Netflix researchers have disclosed four serious security flaws in the TCP stacks of Linux and FreeBSD that could be used to knock servers offline at data-center scale. The announcement comes from Netflix's engineering manager, Jonathan Looney, who found the bugs.
The most severe of the flaws, dubbed SACK Panic, lets a remote attacker crash a server outright; the others degrade its performance. All of them are triggered by sending a specially crafted sequence of TCP Selective Acknowledgements (SACKs) over a connection to a vulnerable host.
SACK is a TCP extension that lets the receiving side of a connection tell the sender exactly which segments have arrived, so that only the missing ones are retransmitted rather than everything after the first gap.
The crash bug, tracked as CVE-2019-11477 and affecting Linux kernels since 2.6.29, occurs when a sequence of SACKs makes the kernel merge socket buffers until an internal segment counter overflows; the kernel then panics. Successful exploitation results in a remote denial of service (DoS). FreeBSD 12 is affected by a related flaw, CVE-2019-5599, but only when the non-default RACK TCP stack is enabled: an attacker can fragment RACK's send map and then force an expensive linked-list walk for every subsequent SACK received on the same connection.
Linux has its own version of that slowdown, tracked as CVE-2019-11478 and dubbed SACK Slowness. A crafted SACK sequence fragments the TCP retransmission queue, and subsequent SACKs for the same connection then force the kernel into an expensive linked-list walk. On kernels before 4.15 the effect is a severe slowdown; on later kernels the fragmentation still causes excess resource usage.
The last vulnerability, tracked as CVE-2019-11479 and affecting all Linux versions, relies on the maximum segment size (MSS) that the peer advertises for a TCP connection. By advertising a very small MSS, an attacker can force the Linux kernel to segment its responses into many TCP segments carrying only 8 bytes of data each, drastically increasing the bandwidth required to deliver the same amount of data while also consuming additional CPU and NIC processing power.
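To make the two mechanisms above concrete, here is a small TCP option parser in Python that extracts SACK blocks from an acknowledgement and the MSS from a SYN, and applies the kind of low-MSS filter Netflix suggested as a workaround. This is an added example written for this article, not code from Netflix, Linux or FreeBSD. The sample segments are constructed inline, the 500-byte drop threshold is an assumption mirroring the advisory's iptables filter, and the "MSS 48 with 40 bytes of options leaves 8 bytes of data" figures are assumptions about the pre-patch kernel used only to size the wire-cost calculation.

```python
"""Parse TCP options from raw segments, extract SACK blocks and the MSS,
and flag SYNs that advertise a tiny MSS. Added example for this article,
not code from Netflix or the Linux/FreeBSD projects."""
import struct
from typing import Tuple

TCP_OPT_EOL = 0
TCP_OPT_NOP = 1
TCP_OPT_MSS = 2             # kind 2, length 4, 16-bit MSS
TCP_OPT_SACK_PERMITTED = 4  # kind 4, length 2 (SYN only)
TCP_OPT_SACK = 5            # kind 5, length 2 + 8 * blocks
TCP_OPT_TIMESTAMP = 8       # kind 8, length 10
FLAG_SYN = 0x02
FLAG_ACK = 0x10
# Assumption: 500 mirrors the "-m tcpmss --mss 1:500" iptables filter that
# Netflix's advisory offers as a workaround; a normal Ethernet MSS is 1460.
LOW_MSS_THRESHOLD = 500


def parse_tcp_options(options: bytes) -> dict:
    """Walk the kind/length/data option list and return the interesting fields."""
    found = {"mss": None, "sack_permitted": False, "sack_blocks": [], "timestamps": None}
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCP_OPT_EOL:
            break                      # end of option list; rest is padding
        if kind == TCP_OPT_NOP:
            i += 1                     # single-byte alignment option
            continue
        if i + 1 >= len(options):
            raise ValueError(f"truncated option at offset {i}")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError(f"bad option length {length} at offset {i}")
        data = options[i + 2:i + length]
        if kind == TCP_OPT_MSS and length == 4:
            found["mss"] = struct.unpack("!H", data)[0]
        elif kind == TCP_OPT_SACK_PERMITTED and length == 2:
            found["sack_permitted"] = True
        elif kind == TCP_OPT_SACK and (length - 2) % 8 == 0:
            # Each block is a (left edge, right edge) pair of 32-bit sequence
            # numbers: the receiver is saying "I already have this range".
            for j in range(0, length - 2, 8):
                found["sack_blocks"].append(struct.unpack("!II", data[j:j + 8]))
        elif kind == TCP_OPT_TIMESTAMP and length == 10:
            found["timestamps"] = struct.unpack("!II", data)
        i += length
    return found


def parse_tcp_segment(segment: bytes):
    """Split a raw TCP segment into (header fields, parsed options, payload)."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError(f"bad data offset {data_offset}")
    header = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
              "flags": off_flags & 0x1FF, "window": win}
    return header, parse_tcp_options(segment[20:data_offset]), segment[data_offset:]


def should_drop_syn(segment: bytes, threshold: int = LOW_MSS_THRESHOLD) -> bool:
    """Mimic the advisory's workaround: drop SYNs whose MSS is 1..threshold."""
    header, options, _ = parse_tcp_segment(segment)
    if not (header["flags"] & FLAG_SYN):
        return False              # only the handshake carries the MSS option
    mss = options["mss"]
    return mss is not None and 1 <= mss <= threshold


def wire_cost(payload_len: int, mss: int, option_bytes: int, ip_header: int = 20) -> Tuple[int, int]:
    """(segments, total bytes on the wire) needed to carry payload_len bytes.
    TCP options come out of the MSS budget, so a tiny MSS with full options
    leaves only a few payload bytes per segment."""
    data_per_segment = mss - option_bytes
    if data_per_segment <= 0:
        raise ValueError("options consume the whole MSS")
    segments = -(-payload_len // data_per_segment)   # ceiling division
    return segments, payload_len + segments * (ip_header + 20 + option_bytes)


def build_tcp_segment(flags: int, options: bytes, payload: bytes = b"",
                      sport: int = 40000, dport: int = 80, seq: int = 1, ack: int = 0) -> bytes:
    """Assemble a TCP segment (no checksum) so the samples below are self-contained."""
    options += b"\x00" * ((-len(options)) % 4)    # pad option list to 32-bit words
    data_offset_words = (20 + len(options)) // 4
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                         (data_offset_words << 12) | flags, 65535, 0, 0)
    return header + options + payload


# Constructed sample segments (not captured traffic).
NORMAL_SYN = build_tcp_segment(FLAG_SYN, struct.pack("!BBH", TCP_OPT_MSS, 4, 1460)
                               + bytes([TCP_OPT_SACK_PERMITTED, 2])
                               + struct.pack("!BBII", TCP_OPT_TIMESTAMP, 10, 1, 0))
# Assumption: 48 is the smallest MSS a pre-patch Linux kernel would honour;
# with 40 bytes of options that leaves the 8-byte payloads the article describes.
LOW_MSS_SYN = build_tcp_segment(FLAG_SYN, struct.pack("!BBH", TCP_OPT_MSS, 4, 48))
SACK_ACK = build_tcp_segment(FLAG_ACK, bytes([TCP_OPT_NOP, TCP_OPT_NOP])
                             + struct.pack("!BBII", TCP_OPT_SACK, 10, 2000, 3000), ack=1000)

if __name__ == "__main__":
    for name, seg in [("normal SYN", NORMAL_SYN), ("low-MSS SYN", LOW_MSS_SYN), ("SACK ACK", SACK_ACK)]:
        print(name, parse_tcp_segment(seg)[1], "drop" if should_drop_syn(seg) else "pass")
    print("1 MB at MSS 1460, 12 option bytes:", wire_cost(1_000_000, 1460, 12))
    print("1 MB at MSS 48, 40 option bytes:  ", wire_cost(1_000_000, 48, 40))
```

The wire_cost comparison is the point of the MSS paragraph: 1 MB that fits in 691 full-size segments needs 125,000 segments and roughly eleven times the bytes once each segment carries only 8 bytes of data, and every one of those segments costs the server CPU and NIC time. The should_drop_syn check is a userland stand-in for the advisory's firewall rule; in production the equivalent is the iptables tcpmss match, not a Python parser.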
Users of Linux and FreeBSD 12 are strongly encouraged to apply the patches, which Netflix has published alongside its advisory on GitHub, or to install the fixed kernels from their distribution. Where patching must wait, the advisory also describes workarounds: disabling SACK processing (setting net.ipv4.tcp_sack to 0 on Linux) and using a firewall rule to drop connections that advertise a very low MSS. The researchers suggest that affected users consult the developers of their distribution for the appropriate update.