The CERT Coordination Center (CERT/CC) has released a security advisory for multiple “SACK Panic” vulnerabilities that impact Linux kernels. In addition, a related flaw also impacts FreeBSD.
According to the CERT/CC notice, the vulnerabilities may cause denial-of-service conditions in Linux and FreeBSD kernels. In particular, there are three vulnerabilities related to TCP Selective Acknowledgement (SACK), while another vulnerability impacts Maximum Segment Size (MSS) networking.
All of the flaws were discovered by Jonathan Looney from the Netflix Information Security team.
CVE-2019-11477 – “SACK Panic”
First, the “SACK Panic” vulnerability CVE-2019-11477 could allow a remote attacker to cause a kernel crash (“panic”) or excessive resource consumption leading to a delay or denial of service.
In addition, Ubuntu, one of the affected Linux vendors, said CVE-2019-11477 is the highest-severity issue and affects all current Ubuntu releases. The company also recommended that organizations upgrade to the latest kernel package as soon as possible.
CVE-2019-11478 – “SACK Slowness”
The second bug, CVE-2019-11478, could result in SACK Slowness (Linux versions earlier than 4.15) or excess resource usage (all Linux versions). In other words, specially crafted SACK packets may cause a fragmented TCP queue, which could then cause system slowness and denial of service.
CVE-2019-11479 – MSS Networking
The third flaw, CVE-2019-11479, could also cause remote denial of service and excess resource usage. However, this issue is mainly caused by a low maximum segment size (MSS) networking value hard-coded to only 48 bytes.
Consequently, this could lead to an increase in fragmented packets and system slowness.
This issue impacts all Linux versions.
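The following is an added defensive example, not code from the CERT/CC advisory or any vendor: it parses the MSS and SACK options out of a raw TCP header, flags SYNs that advertise an MSS below a floor, and shows how many segments a payload needs at a given MSS. The function names, the 536-byte `MSS_FLOOR` and the sample SYN are assumptions made for illustration.

```python
import struct

MSS_FLOOR = 536  # assumption: operator-chosen floor (IPv4 default MSS), not from the advisory

def parse_tcp_options(tcp: bytes) -> dict:
    """Extract MSS, SACK-permitted and SACK blocks from a raw TCP header."""
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    hdr_len = (tcp[12] >> 4) * 4            # data offset, in bytes
    if hdr_len < 20 or hdr_len > len(tcp):
        raise ValueError("bad data offset")
    opts, i = tcp[20:hdr_len], 0
    out = {"mss": None, "sack_permitted": False, "sack_blocks": []}
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                        # end of option list
            break
        if kind == 1:                        # NOP padding, no length byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option")
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        if kind == 2 and length == 4:        # maximum segment size
            out["mss"] = struct.unpack("!H", body)[0]
        elif kind == 4 and length == 2:      # SACK permitted
            out["sack_permitted"] = True
        elif kind == 5 and body and len(body) % 8 == 0:   # SACK blocks (left, right edge)
            out["sack_blocks"] = [struct.unpack("!II", body[j:j + 8])
                                  for j in range(0, len(body), 8)]
        i += length
    return out

def low_mss_syn(tcp: bytes, floor: int = MSS_FLOOR) -> bool:
    """True for a SYN whose advertised MSS is below the floor."""
    mss = parse_tcp_options(tcp)["mss"]
    return bool(tcp[13] & 0x02) and mss is not None and mss < floor

def segments_needed(payload_len: int, mss: int) -> int:
    """Minimum number of segments to carry payload_len bytes at this MSS."""
    return -(-payload_len // mss)

def build_syn(mss: int) -> bytes:
    """Constructed sample SYN (ports 40000 -> 443) with MSS and SACK-permitted options."""
    opts = struct.pack("!BBH", 2, 4, mss) + bytes([4, 2, 1, 1])
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 0,
                       ((20 + len(opts)) // 4) << 4, 0x02, 65535, 0, 0) + opts
```

At the 48-byte minimum described above, a 64 KiB payload needs at least 1366 segments, compared with 45 at an MSS of 1460.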
CVE-2019-5599 – “SACK Slowness”
Finally, CVE-2019-5599 is similar to CVE-2019-11478 in terms of how sending a sequence of SACKs can result in fragmentation. However, this issue impacts FreeBSD 12, which uses the Recent ACKnowledgment (RACK) TCP stack. RACK uses time and packet or sequence counts to detect losses.
Multiple vendors have provided patches or guidelines to address the vulnerabilities, including but not limited to:
- FreeBSD: https://www.freebsd.org/security/advisories/FreeBSD-SA-19:08.rack.asc
- Red Hat, Inc.: https://access.redhat.com/security/vulnerabilities/tcpsack
- SUSE Linux: https://www.suse.com/c/suse-addresses-the-sack-panic-tcp-remote-denial-of-service-attacks/
- Ubuntu: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SACKPanic
- Debian GNU/Linux: https://www.debian.org/security/2019/dsa-4465
Readers should check back with these vendors and other Linux-related distributions for the latest SACK panic and related vulnerability updates.
Updated 6/23/19: This article was updated to include the latest vendor security advisories and information related to each of the vulnerabilities.