TCP SACK PANIC Kernel Vulnerabilities Reported by Netflix Researchers

On June 17th, 2019, researchers at Netflix identified several TCP networking vulnerabilities in the FreeBSD and Linux kernels.

Issue Reported On: 17-June-2019
Fix Released On: 17-June-2019
Severity Level: Critical
Affected Packages: Kernel
Reported By: Netflix Researchers (NFLX-2019-001)

Overview:

Researchers at Netflix identified several TCP networking vulnerabilities in the FreeBSD and Linux kernels and published an advisory for them (NFLX-2019-001) in Netflix's GitHub repository.

They discovered four Transmission Control Protocol (TCP) networking vulnerabilities in the Linux and FreeBSD kernels, including a critical one called “SACK Panic” that can lead to remote denial of service, kernel panic and resource-consumption conditions on recent Linux kernels.

Patches have already been released for most Linux distributions. The issue can be addressed either by applying the mitigations or by installing the kernel patches.

Affected Operating System & Version:

Operating System Name / Version / Code Name        Fixed Package Version
Red Hat Enterprise Linux 6/7/8                     kernel
Oracle Enterprise Linux 6/7                        kernel
Fedora 29/30                                       kernel
CentOS 6/7                                         kernel
Ubuntu 16.04 LTS / 18.04 LTS / 18.10 / 19.04       kernel
SUSE Linux Enterprise 12 SP4                       kernel
Slackware 14.2                                     kernel
openSUSE Leap 42.3                                 kernel
Debian 8/9                                         kernel

The first three vulnerabilities affect Linux and the last one affects FreeBSD.

  • CVE-2019-11477: SACK Panic (Linux >= 2.6.29)
  • CVE-2019-11478: SACK Slowness (Linux < 4.15) or Excess Resource Usage (all Linux versions)
  • CVE-2019-11479: Excess Resource Consumption Due to Low MSS Values (all Linux versions)
  • CVE-2019-5599: SACK Slowness (FreeBSD 12 using the RACK TCP Stack)

The three Linux flaws above were found in the Linux kernel’s handling of TCP Selective Acknowledgement (SACK) segments on connections with a low MSS value.

Refer to the following link for installing the security updates on Red Hat (RHEL) and CentOS systems.

What is a selective acknowledgement?

TCP Selective Acknowledgment (SACK) is a mechanism by which the data receiver informs the sender about all the segments that have been accepted successfully. This allows the sender to retransmit only the missing segments.

When TCP SACK is disabled, the sender has to retransmit the whole run of segments again, because it does not get the details from the receiver about which segments are actually missing.

What is MSS?

The maximum segment size (MSS) is a parameter carried in the TCP header that specifies the largest amount of data a host is willing to receive in a single TCP segment. To avoid fragmentation at the IP layer, a host should set the maximum segment size to the largest IP datagram it can handle minus the IP and TCP header sizes.

Socket Buffer (SKB)?

The Socket Buffer (SKB) is the central data structure of the Linux TCP/IP implementation. It is a linked list of buffers holding network packets. Such a list can act as a transmission queue, receive queue, SACK’d queue, retransmission queue, etc. An SKB can hold packet data in fragments; a Linux SKB can hold up to 17 fragments.

CVE-2019-11477:

An integer overflow flaw was found in the way the Linux kernel’s networking subsystem processed TCP Selective Acknowledgment (SACK) segments. While processing SACK segments, the Linux kernel’s socket buffer (SKB) data structure becomes fragmented. Each fragment is about TCP maximum segment size (MSS) bytes. To efficiently process SACK blocks, the Linux kernel merges multiple fragmented SKBs into one, potentially overflowing the variable holding the number of segments. A remote attacker could use this flaw to crash the Linux kernel by sending a crafted sequence of SACK segments on a TCP connection with a small TCP MSS value, resulting in a denial of service (DoS).
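As an added illustration (not from the original post or the kernel sources), the shell functions below model the counter arithmetic behind the overflow: a socket buffer of 17 fragments (the figure given above) of 32 KiB each (the x86 figure from the Netflix advisory), divided by the payload bytes per segment, has to fit in the kernel's 16-bit tcp_gso_segs counter. The 8-byte payload case is the "as little as 8 bytes for user data" situation described under CVE-2019-11479; 48 bytes is the lower bound the fix introduced as the net.ipv4.tcp_min_snd_mss sysctl.

```shell
#!/bin/sh
# Added model of the CVE-2019-11477 segment-counter overflow; not kernel code.
# Assumed constants: 17 fragments per SKB (from the article), 32 KiB per
# fragment (x86 figure from NFLX-2019-001), and a 16-bit tcp_gso_segs field.
SKB_MAX_FRAGS=17
FRAG_BYTES=32768
U16_MAX=65535

# Smallest payload size per segment the fix allows (tcp_min_snd_mss default).
MIN_SND_MSS=48

# Segments a fully merged SKB represents when each carries $1 payload bytes.
segments_for_mss() {
    echo $(( SKB_MAX_FRAGS * FRAG_BYTES / $1 ))
}

# What a 16-bit counter actually stores for a true count of $1.
stored_u16() {
    echo $(( $1 & U16_MAX ))
}

# Succeeds when the true count for payload size $1 does not fit in 16 bits,
# i.e. the merge would leave the kernel with a wrong segment count.
overflows() {
    [ "$(segments_for_mss "$1")" -gt "$U16_MAX" ]
}

# Report one payload size: true count, stored count, whether it overflows,
# and whether the fix's MSS floor rules that payload size out.
report() {
    true_count=$(segments_for_mss "$1")
    printf 'payload=%d bytes: segments=%d stored=%d overflow=%s blocked_by_fix=%s\n' \
        "$1" "$true_count" "$(stored_u16 "$true_count")" \
        "$(overflows "$1" && echo yes || echo no)" \
        "$([ "$1" -lt "$MIN_SND_MSS" ] && echo yes || echo no)"
}

report 8     # 8 bytes of user data: 69632 segments, stored as 4096
report 48    # the post-fix floor: 11605 segments, fits in 16 bits
report 1460  # a normal Ethernet MSS: 381 segments
```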

CVE-2019-11478:

An excessive resource consumption flaw was found in the way the Linux kernel’s networking subsystem processed TCP Selective Acknowledgment (SACK) segments. While processing SACK segments, the Linux kernel’s socket buffer (SKB) data structure becomes fragmented, which leads to increased resource utilization to traverse and process these fragments as further SACK segments are received on the same TCP connection. A remote attacker could use this flaw to cause a denial of service (DoS) by sending a crafted sequence of SACK segments on a TCP connection.

CVE-2019-11479:

An excessive resource consumption flaw was found in the way the Linux kernel’s networking subsystem processed TCP segments. If the Maximum Segment Size (MSS) of a TCP connection is set to a low value, such as 48 bytes, this can leave as little as 8 bytes for user data, which significantly increases the Linux kernel’s resource (CPU, memory, and bandwidth) utilization. A remote attacker could use this flaw to cause a denial of service (DoS) by repeatedly sending network traffic on a TCP connection with a low TCP MSS.

CVE-2019-5599:

It is similar to CVE-2019-11478, in that sending a sequence of SACKs will result in fragmentation, but this vulnerability impacts the RACK send map in the RACK TCP stack on FreeBSD 12.

Solution:

Refer to the following link to verify the installed security updates on Red Hat (RHEL) and CentOS systems.

This issue has been fixed and the update is available in the Red Hat distribution repositories.

The installed security fixes can be verified in the package change log using the following command.

# rpm -q --changelog kernel | grep -i "CVE-2019-11477\|CVE-2019-11478\|CVE-2019-11479"

Run the following commands to install the above updates on Debian/Ubuntu systems (the kernel packages are named linux-image-* there).

$ sudo apt update
$ sudo apt install --only-upgrade 'linux-image-*'
or
$ sudo apt install unattended-upgrades

The installed security fixes can be verified in the package changelog using one of the following methods.

Using the manual method:

$ zgrep -i "CVE-2019-11477\|CVE-2019-11478\|CVE-2019-11479" /usr/share/doc/linux-image-*/changelog.Debian.gz

Using the debsecan command:

$ debsecan | grep "CVE-2019-11477\|CVE-2019-11478\|CVE-2019-11479"
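The commands above only grep for the identifiers. As an added example (not from the original post), the POSIX shell functions below combine the changelog check with the workaround state into one verdict: a kernel whose changelog lists all three CVEs is patched, and an unpatched kernel with SACK turned off through the net.ipv4.tcp_sack sysctl (the workaround given in NFLX-2019-001) is mitigated. The changelog text is read from standard input, so the same function works with the output of rpm -q --changelog kernel on RHEL/CentOS and with zcat of changelog.Debian.gz on Debian/Ubuntu.

```shell
#!/bin/sh
# Added host check for the SACK fixes; not part of the original post.
SACK_CVES="CVE-2019-11477 CVE-2019-11478 CVE-2019-11479"

# Print every SACK CVE id that does NOT appear in the changelog read on stdin.
# Exit status 0 means all three identifiers are present.
missing_cves() {
    log=$(cat)
    missing=""
    for cve in $SACK_CVES; do
        case "$log" in
            *"$cve"*) ;;
            *) missing="$missing $cve" ;;
        esac
    done
    missing=${missing# }
    [ -n "$missing" ] && printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Verdict for one host.  $1: changelog text, $2: value of net.ipv4.tcp_sack.
# "patched"    - the kernel changelog lists all three CVEs
# "mitigated"  - not patched, but SACK is disabled (tcp_sack=0)
# "vulnerable" - neither
host_status() {
    if printf '%s' "$1" | missing_cves >/dev/null; then
        echo patched
    elif [ "$2" = "0" ]; then
        echo mitigated
    else
        echo vulnerable
    fi
}

# Live use on an RPM-based host (Debian: zcat /usr/share/doc/linux-image-*/changelog.Debian.gz):
# host_status "$(rpm -q --changelog kernel)" "$(sysctl -n net.ipv4.tcp_sack)"
```

Running missing_cves on its own prints exactly which of the three identifiers the changelog lacks, which is useful when a distribution backports the fixes in separate updates.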
