Security engineers at Netflix discovered and reported TCP vulnerabilities in the FreeBSD and Linux kernels. The most serious of these is "SACK Panic", which allows an attacker to remotely attack Linux kernels.
In total, four vulnerabilities related to maximum segment size (MSS) and TCP Selective Acknowledgement (SACK) were found. MSS is a parameter in the TCP header of a packet that specifies the total amount of data a computer can accept in a single TCP segment. SACK is a mechanism that enables the recipient of data to notify the sender of all the segments that have been successfully received.
Later, Red Hat described these vulnerabilities, their history and the patches. Red Hat said that exploitation of the vulnerabilities has been limited to some denial-of-service attacks. It added that there is no evidence that the vulnerabilities were used to leak data or to obtain full control of the affected systems.
Here are two of the vulnerabilities that were published:
SACK Panic (CVE-2019-11477)
SACK Panic, as we said above, is the most serious of the four vulnerabilities. An attacker can exploit it to cause an integer overflow by sending a crafted sequence of SACKs on a TCP connection with a low MSS value. This causes the operating system to malfunction, and it is difficult to restore it to its normal state. A restart is necessary, which results in a denial of service.
The SACK Panic vulnerability was detected in Linux 2.6.29 and newer releases.
Excessive resource consumption due to low MSS values (CVE-2019-11479)
An attacker can force the Linux kernel to divide its responses into multiple TCP segments, each carrying only 8 bytes of data. This increases the bandwidth required to deliver the same volume of data.
This vulnerability has been detected in all Linux versions.
The Netflix team provided patches for the specific vulnerabilities and suggested some ways to address them in its official report.
Red Hat has announced that it will release a "kpatch" that will be available to all of its customers using supported versions of Red Hat Enterprise Linux 7 or later. The company advises customers who use affected versions to update as soon as it is released. More information on troubleshooting steps is available on the official Red Hat website.