Vulnerabilities in Linux and FreeBSD TCP stacks leading to remote denial of service

Netflix has disclosed several critical vulnerabilities in the Linux and FreeBSD TCP stacks that allow a remote attacker to crash the kernel or cause excessive resource consumption by sending specially crafted TCP packets (a "packet of death"). The problems are caused by errors in the handling of the maximum data block size of a TCP packet (MSS, Maximum Segment Size) and of the TCP selective acknowledgment mechanism (SACK, TCP Selective Acknowledgment).

  • CVE-2019-11477 (SACK Panic) - the problem affects Linux kernels starting from 2.6.29 and allows the kernel to be crashed (panic) by sending a series of SACK packets, due to an integer overflow in the handler. For the attack it is enough to set the MSS of the TCP connection to 48 bytes (the lower limit, which leaves a data segment of 8 bytes) and send a sequence of specially arranged SACK packets.

    As security workarounds, you can disable SACK processing (write 0 to /proc/sys/net/ipv4/tcp_sack) or block connections with a low MSS (this only works when the sysctl net.ipv4.tcp_mtu_probing is set to 0 and may break some legitimate low-MSS connections);

  • CVE-2019-11478 (SACK Slowness) - leads to a breakdown of the SACK mechanism (on Linux kernels earlier than 4.15) or to excessive resource consumption. The problem manifests when processing specially crafted SACK packets, which can be used to fragment the TCP retransmission queue. The workarounds are the same as for the previous vulnerability;
  • CVE-2019-5599 (SACK Slowness) - allows the map of sent packets to be fragmented by processing a special SACK sequence within a single TCP connection, which triggers a resource-intensive walk of the list. The problem appears in FreeBSD 12 with the RACK packet loss detection mechanism. As a workaround, the RACK module can be disabled;
  • CVE-2019-11479 - an attacker can cause the Linux kernel to split responses into many TCP segments, each carrying only 8 bytes of data, which can lead to a significant increase in traffic, higher CPU load and saturation of the communication channel. Blocking connections with a low MSS is recommended as a workaround.

    The issues in the Linux kernel have been fixed in releases 4.4.182, 4.9.182, 4.14.127, 4.19.52 and 5.1.11. A fix for FreeBSD is available as a patch. Kernel package updates have already been released for Debian, RHEL and SUSE/openSUSE; fixes for Ubuntu, Fedora and Arch Linux are in progress.
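    As an added example (not from the article, Netflix or any distribution), the following POSIX shell script turns the fixed release list and the two workarounds above into a host audit: it classifies a `uname -r` string against the fixed stable releases and reports whether SACK is disabled and whether low-MSS blocking would be effective (tcp_mtu_probing = 0). It assumes that mainline series newer than 5.1 already carry the fix and that series not named in the article cannot be judged from it.

```shell
#!/bin/sh
# Added example (not from the article or any vendor): audit a Linux host
# against the fixes and workarounds described in the article.

# Stable kernel releases that carry the fixes, as listed in the article.
FIXED_RELEASES="4.4.182 4.9.182 4.14.127 4.19.52 5.1.11"

# kernel_status VERSION
# Prints fixed | vulnerable | unaffected | unknown for a `uname -r` string.
# Assumption: series newer than 5.1 (mainline 5.2+) already contain the fix;
# affected series not in FIXED_RELEASES are reported as unknown.
kernel_status() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # drop "-generic" etc.
    maj=$(printf '%s' "$ver" | cut -d. -f1)
    min=$(printf '%s' "$ver" | cut -s -d. -f2)
    pat=$(printf '%s' "$ver" | cut -s -d. -f3)
    min=${min:-0}; pat=${pat:-0}
    case $maj in ''|*[!0-9]*) echo unknown; return 0;; esac
    # The affected range starts at 2.6.29.
    if [ "$maj" -lt 2 ] || { [ "$maj" -eq 2 ] && [ "$min" -lt 6 ]; } \
       || { [ "$maj" -eq 2 ] && [ "$min" -eq 6 ] && [ "$pat" -lt 29 ]; }; then
        echo unaffected; return 0
    fi
    if [ "$maj" -gt 5 ] || { [ "$maj" -eq 5 ] && [ "$min" -gt 1 ]; }; then
        echo fixed; return 0
    fi
    for rel in $FIXED_RELEASES; do
        fmaj=${rel%%.*}; rest=${rel#*.}; fmin=${rest%%.*}; fpat=${rest#*.}
        if [ "$maj" -eq "$fmaj" ] && [ "$min" -eq "$fmin" ]; then
            [ "$pat" -ge "$fpat" ] && echo fixed || echo vulnerable
            return 0
        fi
    done
    echo unknown
}

# workaround_status [TCP_SACK_FILE] [MTU_PROBING_FILE]
# Prints "sack=off" when SACK processing is disabled (tcp_sack = 0) and
# "mss-block=ok" when low-MSS blocking would be effective (tcp_mtu_probing = 0).
# The file arguments let the check run against captured sysctl values.
workaround_status() {
    sack=${1:-/proc/sys/net/ipv4/tcp_sack}
    mtup=${2:-/proc/sys/net/ipv4/tcp_mtu_probing}
    s="sack=on"; m="mss-block=ineffective"
    [ -r "$sack" ] && [ "$(cat "$sack")" = 0 ] && s="sack=off"
    [ -r "$mtup" ] && [ "$(cat "$mtup")" = 0 ] && m="mss-block=ok"
    echo "$s $m"
}

echo "kernel $(uname -r): $(kernel_status "$(uname -r)")"
echo "workarounds: $(workaround_status)"
```

    A status of "unknown" for a series such as 4.18 means the article's list gives no verdict and the distribution's own advisory has to be consulted.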

    Source: opennet.ru
