Multiple Linux and FreeBSD DoS Vulnerabilities Found by Netflix

A denial of service flaw found in the way recent Linux kernels handle TCP networking can be exploited by remote attackers to trigger a kernel panic in vulnerable systems.

In all, Netflix Information Security's Jonathan Looney found three Linux vulnerabilities, two related to "the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities," and one related only to MSS, with the most serious one named SACK Panic being the one that can cause affected systems to panic and reboot. 

As per Red Hat, the issues which impact the kernel's TCP processing subsystem are tracked via multiple CVEs, with CVE-2019-11477 SACK Panic having been assigned an important severity with a 7.5 CVSS3 base score, while CVE-2019-11478 and CVE-2019-11479 are considered to be moderate severity vulnerabilities.

Patches are already available as detailed in Netflix's NFLX-2019-001 security advisory, with mitigation measures also being available for machines where patching is not an immediate or easy option.

The SACK Panic security flaw

The SACK Panic vulnerability (Debian, Red Hat, Ubuntu, Suse, AWS) impacts Linux kernels 2.6.29 and later, and it can be exploited by "sending a crafted sequence of SACK segments on a TCP connection with small value of TCP MSS" which will trigger an integer overflow.

To fix the issue, "Apply the patch PATCH_net_1_4.patch. Additionally, versions of the Linux kernel up to, and including, 4.14 require a second patch PATCH_net_1a.patch," says Netflix Information Security's advisory.

To mitigate the issue, users and administrator can completely disable SACK processing on the system (by setting /proc/sys/net/ipv4/tcp_sack to 0) or block connections with a low MSS using the filters provided by Netflix Information Security HERE — the second mitigation measure will only be effective when TCP probing is also disabled.

More denial of service vulnerabilies

The other two vulnerabilities impact all Linux versions, with CVE-2019-11478 (dubbed SACK Slowness) being exploitable by sending "a crafted sequence of SACKs which will fragment the TCP retransmission queue," while CVE-2019-11479 allows attackers to trigger a DoS state by sending "crafted packets with low MSS values to trigger excessive resource consumption."

CVE-2019-5599 is the FreeBSD counterpart of CVE-2019-11478, it impacts FreeBSD 12 installations using the RACK TCP Stack and it can be abused by delivering "a crafted sequence of SACKs which will fragment the RACK send map."

Luckily, as explained by FreeBSDHelp, FreeBSD 12 does not have RACK enabled by default and requires a custom kernel to be toggled on.

Linux and FreeBSD admins and users can fix the first one can by applying PATCH_net_2_4.patch, and the second one with the PATCH_net_3_4.patch and PATCH_net_4_4.patch security patches. CVE-2019-5599 can be patched by applying "split_limit.patch and set the net.inet.tcp.rack.split_limit sysctl to a reasonable value to limit the size of the SACK table."

As workarounds, both CVE-2019-11478 and CVE-2019-11479 can be mitigated by blocking remote network connections with a low MSS with Netflix Information Security-supplied filters available HERE — applying the filters might subsequently break low MMS legitimate connections. The FreeBSD flaw can be mitigated by simply toggling off the RACK TCP stack.

"The extent of impact is understood to be limited to denial of service at this time. No privilege escalation or information leak is currently suspected," says Red Hat.

"Good system and application coding and configuration practices (limiting write buffers to the necessary level, monitoring connection memory consumption via SO_MEMINFO, and aggressively closing misbehaving connections) can help to limit the impact of attacks against these kinds of vulnerabilities," also notes Netflix Information Security in its advisory.

---

Update: Added comments from FreeBSDHelp.