Multiple TCP-based remote denial of service vulnerabilities in FreeBSD and Linux Kernels
- CVE-2019-11477
- CVE-2019-11478
- CVE-2019-11479
- CVE-2019-5599
Sources
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
Risks
An attacker can remotely cause a denial of service on several vulnerable Linux distributions. One of the vulnerabilities, dubbed “SACK Panic,” allows a remotely triggered kernel panic on recent Linux kernels.
Description
Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels.
The vulnerabilities are related to the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities.
There are unofficial patches that address most of these vulnerabilities, and a series of mitigations has been posted in Netflix's GitHub repository.
One of the vulnerabilities, dubbed “SACK Panic,” allows a remotely triggered kernel panic on recent Linux kernels.
Recommended Actions
At the time of writing, no patches are yet available. However, Netflix has published some mitigations on their GitHub page:
- https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
CERT.be recommends that system administrators monitor the GitHub repository for these vulnerabilities and perform a risk analysis and testing to determine whether the workarounds can be implemented.
CERT.be recommends that system administrators patch the vulnerabilities, after careful testing, once a patch has been made available by the vendor.
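The workarounds referenced above have to be verified on each host before and after they are rolled out. The script below is an added example for this advisory, not CERT.be's or Netflix's code: it reads the kernel's TCP SACK setting, classifies the host as mitigated or exposed, and keeps the privileged change (the SACK-disable sysctl and the low-MSS packet filter that Netflix's bulletin describes) in a separate function that is not run automatically. It assumes a Linux host exposing /proc/sys/net/ipv4/tcp_sack; the SACK_FILE override exists only so the check can be exercised against a constructed file.

```shell
#!/bin/sh
# Added example for this advisory; not CERT.be's or Netflix's code.
# Reports whether the SACK-related host workaround from Netflix's bulletin
# (disable TCP SACK processing, net.ipv4.tcp_sack = 0) is in effect.
# Assumption: Linux host with /proc/sys/net/ipv4/tcp_sack; SACK_FILE may be
# overridden so the functions can be exercised on a constructed file.

SACK_FILE="${SACK_FILE:-/proc/sys/net/ipv4/tcp_sack}"

# classify_sack VALUE
#   prints "mitigated" for 0 (SACK off), "exposed" for 1 (SACK on),
#   "unknown" otherwise; exit status is 0 only when mitigated, so the
#   function can drive a compliance check or a monitoring alert.
classify_sack() {
    case "$1" in
        0) echo mitigated; return 0 ;;
        1) echo exposed;   return 1 ;;
        *) echo unknown;   return 2 ;;
    esac
}

# read_sack_setting FILE
#   prints the sysctl value with whitespace stripped, or "missing" when the
#   file is absent (non-Linux host, or a container without /proc/sys/net).
read_sack_setting() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        echo missing
    fi
}

# check_host FILE
#   prints one report line and always returns 0 (report-only); the
#   "|| :" keeps an "exposed" result from aborting the script under set -e.
check_host() {
    value=$(read_sack_setting "$1")
    status=$(classify_sack "$value") || :
    printf '%s: tcp_sack=%s -> %s\n' "$1" "$value" "$status"
    return 0
}

# apply_sack_workaround
#   the root-only changes from Netflix's bulletin, kept in a function that
#   is NOT called here: disabling SACK costs throughput on lossy links, and
#   the MSS filter drops legitimate peers advertising a very small MSS.
#   Revert with net.ipv4.tcp_sack=1 and remove the rule once patched.
apply_sack_workaround() {
    sysctl -w net.ipv4.tcp_sack=0
    # Low-MSS filter as given in Netflix's bulletin (iptables tcpmss match).
    iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
}

check_host "$SACK_FILE"
```

Run it as a plain user to get the report line; only apply_sack_workaround needs root. Treating "unknown" and "missing" as findings rather than passes is deliberate: a host that cannot be checked should show up in the risk analysis this advisory asks for, not silently count as mitigated.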