SACK Panic & Slowness: KernelCare patches are on the way
Netflix has a new hit on its hands. They’ve discovered new Linux kernel vulnerabilities and describe how a properly formed TCP network packet can cause the kernel to panic or slow down. There are three vulnerabilities: two affect the Linux kernel, and the third is specific to FreeBSD, so it won’t be described further. All are dangerous because they can be triggered remotely.
CVE-2019-11477: SACK Panic
This affects all kernels 2.6.29 and older.
It exploits the kernel’s TCP Selective ACKnowledgement (SACK) feature: by manipulating the MSS (Maximum Segment Size) value, an attacker can send a sequence of packets that causes a kernel panic.
CVE-2019-11478 & CVE-2019-11479: SACK Slowness
The first affects all kernels before 4.15; the second affects all Linux versions.
Using a similar technique, an attacker can fragment the TCP retransmission queue so badly that the kernel spends excessive resources managing that TCP connection’s SACK elements, slowing down the CPU.
Although these vulnerabilities have configuration file workarounds, described by Netflix, the recommended mitigation is to apply kernel patches. These are already available and are rolling out over the weekend to KernelCare customers for automatic and rebootless installation. Anyone not using a live patching solution will need to reboot their servers to make use of patches for these vulnerabilities.
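As an added example (not code from the KernelCare post), the following POSIX shell audit checks a host for the workarounds Netflix documented, disabling SACK via the net.ipv4.tcp_sack sysctl or dropping low-MSS segments with an iptables tcpmss rule, and for the net.ipv4.tcp_min_snd_mss sysctl that the upstream CVE-2019-11479 fix introduced. The file paths and the iptables listing are passed as parameters (assumed defaults under /proc) so each check can also be run against constructed input.

```shell
#!/bin/sh
# Added example, not from the KernelCare post: audit a Linux host for the
# Netflix-documented SACK workarounds and for the upstream fix marker.
# Paths and the iptables listing are parameters so each check can be run
# against constructed input as well as the live host.

# Returns 0 if TCP SACK is enabled (value 1) in the given sysctl file,
# 1 if it is disabled, 2 if the file cannot be read.
sack_enabled() {
    f="${1:-/proc/sys/net/ipv4/tcp_sack}"
    [ -r "$f" ] || return 2
    [ "$(tr -d '[:space:]' < "$f")" = "1" ]
}

# Returns 0 if the given `iptables -S INPUT` text contains the Netflix
# "block low MSS" rule (drop segments advertising an MSS in the range 1:N).
low_mss_rule_present() {
    printf '%s\n' "$1" | grep -Eq -- '-m tcpmss --mss 1:[0-9]+ .*-j DROP'
}

# Returns 0 if the net.ipv4.tcp_min_snd_mss sysctl exists. It was introduced
# by the upstream fix for CVE-2019-11479, so its presence means a distro kernel
# carries the fix; its absence proves nothing on a live-patched kernel.
min_snd_mss_sysctl_present() {
    [ -r "${1:-/proc/sys/net/ipv4/tcp_min_snd_mss}" ]
}

# Prints a one-line verdict; returns 0 if a workaround or the fix is in place.
sack_status() {
    sysctl_file="$1"; rules="$2"; min_mss_file="$3"
    if min_snd_mss_sysctl_present "$min_mss_file"; then
        echo "kernel exposes tcp_min_snd_mss: upstream fix present"; return 0
    fi
    sack_enabled "$sysctl_file" && rc=0 || rc=$?
    if [ "$rc" -eq 1 ]; then
        echo "tcp_sack disabled: SACK workaround active"; return 0
    fi
    if low_mss_rule_present "$rules"; then
        echo "tcp_sack enabled but low-MSS segments dropped: workaround active"; return 0
    fi
    echo "no workaround or fix detected: apply the kernel patch"; return 1
}

# Stand-alone run against the live host; '|| :' keeps a sourcing shell alive.
sack_status /proc/sys/net/ipv4/tcp_sack "$(iptables -S INPUT 2>/dev/null)" \
    /proc/sys/net/ipv4/tcp_min_snd_mss || :
```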
KernelCare Patches released to production:
- CentOS 6
- CentOSPlus for CentOS 6
- CentOS 7
- CentOSPlus for CentOS 7
- CloudLinux OS 6
- Cloud Linux 6 hybrid
- CloudLinux OS 7
- Debian 8
- Debian 9
- Ubuntu 14.04 LTS (Trusty Tahr)
- Ubuntu 16.04 LTS (Xenial Xerus)
- Ubuntu 18.04 LTS (Bionic Beaver)
- Oracle Enterprise Linux
- Oracle Enterprise Linux 6
- Oracle Enterprise Linux 7
- Proxmox VE
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
- Amazon Linux 1
- Amazon Linux 2
Patches from the production feed will be applied automatically.
Right now the KernelCare team is working on patches for:
- Oracle UEK 3
- Oracle UEK 4
- Oracle UEK 5