Overview
Recently, Red Hat released a security bulletin, pointing out multiple TCP-based remote denial-of-service vulnerabilities in the Linux kernel, namely, a SACK Panic vulnerability of important severity and two other vulnerabilities of moderate severity.
Reference:
https://access.redhat.com/security/vulnerabilities/tcpsack
Vulnerability Overview
CVE-2019-11477 SACK Panic
CVE-2019-11477 is an integer overflow vulnerability called SACK Panic, which a remote attacker can trigger by sending a crafted sequence of Selective Acknowledgement (SACK) TCP segments to a vulnerable system, possibly causing a kernel panic. Successful exploitation of this vulnerability results in a denial-of-service (DoS) condition on the affected system.
- Affected versions:
Linux kernel >= 2.6.29
- Stable kernel versions that have fixed this vulnerability:
Linux kernel 4.4.182, 4.9.182, 4.14.127, 4.19.52, and 5.1.11
Solutions:
Use the detection script given in the following link to check whether your current system is vulnerable:
https://access.redhat.com/security/vulnerabilities/tcpsack
Apply patches:
PATCH_net_1_4.patch fixes the vulnerability in Linux kernel >= 2.6.29 and can be found in the following link:
Linux kernel >= 4.14 needs a second patch, PATCH_net_1a.patch:
Alternatively, disable SACK by setting /proc/sys/net/ipv4/tcp_sack to 0.
For more mitigations, please visit:
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
CVE-2019-11478 SACK Slowness or Excess Resource Usage
CVE-2019-11478 is an excess resource usage vulnerability, which a remote attacker can trigger by sending a sequence of SACK TCP segments, leading to fragmentation of the TCP retransmission queue. In addition, on Linux kernels before 4.15, an attacker can further exploit the fragmented queue to cause an expensive linked-list walk for subsequent SACKs received on the same TCP connection, adding to the fragmentation. That is why this vulnerability is called "SACK slowness". Successful exploitation of this vulnerability has a significant impact on system performance and may cause a denial of service.
- Affected versions:
SACK slowness affects Linux kernels earlier than 4.15
Excess resource usage affects all versions of the Linux kernel
- Stable kernel versions that have fixed this vulnerability:
Linux kernel 4.4.182, 4.9.182, 4.14.127, 4.19.52, and 5.1.11
Solutions:
Apply PATCH_net_2_4.patch:
Alternatively, disable SACK by setting /proc/sys/net/ipv4/tcp_sack to 0.
For more mitigations, please visit:
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
CVE-2019-11479
CVE-2019-11479 is an excess resource usage vulnerability, which a remote attacker can trigger by advertising a low Maximum Segment Size (MSS), causing a vulnerable system to consume excessive bandwidth and resources. Successful exploitation of this vulnerability drives the affected system to maximum resource usage, thus degrading system performance.
- Affected versions:
All versions of the Linux kernel
- Stable kernel versions that have fixed this vulnerability:
Linux kernel 4.4.182, 4.9.182, 4.14.127, 4.19.52, and 5.1.11
Solutions:
Apply PATCH_net_3_4.patch (https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001/PATCH_net_3_4.patch) and PATCH_net_4_4.patch (https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001/PATCH_net_4_4.patch).
For more mitigations, please visit:
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
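The three Solutions sections above give two checks an administrator can make locally: whether the running kernel is older than the fixed stable release on its branch, and whether the SACK workaround (tcp_sack set to 0) is in place. The following POSIX shell script is an added example, not part of the NSFOCUS advisory, the Red Hat detection script or the Netflix bulletin. It takes the fixed stable versions exactly as listed in this advisory (4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11) and compares the numeric part of `uname -r` against the entry for the same major.minor branch; the function and variable names are the author's own choices. A kernel on a branch the advisory does not list (for example 5.2 or later, or an end-of-life branch) is reported as "not-listed" rather than guessed at.

```shell
#!/bin/sh
# Added example (not from the NSFOCUS advisory): heuristic check of kernel
# version and SACK state for the TCP SACK issues described above.
#
# Caveat: distributions backport fixes without changing the upstream version
# number, so "vulnerable" here means "compare against your vendor's errata",
# not a confirmed exposure. Disabling SACK is the workaround this advisory
# lists for CVE-2019-11477 and CVE-2019-11478 only; CVE-2019-11479 is
# addressed by the patches, not by the tcp_sack setting.

# Fixed stable versions as listed in the advisory, one per stable branch.
FIXED_VERSIONS="4.4.182 4.9.182 4.14.127 4.19.52 5.1.11"

# Strip a distribution suffix: "4.19.52-1-amd64" -> "4.19.52".
kernel_numeric() {
  printf '%s\n' "${1%%[!0-9.]*}"
}

# Compare two dotted numeric versions field by field.
# Prints -1, 0 or 1 for "$1 < $2", "$1 = $2", "$1 > $2". Missing fields count as 0.
vercmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ -z "$x" ] && x=0
    [ -z "$y" ] && y=0
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
    case $a in *.*) a=${a#*.};; *) a='';; esac
    case $b in *.*) b=${b#*.};; *) b='';; esac
  done
  printf '%s\n' 0
}

# The stable branch ("major.minor") a version belongs to: "4.14.100" -> "4.14".
branch_of() {
  v=$(kernel_numeric "$1")
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  printf '%s.%s\n' "$major" "$minor"
}

# Print the fixed version for a branch; return 1 if the advisory lists none.
fixed_for_branch() {
  b=$1
  for f in $FIXED_VERSIONS; do
    [ "$(branch_of "$f")" = "$b" ] && { printf '%s\n' "$f"; return 0; }
  done
  return 1
}

# Prints "vulnerable", "fixed" or "not-listed" for a uname -r style string.
assess_kernel() {
  ver=$(kernel_numeric "$1")
  branch=$(branch_of "$ver")
  fix=$(fixed_for_branch "$branch") || { printf 'not-listed\n'; return 0; }
  if [ "$(vercmp "$ver" "$fix")" -lt 0 ]; then
    printf 'vulnerable\n'
  else
    printf 'fixed\n'
  fi
}

# Prints "enabled", "disabled" or "unknown" from a tcp_sack sysctl file.
# The path argument exists so the function can be exercised on a test file.
sack_status() {
  file=${1:-/proc/sys/net/ipv4/tcp_sack}
  [ -r "$file" ] || { printf 'unknown\n'; return 0; }
  read -r val < "$file"
  if [ "$val" = "0" ]; then printf 'disabled\n'; else printf 'enabled\n'; fi
}

# Report on the running system.
report() {
  k=$(uname -r)
  printf 'kernel %s: %s (fixed versions: %s)\n' "$k" "$(assess_kernel "$k")" "$FIXED_VERSIONS"
  printf 'net.ipv4.tcp_sack: %s\n' "$(sack_status)"
}

report
```

Run it as root or as an ordinary user; reading tcp_sack needs no privilege. A "vulnerable" result on a distribution kernel should be followed by the vendor's own check (the Red Hat detection script linked above), since backported packages keep the older upstream version string.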
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
NSFOCUS IB is a wholly owned subsidiary of NSFOCUS, an enterprise application and network security provider, with operations in the Americas, Europe, the Middle East, Southeast Asia and Japan. NSFOCUS IB has a proven track record of combatting the increasingly complex cyber threat landscape through the construction and implementation of multi-layered defense systems. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide unified, multi-layer protection from advanced cyber threats.
For more information about NSFOCUS, please visit:
https://www.nsfocusglobal.com.
NSFOCUS, NSFOCUS IB, and NSFOCUS, INC. are trademarks or registered trademarks of NSFOCUS, Inc. All other names and trademarks are property of their respective firms.