SACK Panic & Slowness: KernelCare patches are on the way - TuxCare

SACK Panic & Slowness: KernelCare patches are on the way

Alexandra Mitroshkina

June 21, 2019

KernelCare Blog

Netflix has a new hit on its hands. They’ve discovered new Linux kernel vulnerabilities and describe how specially crafted TCP packets can cause the kernel to panic or slow down. There are three kinds of issue: two (SACK Panic and SACK Slowness) affect Linux kernels; the third is specific to FreeBSD and is not described further here. All are dangerous because they can be triggered remotely.

CVE-2019-11477: SACK Panic

This affects all kernels 2.6.29 and older.

It exploits the kernel’s TCP Selective ACKnowledgement (SACK) handling in combination with a manipulated MSS (Maximum Segment Size) on the connection. A sequence of such packets can cause a kernel panic.

CVE-2019-11478 &amp; CVE-2019-11479: SACK Slowness

The first affects all kernels before 4.15; the second affects all Linux versions.

Using a similar technique, an attacker can fragment the TCP retransmission queue so badly that the kernel spends excessive resources managing that TCP connection’s SACK elements, consuming CPU time and slowing the system down.

Mitigation

Although these vulnerabilities have configuration file workarounds, described by Netflix, the recommended mitigation is to apply kernel patches. These are already available and are being made ready for release to KernelCare customers for automatic and rebootless installation. Anyone not using a live patching solution will need to reboot their servers to make use of patches for these vulnerabilities.
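As an added example that is not part of the original post or of KernelCare’s own tooling, the following POSIX shell script audits whether either interim workaround from Netflix’s advisory is in force on a host (TCP SACK processing disabled via net.ipv4.tcp_sack=0, or an iptables rule dropping segments that advertise an MSS of at most 500) and prints the filter commands when neither is; the 500-byte MSS ceiling and the status labels are assumptions taken from that advisory’s sample filter.

```sh
#!/bin/sh
# Added example, not code from the original post or from KernelCare/Netflix.
# Audits the two interim workarounds described in Netflix's advisory for hosts
# that cannot yet take the kernel patch: disabling TCP SACK processing
# (net.ipv4.tcp_sack=0) or dropping segments with a very low MSS. The ceiling
# of 500 follows the advisory's sample filter. Assumes Linux with /proc/sys
# and iptables in PATH.

MSS_CEILING=500

# Verdict from the two observable settings. Arguments:
#   $1  current value of net.ipv4.tcp_sack (0 or 1)
#   $2  "yes" if an INPUT rule dropping tcpmss 1:$MSS_CEILING exists, else "no"
# Prints mitigated-sack-off, mitigated-mss-filter or exposed; returns 0 only
# when at least one workaround is in force.
sack_workaround_status() {
  if [ "$1" = "0" ]; then
    echo "mitigated-sack-off"; return 0
  fi
  if [ "$2" = "yes" ]; then
    echo "mitigated-mss-filter"; return 0
  fi
  echo "exposed"; return 1
}

# Live readings from the host (root is needed for iptables).
read_tcp_sack() { cat /proc/sys/net/ipv4/tcp_sack; }
has_low_mss_drop_rule() {
  if iptables -S INPUT 2>/dev/null | grep -q -- "-m tcpmss --mss 1:$MSS_CEILING -j DROP"; then
    echo yes
  else
    echo no
  fi
}

# Filter commands for the low-MSS workaround, printed for review rather than
# executed. Disabling SACK costs throughput on lossy links, so that choice is
# left to the administrator.
print_mss_filter_commands() {
  printf 'iptables -I INPUT -p tcp -m tcpmss --mss 1:%s -j DROP\n' "$MSS_CEILING"
  printf 'ip6tables -I INPUT -p tcp -m tcpmss --mss 1:%s -j DROP\n' "$MSS_CEILING"
}

main() {
  status=$(sack_workaround_status "$(read_tcp_sack)" "$(has_low_mss_drop_rule)") || true
  echo "SACK workaround status: $status"
  if [ "$status" = "exposed" ]; then print_mss_filter_commands; fi
}
# Run the audit only when invoked as: sh sack_audit.sh audit
case "${1:-}" in audit) main ;; esac
```

Once the live-patched or rebooted kernel carries the fix, the MSS filter can be removed again.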

About KernelCare

KernelCare is a live patching system that patches Linux kernel vulnerabilities automatically, with no reboots. It’s used on over 300,000 servers, and has been used to patch servers running for 6+ years. It works with all major Linux distributions, such as RHEL, CentOS, Amazon Linux, and Ubuntu. It also interoperates with common vulnerability scanners such as Nessus, Tenable, Rapid7, and Qualys. To talk with a consultant about how KernelCare might meet your enterprise’s specific needs, contact us directly at [email protected].
