Netflix has a new hit on its hands. They have discovered new Linux kernel vulnerabilities and describe how a properly formed sequence of TCP packets can cause the kernel to panic or slow down. There are three issues: two affect Linux kernels, and the third affects FreeBSD (it is not described further here). All are dangerous because they can be triggered remotely.

CVE–2019–11477: SACK Panic

This affects all kernels 2.6.29 and older.

It abuses the kernel’s TCP Selective ACKnowledgement (SACK) feature in combination with adjusted MSS (Maximum Segment Size) values; a sequence of such packets can cause a kernel panic.

CVE–2019–11478 & CVE–2019–11479: SACK Slowness

The first affects all kernels before 4.15; the second affects all Linux versions.

Using a similar technique, an attacker can fragment the TCP retransmission queue so badly that the kernel spends excessive resources managing that TCP connection’s SACK elements, consuming CPU time and slowing the system down.

Mitigation

Although these vulnerabilities have configuration workarounds, described by Netflix, the recommended mitigation is to apply kernel patches. These are already available and are rolling out over the weekend to KernelCare customers for automatic, rebootless installation. Anyone not using a live patching solution will need to reboot their servers for the patches for these vulnerabilities to take effect.
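As an added example (not from this post or from KernelCare), here is a small POSIX shell audit for the workaround that Netflix’s advisory describes: disabling SACK through the `net.ipv4.tcp_sack` sysctl. The sysctl name is a real Linux kernel knob; the file path is a parameter so the check can be exercised against a constructed sample file as well as the live `/proc` entry.

```shell
#!/bin/sh
# Added example: audit the SACK-disable workaround for CVE-2019-11477,
# CVE-2019-11478 and CVE-2019-11479. The live knob is /proc/sys/net/ipv4/tcp_sack;
# a different path may be passed for testing against a constructed file.

SACK_SYSCTL=/proc/sys/net/ipv4/tcp_sack

# Print a status word and return 0 if SACK is disabled (workaround in place),
# 1 if SACK is enabled (host relies on a patched kernel), 2 if unreadable.
sack_status() {
    f=${1:-$SACK_SYSCTL}
    [ -r "$f" ] || { echo "unknown"; return 2; }
    v=$(tr -d '[:space:]' < "$f")
    case "$v" in
        0) echo "sack-disabled"; return 0 ;;
        1) echo "sack-enabled"; return 1 ;;
        *) echo "unknown"; return 2 ;;
    esac
}

# A host needs attention only when SACK is still enabled AND the kernel has
# not been patched. $1: status word from sack_status; $2: "patched" or
# "unpatched" as recorded by your own patch inventory (an input assumed here).
needs_action() {
    case "$1:$2" in
        sack-enabled:unpatched) return 0 ;;
        *) return 1 ;;
    esac
}

# Apply the workaround (needs root). Disabling SACK costs throughput on lossy
# links, which is why the post recommends the kernel patch instead.
disable_sack() {
    sysctl -w net.ipv4.tcp_sack=0
}

if [ "${1:-}" = "--check" ]; then
    s=$(sack_status) || true
    echo "net.ipv4.tcp_sack: $s"
fi
```

Run with `--check` on a live host to see the current state; the workaround is temporary and is reset at reboot unless persisted in sysctl configuration.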

KernelCare patches released to production:

  • CentOS 6
  • CentOSPlus for CentOS 6
  • CentOS 7
  • CentOSPlus for CentOS 7
  • CloudLinux OS 6
  • CloudLinux OS 6 Hybrid
  • CloudLinux OS 7
  • Debian 8
  • Debian 9
  • Ubuntu 14.04 LTS (Trusty Tahr)
  • Ubuntu 16.04 LTS (Xenial Xerus)
  • Ubuntu 18.04 LTS (Bionic Beaver)
  • Oracle Enterprise Linux 
  • Oracle Enterprise Linux 6
  • Oracle Enterprise Linux 7
  • OpenVZ
  • Proxmox VE
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • Amazon Linux 1
  • Amazon Linux 2

Patches from the production feed will be applied automatically.

Right now the KernelCare team is working on patches for:

  • Oracle UEK 3
  • Oracle UEK 4
  • Oracle UEK 5
