Netflix researcher has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels that could trigger a DoS condition.

Jonathan Looney, a security expert at Netflix, found three Linux DoS vulnerabilities, two of them related to the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities, and one related only to MSS.

The most severe flaw, tracked as SACK Panic, could be exploited to remotely trigger a DOS condition and reboot vulnerable systems. The kernel panic flaw affects recent Linux kernels.

“Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels.” reads the security advisory. “The vulnerabilities specifically relate to the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities.”

The denial of service flaw SACK Panic was tracked as CVE-2019-11477 and was rated as important severity, it received a 7.5 CVSS3 base score,

“Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels.” reads the Netflix’s NFLX-2019-001 security advisory.

“The vulnerabilities specifically relate to the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. The most serious, dubbed “SACK Panic,” allows a remotely-triggered kernel panic on recent Linux kernels.

There are patches that address most of these vulnerabilities. If patches can not be applied, certain mitigations will be effective. We recommend that affected parties enact one of those described below, based on their environment.”

The SACK Panic vulnerability affects Linux kernels 2.6.29 and later, an attacker could exploit it by sending a crafted sequence of SACK segments on a TCP connection with a small value of TCP MSS that will trigger an integer overflow leading to a kernel panic.

“Apply the patch PATCH_net_1_4 . patch. Additionally, versions of the Linux kernel up to, and including, 4.14 require a second patch PATCH_net_1a . patch,” continues Netflix Information Security’s advisory.

Below the advisories published by major Linux distros and cloud service providers:

The good news for Linux users is that most of the issues found by Netflix were already addressed with security patches. Mitigations are also available for those systems that cannot be immediately patched.

Users and administrator can mitigate the flaw by completely disabling SACK processing on the system or blocking connections with a low MSS. Netflix Information Security provided a series of filters to block the connections. Another mitigation consists of disabling TCP probing.

The remaining issued were respectively tracked as CVE-2019-11478 and CVE-2019-11479, both were rated as moderate severity vulnerabilities. The flaws affect all Linux versions. The CVE-2019-11478 issue could be exploitable by sending a crafted sequence of SACKs which will fragment the TCP retransmission queue. The CVE-2019-11479 issue could be exploited by attackers to trigger a DoS state by sending crafted packets with low MSS values to trigger excessive resource consumption.

CVE-2019-5599, aka SACK Slowness, affects FreeBSD 12 using the RACK TCP Stack. An attacker could exploit it by delivering a crafted sequence of SACKs which will fragment the RACK send map.

“It is possible to send a crafted sequence of SACKs which will fragment the RACK send map. An attacker may be able to further exploit the fragmented send map to cause an expensive linked-list walk for subsequent SACKs received for that same TCP connection.” continues the advisory.

CVE-2019-5599 can be addressed by applying “split_limit . patch and set the net . inet . tcp . rack . split_limit sysctl to a reasonable value to limit the size of the SACK table.”

Admins could also temporarily disable the RACK TCP stack.

“Good system and application coding and configuration practices (limiting write buffers to the necessary level, monitoring connection memory consumption via SO_MEMINFO, and aggressively closing misbehaving connections) can help to limit the impact of attacks against these kinds of vulnerabilities,” concludes Netflix Information Security.

Pierluigi Paganini

(SecurityAffairs – XSS, hacking)

Share this...

Linkedin Reddit Pinterest

Share On