SACK Panic & Slowness: KernelCare patches are on the way

Netflix has a new hit on its hands. They’ve discovered new Linux kernel vulnerabilities and describe how a properly formed TCP network packet can cause the kernel to panic or slow down. There are three kinds. Two affect Linux kernels. (The other is for FreeBSD so won’t be described further.) All are dangerous because they can be executed remotely.

CVE–2019–11477: SACK Panic

This affects all kernels 2.6.29 and older.

It exploits the kernel’s TCP Selective ACKnowledgement feature by adjusting the values of the MSS (Maximum Segment Size). A sequence of packets can cause a kernel panic.

CVE–2019–11478 & CVE–2019–11479: SACK Slowness

The first affects all kernels before 4.15, the second, all Linux versions.

Using a similar technique, the TCP retransmission queue becomes so fragmented that the kernel spends excessive resources managing that TCP connection’s SACK elements, slowing down the CPU.

Mitigation

Although these vulnerabilities have configuration file workarounds, described by Netflix, the recommended mitigation is to apply kernel patches. These are already available and are being made ready for release to KernelCare customers for automatic and rebootless installation. Anyone not using a live patching solution will need to reboot their servers to make use of patches for these vulnerabilities.

About KernelCare

KernelCare is a live patching system that patches Linux kernel vulnerabilities automatically, with no reboots. It’s used on over 300,000 servers, and has been used to patch servers running for 6+ years. It works with all major Linux distributions, such as RHEL, CentOS, Amazon Linux, and Ubuntu. It also interoperates with common vulnerability scanners such as Nessus, Tenable, Rapid7, and Qualys. To talk with a consultant about how KernelCare might meet your enterprise’s specific needs, contact us directly at [email protected].