Daily Archives: June 21, 2019

Linux TCP SACK Vulnerabilities June 2019

Earlier this week; Netflix’s Cybersecurity team disclosed 3 denial of service vulnerabilities within the Linux kernels (defined) affecting Amazon AWS, Debian, Red Hat, FreeBSD (only 1 vulnerability affects FreeBSD), SUSE and Ubuntu distributions.

================
TL DR:
If you use Amazon AWS, Debian FreeBSD, Red Hat, SUSE or Ubuntu, please install the relevant vendor updates or implement the workarounds both linked to below.
================

Why should these vulnerabilities be considered important?
All of these vulnerabilities are remotely exploitable. The most serious of which has been given the name “SACK Panic” (CVE-2019-11477) is most likely to be present/enabled in web servers used to run both large and small business or personal websites. Exploiting this issue will lead to your server crashing/becoming unresponsive. It has a CVSS 3 base score of 7.5 (high severity) and with a low complexity for an attacker to leverage.

The second vulnerability CVE-2019-11478 which can cause “SACK Slowness” is also remotely exploitable but is of moderate severity. If an attacker were to create and send a series of SACK packets it can cause the affected Linux systems to use too much resources (both memory and CPU). FreeBSD is vulnerable to a variation of this CVE-2019-5599.

The third and final vulnerability CVE-2019-11479 is again moderate severity causing high resource usage. In this instance; when an attacker would need to set the maximum segment size (MSS) of a TCP connection to it’s smallest limit of 48 bytes and then send a sequence of specially crafted SACK packets.

The name SACK is derived from TCP Selective Acknowledgement (SACK) packets used to speed up TCP re-transmits by informing a sender (in a two-way data transfer) of which data packets have been already been received successfully.

================

How can I protect my organisation or myself from these vulnerabilities?
The affected vendors have released updates or workarounds for these vulnerabilities; links to their advisories and recommended actions are provided below.

At this time, it is not known if Apple macOS (which originated from FreeBSD) is affected. It is not mentioned in any of the advisories. Should an advisory be released it will be available from Apple’s dedicated security page.

================

Amazon AWS:
https://aws.amazon.com/security/security-bulletins/AWS-2019-005/

Debian:
https://security-tracker.debian.org/tracker/CVE-2019-11477

https://security-tracker.debian.org/tracker/CVE-2019-11478

https://security-tracker.debian.org/tracker/CVE-2019-11479

FreeBSD:
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001/split_limit.patch

RedHat:
https://access.redhat.com/security/vulnerabilities/tcpsack

SUSE:
https://www.suse.com/support/kb/doc/?id=7023928

Ubuntu:
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SACKPanic

====================
Updated: 9th July 2019
====================
On the 2nd of July 2019; VMware issued some updates for this set of vulnerabilities that affects it’s products. Further updates are pending. If you use any of the following VMware products, please review this security advisory and apply the updates as they become available:

AppDefense
Container Service Extension
Enterprise PKS
Horizon
Horizon DaaS
Hybrid Cloud Extension
Identity Manager
Integrated OpenStack
NSX for vSphere
NSX-T Data Center
Pulse Console
SD-WAN Edge by VeloCloud
SD-WAN Gateway by VeloCloud
SD-WAN Orchestrator by VeloCloud
Skyline Collector
Unified Access Gateway
vCenter Server Appliance
vCloud Availability Appliance
vCloud Director For Service Providers
vCloud Usage Meter
vRealize Automation
vRealize Business for Cloud
vRealize Code Stream
vRealize Log Insight
vRealize Network Insight
vRealize Operations Manager
vRealize Orchestrator Appliance
vRealize Suite Lifecycle Manager
vSphere Data Protection
vSphere Integrated Containers
vSphere Replication

Thank you.