Critical Linux and FreeBSD Vulnerabilities Found by Netflix, Including One That Induces Kernel Panic
Netflix researcher Jonathan Looney uncovered four critical vulnerabilities — CVE-2019-11477, CVE-2019-11478, CVE-2019-5599, and CVE-2019-11479 — within the TCP implementations on Linux and FreeBSD kernels. Specifically, the four vulnerabilities are related to the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. The most concerning among the vulnerabilities discovered is CVE-2019-11477, called SACK Panic, as its abuse could allow an attacker to remotely trigger a kernel panic on recent Linux operating systems.
A published advisory from Netflix said that most of the vulnerabilities can be fixed via available patches, but workarounds can also do the trick if patches can’t be applied.
CVE-2019-11477: A vulnerability for inducing kernel panic
SACK Panic, arguably the most critical, affects Linux kernel versions 2.6.29 and above. The vulnerability can be exploited via a crafted sequence of SACKs that triggers an integer overflow, which then leads to a kernel panic.
A kernel panic is a fatal error from which the OS cannot quickly or easily recover. An OS in panic displays an error message on the computer screen and writes the contents of kernel memory to disk for later debugging. All CPU operations are then halted.
CVE-2019-11478, CVE-2019-5599, and CVE-2019-11479
CVE-2019-11478, dubbed SACK Slowness, affects Linux kernel versions 4.15 and below, and affects all versions to some extent as Excess Resource Usage. Attackers can exploit this vulnerability by sending a crafted sequence of SACKs that fragments the TCP retransmission queue. On versions before 4.15, the fragmented queue can be exploited further so that subsequent SACKs on the same TCP connection trigger an expensive linked-list walk, slowing the system down.
CVE-2019-5599 is another SACK Slowness vulnerability, but it affects FreeBSD 12 installations that use the RACK TCP stack. By sending a crafted sequence of SACKs, an attacker can cause the RACK send map to become fragmented. An attacker can then exploit the fragmented send map using the same method as for CVE-2019-11478, with the same effect of slowing the system down.
The last vulnerability, CVE-2019-11479, is tagged as Excess Resource Consumption Due to Low MSS Values, and it affects all Linux versions. With this vulnerability, the Linux kernel can be forced to segment its responses into multiple TCP segments, each containing only 8 bytes of data. This can significantly increase the bandwidth required to deliver the same amount of data and consume additional resources, i.e., CPU and NIC processing power. It’s worth noting that the attack requires continuous effort from the attacker; the system recovers once the attacker stops sending traffic.
Patches and workarounds
The disclosure of the vulnerabilities came with details on how to fix them. Source-code-level patches have already been made available, along with workarounds such as disabling SACK processing.
At the time of writing, the following Linux vendors have already released advisories or discussed plans to release fixes:
To learn about the complete requirements and preconditions for mitigating the vulnerabilities, click here.
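The following shell check is an added example, not part of the Netflix advisory or the original article. It reports whether the SACK-disabling workaround described above is active on a Linux host. It assumes the standard net.ipv4.tcp_sack and net.ipv4.tcp_min_snd_mss sysctls; the PROC_ROOT variable and the function names are hypothetical, chosen for this example.

```shell
#!/bin/sh
# Added example, not from the advisory. PROC_ROOT is a hypothetical override
# so the check can be pointed at a constructed tree instead of the live /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print a net.ipv4 sysctl value, or "absent" if this kernel does not expose it.
read_ipv4_sysctl() {
    f="$PROC_ROOT/sys/net/ipv4/$1"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# tcp_sack=0 is the "disable SACK processing" workaround.
sack_state() {
    case "$(read_ipv4_sysctl tcp_sack)" in
        0)      echo sack-disabled ;;
        absent) echo unknown ;;
        *)      echo sack-enabled ;;
    esac
}

# The tcp_min_snd_mss sysctl was added by the upstream fix for the low-MSS
# issue (background knowledge, not stated on the page), so its presence
# indicates that the running kernel carries that fix.
mss_state() {
    v=$(read_ipv4_sysctl tcp_min_snd_mss)
    if [ "$v" = absent ]; then echo no-mss-floor; else echo "mss-floor=$v"; fi
}

# Report both settings; succeed only when the SACK workaround is in place.
audit() {
    s=$(sack_state)
    echo "tcp_sack: $s"
    echo "tcp_min_snd_mss: $(mss_state)"
    [ "$s" = sack-disabled ]
}

audit || echo "SACK is not disabled: confirm the vendor kernel patches are installed"
```

Disabling SACK addresses only the SACK-based issues; the low-MSS issue (CVE-2019-11479) is covered by the kernel fix, which is why the script reports the two settings separately.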