Netflix discovers SACK Panic and other Linux security flaws

A number of Linux and FreeBSD servers and systems are vulnerable to a denial of service vulnerability dubbed SACK Panic, as well as other forms of attack.

A total of three security flaws were discovered by Jonathan Looney of Netflix Information Security. A series of malicious packets sent to vulnerable system is all it takes to crash or slow them down -- a remotely-triggered kernel panic. Patches and workaround have been released to help plug the holes.

See also:

• Microsoft advises Azure customers to update Exim to avoid a Linux worm
• OpenMandriva Lx 4.0 Linux distro is here, and there is a special AMD-only version
• Microsoft Edge could come to Linux

All three of the flaws are related, and concern the way the Linux kernel handles TCP networking. Red Hat describes SACK Panic as the "most severe" of the trio, warning that it "could allow a remote attacker to trigger a kernel panic in systems running the affected software and, as a result, impact the system's availability".

SACK Panic has been assigned  CVE-2019-11477 and its severity is "Important", while the related CVE-2019-11478 and CVE-2019-11479 are merely "Moderate".

The most serious vulnerability affects Red Hat, Debian, Ubuntu, Amazon Web Services and SUSE with Linux kernels 2.6.29 and later.

Patches are available for affected systems, and a workaround has also been suggested. By setting /proc/sys/net/ipv4/tcp_sack to 0, SACK processing is disabled.

More details are available in the security advisory posted on GitHub. Red Hat, Amazon Web Services, SUSE and Debian also have helpful resources and information.

Image credit: Stanislaw Mikulski / Shutterstock