Netflix finds multiple vulnerabilities in the Linux and FreeBSD kernel TCP stacks
Organizations that run Linux systems extensively in production need to apply several new patches urgently in order to prevent remote attackers from crashing those systems. Three of the flaws affect the way the Linux kernel handles TCP, and one affects the FreeBSD TCP stack.
CVE-2019-11477, known as SACK Panic, is the most serious of the four defects.
A remote attacker can exploit it to trigger a kernel panic that crashes the machine, causing a denial of service. It affects Linux kernel 2.6.29 and later.
Netflix posted the bug details on GitHub and characterized them as extremely serious vulnerabilities. Red Hat itself rated SACK Panic as serious, while the remaining flaws were given a lower rating.
However, Netflix's severe rating of these bugs is understandable given that a remote attacker could take down the Linux hosts the streaming giant runs on Amazon Web Services (AWS) infrastructure.
In response, AWS has released three updates, covering AWS Elastic Beanstalk, Amazon Linux, and Linux-based EC2 instances. Amazon Linux WorkSpaces and Amazon's Kubernetes container service are also affected by these bugs.
Some services, such as Amazon ElastiCache, are not affected when running with the default configuration, but become affected if the user changes that configuration.
Of the other bugs, CVE-2019-11478, also known as SACK Slowness, affects systems with Linux kernels below version 4.15; FreeBSD 12 is affected by a separate SACK Slowness vulnerability, CVE-2019-5599; and CVE-2019-11479 can lead to excessive resource consumption on the affected system.
The three Linux defects all relate to how the kernel handles TCP SACK packets when the maximum segment size (MSS) is low. In its announcement, Red Hat noted that the impact was limited to denial of service.
SACK (Selective Acknowledgment) is a mechanism that reduces the inefficiency caused by TCP packet loss between sender and receiver.
Engineers who drafted the IETF standard for SACK explained:
According to Red Hat, the data structure used by the Linux TCP implementation, the socket buffer (SKB), can hold at most 17 fragments of packet data, and exceeding that limit can crash the system.
Once an SKB reaches that upper limit, the result can be a kernel panic. The other factor is the maximum segment size (MSS), the parameter that specifies the maximum amount of data a single TCP segment may carry, and therefore how much data a reconstructed TCP segment contains.
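As an added illustration of the arithmetic described above (constructed for this page, not kernel code or the article's own), the following Python models how a low MSS pushes the per-SKB segment count past a 16-bit counter. The 32 KiB fragment size and the 16-bit counter width are assumptions taken from public analyses of the bug; the article itself states only the 17-fragment limit.

```python
"""Segment-count model for SACK Panic (CVE-2019-11477): constructed illustration."""
import math

MAX_SKB_FRAGS = 17          # fragment slots per SKB (stated in the article)
MAX_FRAG_BYTES = 32 * 1024  # assumed per-fragment size (not from the article)
U16_MAX = 0xFFFF            # assumed width of the per-SKB segment counter


def max_skb_payload() -> int:
    """Largest payload a fully populated SKB can carry under these assumptions."""
    return MAX_SKB_FRAGS * MAX_FRAG_BYTES


def segments_needed(payload_bytes: int, mss: int) -> int:
    """Number of TCP segments needed to carry payload_bytes at the given MSS."""
    if mss <= 0 or payload_bytes < 0:
        raise ValueError("mss must be positive and payload non-negative")
    return math.ceil(payload_bytes / mss)


def overflows_u16(payload_bytes: int, mss: int) -> bool:
    """True when the segment count no longer fits a 16-bit counter."""
    return segments_needed(payload_bytes, mss) > U16_MAX


def wrapped_count(payload_bytes: int, mss: int) -> int:
    """What a 16-bit counter would actually hold after the overflow (wraps)."""
    return segments_needed(payload_bytes, mss) & U16_MAX


def smallest_safe_mss(payload_bytes: int = None) -> int:
    """Smallest MSS for which a full SKB still fits the 16-bit counter."""
    if payload_bytes is None:
        payload_bytes = max_skb_payload()
    return math.ceil(payload_bytes / U16_MAX)


if __name__ == "__main__":
    full = max_skb_payload()
    # Ethernet-sized MSS: a full SKB is only a few hundred segments.
    print(f"MSS 1460 -> {segments_needed(full, 1460)} segments, ok")
    # Tiny MSS: the count exceeds 16 bits and the counter wraps.
    print(f"MSS 8    -> {segments_needed(full, 8)} segments, "
          f"overflow={overflows_u16(full, 8)}, counter={wrapped_count(full, 8)}")
    print(f"smallest MSS that keeps a full SKB within 16 bits: {smallest_safe_mss()}")
```

The wrapped counter is the reason a low MSS matters: the kernel ends up with a segment count that disagrees with the data actually held in the SKB.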
So far, Red Hat, Amazon Web Services, SUSE, grsecurity, Alibaba Cloud (Aliyun), Tencent Cloud, Huawei Cloud and others have issued official announcements.
On June 18, 2019, the Aliyun Emergency Response Center observed that a security research organization abroad had disclosed defects in the TCP SACK mechanism of the Linux kernel that can lead to remote denial of service. The CVE numbers are CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479.
Linux kernel 2.6.29 and later versions have defects in handling the TCP SACK mechanism that result in integer overflow vulnerabilities. An attacker can construct specific SACK packets to remotely trigger the overflow in the Linux server's kernel and carry out a remote denial of service attack.
CVE-2019-11477: High risk
CVE-2019-11478: Medium risk
CVE-2019-11479: Medium risk