Researchers at Netflix have discovered new denial-of-service (DoS) vulnerabilities in the Linux and FreeBSD kernels, including a severe vulnerability called SACK Panic that could allow malicious actors to remotely crash servers and disrupt communications, according to an advisory published in its GitHub repository.
“The vulnerabilities specifically relate to the Maximum Segment Size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. The most serious, dubbed ‘SACK Panic,’ allows a remotely-triggered kernel panic on recent Linux kernels,” the advisory stated.
Netflix researchers added that there are patches for most of these vulnerabilities and additional mitigation strategies to consider if patching is not possible.
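The fallback the Netflix advisory offers when a kernel cannot be patched is to turn off SACK processing, which on Linux is controlled by the net.ipv4.tcp_sack sysctl. The script below is an added example, not code from the article or from Netflix: it reports the running kernel version and whether SACK is currently enabled, so an operator can see which hosts still rely on the workaround. The SACK_SYSCTL_PATH variable and the function names are this example's own; the sysctl is read through a path variable so the check can also be run against a constructed file.

```shell
#!/bin/sh
# Added example (not from the article or the Netflix advisory).
# Reports kernel version and TCP SACK state on a Linux host.

# Path is overridable so the check can be exercised against a test file.
SACK_SYSCTL_PATH="${SACK_SYSCTL_PATH:-/proc/sys/net/ipv4/tcp_sack}"

# sack_status FILE
#   Prints "enabled" when the file holds 1 and "disabled" when it holds 0.
#   Returns 1 if the file is unreadable or holds anything else.
sack_status() {
    file="$1"
    [ -r "$file" ] || return 1
    val=$(cat "$file")
    case "$val" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) return 1 ;;
    esac
}

# report_host
#   One line per host, suitable for collecting across a fleet:
#   <kernel release> sack=<enabled|disabled|unknown>
report_host() {
    kernel=$(uname -r)
    status=$(sack_status "$SACK_SYSCTL_PATH") || status=unknown
    echo "$kernel sack=$status"
}

# Run the report when executed directly; never abort the caller's shell.
report_host || :
```

A host showing sack=enabled on an unpatched kernel is still exposed; sack=disabled means the workaround is in place, at the cost of poorer TCP throughput on lossy paths, so it is a stopgap until the kernel itself is updated.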
“The issues have been assigned multiple CVEs: CVE-2019-11477 is considered an Important severity, whereas CVE-2019-11478 and CVE-2019-11479 are considered a Moderate severity,” a Red Hat advisory stated.
These flaws can reportedly impact any organization running large fleets of production Linux computers and, if left unpatched, allow remote attackers to take control and crash the machines.
“The Linux TCP SACK vulnerability is a truly serious threat. First, this is a threat to many Internet-facing servers of the big giants of the internet (Google, Amazon, etc.) – and right now the focus is on upgrading the endless servers that are used as the infrastructure for the internet and the countless applications that rely on them,” said Armis’ VP of research, Ben Seri.
“Once the dust settles and the majority of this infrastructure has received the proper patch, many organizations will then need to deal with the long tail of the patching cycle. At the very end of this tail are the devices that don't receive automatic updates and might not receive any update at all – the [internet of things] and unmanaged devices that in many cases are built on top of Linux. This vulnerability also goes back a long time (since Linux v2.6.29, that was released 10 years ago), so the amount of legacy devices that use the vulnerable code will be very significant in this case, and these types of devices are unlikely to receive patches at all.”