACK received on that same TCP connection, the researchers explain.
CVE-2019-5599, also known as SACK Slowness
The vulnerability affects FreeBSD 12 using the RACK TCP Stack.
An attacker can send a crafted sequence of SACKs that fragments the RACK send map, and then exploit the fragmented send map to cause an expensive linked-list walk for subsequent SACKs received on that same TCP connection. RACK is not the default TCP stack in FreeBSD 12, so only systems that have explicitly loaded it are affected.
CVE-2019-11479, also known as Excess Resource Consumption Due to Low MSS Values
The vulnerability affects all Linux versions.
According to the vulnerability's official description, an attacker can force the Linux kernel to segment its responses into multiple TCP segments, each carrying only 8 bytes of data: the smallest MSS the kernel accepted was 48 bytes, and up to 40 bytes of that can be consumed by TCP options. Delivering the same amount of data therefore costs far more bandwidth, since every 8-byte payload carries its own IP and TCP headers.
Additional resources (CPU and NIC processing power) are consumed as well. Unlike SACK Panic, this attack requires continued effort from the attacker, and its impact ends shortly after the attacker stops sending traffic.
The good news is that patches and workarounds are available for each vulnerability. Kernel patches are the proper fix; check your distribution's advisory rather than the raw kernel version, since fixes are backported. Where patching has to wait, the advisory describes two workarounds for Linux: disable SACK processing by setting the net.ipv4.tcp_sack sysctl to 0, which blocks the SACK-based attacks at the cost of slower recovery on lossy links, and drop connections that advertise a low MSS with an iptables rule, which blocks the low-MSS attack but may break legitimate peers that genuinely need a small MSS and is only effective while net.ipv4.tcp_mtu_probing is 0. On FreeBSD, the workaround is to not load the RACK TCP stack until the fix is applied.
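The following script is an added example and is not code from the original article or from the Netflix advisory. It audits a Linux host for the workarounds described above (SACK processing disabled, MTU probing off, a low-MSS DROP rule in place) and prints the commands that would apply them, without running them. The MSS floor of 500 matches the example value used in the advisory's filters; the function names, the optional path arguments used for testing, and the audit output format are this example's own.

```shell
#!/bin/sh
# Added example, not from the article or the Netflix advisory: audit a Linux
# host for the SACK Panic workarounds and print the commands that would apply
# them. MSS_FLOOR=500 is the advisory's example filter value; tune it for your
# network, and remember that dropping low-MSS peers can break legitimate
# connections that genuinely need a small MSS.

MSS_FLOOR=${MSS_FLOOR:-500}

# Read a single sysctl value from a /proc/sys file. Prints the value, or
# "missing" when the file is absent (containers often lack some knobs).
read_knob() {
    if [ -r "$1" ]; then
        read -r val < "$1" && printf '%s\n' "$val"
    else
        printf 'missing\n'
    fi
}

# True when SACK processing is off (mitigates the SACK-based attacks at the
# cost of slower loss recovery). $1 optionally overrides the /proc path.
sack_disabled() {
    [ "$(read_knob "${1:-/proc/sys/net/ipv4/tcp_sack}")" = "0" ]
}

# True when MTU probing is off. The low-MSS filter is only effective while
# this is 0, because probing lets the stack lower the effective MSS itself.
mtu_probing_off() {
    [ "$(read_knob "${1:-/proc/sys/net/ipv4/tcp_mtu_probing}")" = "0" ]
}

# True when the iptables-save style rules on stdin contain a DROP for
# TCP segments whose MSS option lies in 1:MSS_FLOOR.
low_mss_rule_present() {
    grep -Eq -- "-m tcpmss --mss 1:${MSS_FLOOR} .*-j DROP"
}

# Print the workaround commands. Review them before piping them into a shell.
workaround_commands() {
    cat <<EOF
sysctl -w net.ipv4.tcp_sack=0
sysctl -w net.ipv4.tcp_mtu_probing=0
iptables -I INPUT -p tcp -m tcpmss --mss 1:${MSS_FLOOR} -j DROP
ip6tables -I INPUT -p tcp -m tcpmss --mss 1:${MSS_FLOOR} -j DROP
EOF
}

# Report on the running host. Exit status is the number of unmet checks.
audit_host() {
    unmet=0
    if sack_disabled; then echo "ok    SACK processing disabled"
    else echo "TODO  SACK processing enabled (net.ipv4.tcp_sack)"; unmet=$((unmet+1)); fi
    if mtu_probing_off; then echo "ok    MTU probing off"
    else echo "TODO  net.ipv4.tcp_mtu_probing is not 0; low-MSS filter ineffective"; unmet=$((unmet+1)); fi
    if command -v iptables-save >/dev/null 2>&1 && iptables-save 2>/dev/null | low_mss_rule_present; then
        echo "ok    low-MSS DROP rule present (floor ${MSS_FLOOR})"
    else echo "TODO  no iptables rule dropping MSS 1:${MSS_FLOOR}"; unmet=$((unmet+1)); fi
    return "$unmet"
}

# Usage: ./sack_audit.sh audit      (inspect this host)
#        ./sack_audit.sh commands   (print the workaround commands)
case "${1-}" in
    audit) audit_host ;;
    commands) workaround_commands ;;
    "") ;;   # no subcommand: only define the functions (e.g. when sourced)
    *) echo "usage: $0 audit|commands" >&2; exit 2 ;;
esac
```

Run it as root for a meaningful `audit`, since iptables-save needs privileges; an unprivileged run still reports the sysctl state. The script deliberately prints rather than applies the workarounds so that the low-MSS filter, which can cut off legitimate peers, is never installed without someone having read the rule first.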