Netflix discovers SACK Panic and other Linux security flaws


A number of Linux and FreeBSD servers and systems are affected by a denial-of-service vulnerability dubbed SACK Panic, as well as other forms of attack.

A total of three security flaws were discovered by Jonathan Looney of Netflix Information Security. A series of malicious packets sent to a vulnerable system is all it takes to crash it (a remotely triggered kernel panic) or slow it down. Patches and a workaround have been released to help plug the holes.


All three of the flaws are related, and concern the way the Linux kernel handles TCP networking. Red Hat describes SACK Panic as the "most severe" of the trio, warning that it "could allow a remote attacker to trigger a kernel panic in systems running the affected software and, as a result, impact the system's availability".

SACK Panic has been assigned CVE-2019-11477 and its severity is "Important", while the related CVE-2019-11478 and CVE-2019-11479 are merely "Moderate".

The most serious vulnerability affects Red Hat, Debian, Ubuntu, Amazon Web Services and SUSE with Linux kernels 2.6.29 and later.

Patches are available for affected systems, and a workaround has also been suggested. By setting /proc/sys/net/ipv4/tcp_sack to 0, SACK processing is disabled.
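The check below is an added example, not code from the article or the advisory: it reports whether a host's kernel falls in the 2.6.29-and-later range and whether the tcp_sack workaround is in place. The `PROC_ROOT` variable, the function names and the finding strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a host for the tcp_sack workaround described above.
# PROC_ROOT is a hypothetical override for testing against a constructed tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Succeed if kernel release $1 (e.g. "4.15.0-51-generic") is 2.6.29 or later,
# the range the article gives. It cannot tell whether a vendor patch is installed.
kernel_in_affected_range() {
    ver=${1%%[!0-9.]*}                 # drop suffixes such as "-51-generic"
    old_ifs=$IFS; IFS=.
    set -- $ver                        # split into major minor patch
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -gt 2 ] && return 0
    [ "$major" -lt 2 ] && return 1
    [ "$minor" -gt 6 ] && return 0
    [ "$minor" -lt 6 ] && return 1
    [ "$patch" -ge 29 ]
}

# Print "enabled", "disabled" or "unknown" for the SACK setting.
sack_status() {
    f="$PROC_ROOT/sys/net/ipv4/tcp_sack"
    [ -r "$f" ] || { echo unknown; return 0; }
    case "$(cat "$f")" in
        0) echo disabled ;;
        1) echo enabled ;;
        *) echo unknown ;;
    esac
}

# Combine both checks into a single finding for kernel release $1.
assess() {
    state=$(sack_status)
    if ! kernel_in_affected_range "$1"; then
        echo "kernel-older-than-2.6.29"
    elif [ "$state" = disabled ]; then
        echo "workaround-applied"
    elif [ "$state" = enabled ]; then
        echo "sack-enabled-confirm-patch"
    else
        echo "sack-state-unknown"
    fi
}

# Report on the running host.
echo "$(uname -r): $(assess "$(uname -r)")"
```

A value written to the /proc file lasts only until reboot; the same setting is exposed as the sysctl key `net.ipv4.tcp_sack`.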

More details are available in the security advisory posted on GitHub. Red Hat, Amazon Web Services, SUSE and Debian also have helpful resources and information.

Image credit: Stanislaw Mikulski / Shutterstock

3 Responses to Netflix discovers SACK Panic and other Linux security flaws

  1. Enis C. Philpott says:

    "The most serious vulnerability affects...Linux kernels 2.6.29 and later."

    They still have critical vulnerabilities from a decade ago lurking in the code? All this time someone thought that re-inventing the wheel while ignoring all those dreary bugs was a swimming idea. I guess someone was wrong.

    • MyDisqussion says:

      At least the Linux community is not holding back the patch until July 9. I'll have to read the exploit proof of concept.

    • ɥʇᴉǝpɹO says:

      "Worse, the average lifetime of a critical security bug in the Linux kernel, from introduction during a code commit to public discovery and having a patch issued, averages three years or more. According to Cook’s analysis, critical and high-severity security bugs in the upstream kernel have lifespans from 3.3 to 6.4 years between commit and discovery."

      "Nation-state attackers are watching every commit, looking for an opening, he said, and "people are finding these bugs sometimes immediately when they're introduced".

      -Unsafe at any clock speed: Linux kernel security needs a rethink, Ars Technica
