Multiple DoS vulnerabilities affect Linux and FreeBSD

Netflix researcher has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels that could trigger a DoS condition.

Jonathan Looney, a security expert at Netflix, found three Linux DoS vulnerabilities, two of them related to the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities, and one related only to MSS.

The most severe flaw, tracked as SACK Panic, could be exploited to remotely trigger a DOS condition and reboot vulnerable systems. The kernel panic flaw affects recent Linux kernels.

“Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels.” reads the security advisory. “The vulnerabilities specifically relate to the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities.”

The denial of service flaw SACK Panic was tracked as CVE-2019-11477 and was rated as important severity, it received a 7.5 CVSS3 base score,

“Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels.” reads the Netflix’s NFLX-2019-001 security advisory.

“The vulnerabilities specifically relate to the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. The most serious, dubbed “SACK Panic,” allows a remotely-triggered kernel panic on recent Linux kernels.

There are patches that address most of these vulnerabilities. If patches can not be applied, certain mitigations will be effective. We recommend that affected parties enact one of those described below, based on their environment.”

The SACK Panic vulnerability affects Linux kernels 2.6.29 and later, an attacker could exploit it by sending a crafted sequence of SACK segments on a TCP connection with a small value of TCP MSS that will trigger an integer overflow leading to a kernel panic.

“Apply the patch PATCH_net_1_4.patch. Additionally, versions of the Linux kernel up to, and including, 4.14 require a second patch PATCH_net_1a.patch,” continues Netflix Information Security’s advisory.

Below the advisories published by major Linux distros and cloud service providers:

The good news for Linux users is that most of the issues found by Netflix were already addressed with security patches. Mitigations are also available for those systems that cannot be immediately patched.

Users and administrator can mitigate the flaw by completely disabling SACK processing on the system or blocking connections with a low MSS. Netflix Information Security provided a series of filters to block the connections. Another mitigation consists of disabling TCP probing.

The remaining issued were respectively tracked as CVE-2019-11478 and CVE-2019-11479, both were rated as moderate severity vulnerabilities. The flaws affect all Linux versions. The CVE-2019-11478 issue could be exploitable by sending a crafted sequence of SACKs which will fragment the TCP retransmission queue. The CVE-2019-11479 issue could be exploited by attackers to trigger a DoS state by sending crafted packets with low MSS values to trigger excessive resource consumption.

CVE-2019-5599, aka SACK Slowness, affects FreeBSD 12 using the RACK TCP Stack. An attacker could exploit it by delivering a crafted sequence of SACKs which will fragment the RACK send map.

“It is possible to send a crafted sequence of SACKs which will fragment the RACK send map. An attacker may be able to further exploit the fragmented send map to cause an expensive linked-list walk for subsequent SACKs received for that same TCP connection.” continues the advisory.

CVE-2019-5599 can be addressed by applying “split_limit.patch and set the net.inet.tcp.rack.split_limit sysctl to a reasonable value to limit the size of the SACK table.”

Admins could also temporarily disable the RACK TCP stack.

“Good system and application coding and configuration practices (limiting write buffers to the necessary level, monitoring connection memory consumption via SO_MEMINFO, and aggressively closing misbehaving connections) can help to limit the impact of attacks against these kinds of vulnerabilities,” concludes Netflix Information Security.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – XSS, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.