
Multiple TCP-based remote denial of service vulnerabilities in FreeBSD and Linux Kernels

Reference: Advisory #2019-016
Version: 1.0
Affected software:
  • Linux kernels 2.6.29 and later
  • Linux < 4.15
  • FreeBSD 12 using the RACK TCP Stack
Type: Remote denial of service vulnerabilities
CVE/CVSS:
  • CVE-2019-11477
  • CVE-2019-11478
  • CVE-2019-11479
  • CVE-2019-5599

Sources

https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md

https://www.bleepingcomputer.com/news/security/multiple-linux-and-freebsd-dos-vulnerabilities-found-by-netflix/

Risks

An attacker can remotely cause a denial of service on several vulnerable Linux distributions. One of the vulnerabilities, dubbed “SACK Panic,” allows a remotely-triggered kernel panic on recent Linux kernels.

Description

Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels.

The vulnerabilities are related to the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities.

There are unofficial patches that address most of these vulnerabilities, and a series of mitigations has been posted in Netflix's GitHub repository.

One of the vulnerabilities, dubbed “SACK Panic,” allows a remotely-triggered kernel panic on recent Linux kernels.

Recommended Actions

At the time of writing, no patches are yet available. However, Netflix has published some mitigations on its GitHub page:

  • https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md

CERT.be recommends that system administrators monitor the GitHub repository for these vulnerabilities and perform a risk analysis and testing to determine whether the workarounds can be implemented.

CERT.be recommends that system administrators apply the vendor's patch, after careful testing, as soon as one has been made available.
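As an added triage example (not CERT.be's or Netflix's code), the POSIX shell script below checks a Linux host's kernel release against the version ranges listed under "Affected software" and reports whether the SACK-disable workaround is in place; the sysctl it checks, net.ipv4.tcp_sack=0, is taken from the linked Netflix bulletin rather than from this advisory, and the range labels are the script's own.

```shell
#!/bin/sh
# Added helper (not CERT.be's or Netflix's code): match a kernel release against
# the advisory's Linux ranges and report the net.ipv4.tcp_sack workaround state.

# Return 0 when dotted version $1 is >= dotted version $2 (major.minor.patch only;
# distribution suffixes such as "-generic" are stripped before comparing).
version_ge() {
    v1=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    v2=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    i=1
    while [ "$i" -le 3 ]; do
        n1=$(printf '%s' "$v1" | cut -s -d. -f"$i"); n1=${n1:-0}
        n2=$(printf '%s' "$v2" | cut -s -d. -f"$i"); n2=${n2:-0}
        [ "$n1" -gt "$n2" ] && return 0
        [ "$n1" -lt "$n2" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Print which of the advisory's Linux ranges a kernel release falls in:
# "2.6.29-and-later", "below-4.15", both (comma-separated), or "none".
assess_kernel() {
    ranges=""
    if version_ge "$1" "2.6.29"; then ranges="2.6.29-and-later"; fi
    if ! version_ge "$1" "4.15"; then ranges="${ranges:+$ranges,}below-4.15"; fi
    printf '%s\n' "${ranges:-none}"
}

# Report the SACK sysctl state from a tcp_sack file (default: the live kernel's).
# "sack-disabled" means the net.ipv4.tcp_sack=0 workaround is active.
sack_state() {
    f="${1:-/proc/sys/net/ipv4/tcp_sack}"
    if [ ! -r "$f" ]; then echo "unknown"; return 0; fi
    if [ "$(cat "$f")" = "0" ]; then echo "sack-disabled"; else echo "sack-enabled"; fi
}

main() {
    k=$(uname -r)
    printf 'kernel %s: advisory ranges matched: %s\n' "$k" "$(assess_kernel "$k")"
    printf 'SACK processing: %s\n' "$(sack_state)"
}

main
```

A kernel that matches a range is only a candidate: confirm the distribution's own backport status before treating it as unpatched.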