Tag Archives: Red Hat Enterprise Linux

Linux TCP SACK Vulnerabilities June 2019

Earlier this week; Netflix’s Cybersecurity team disclosed 3 denial of service vulnerabilities within the Linux kernels (defined) affecting Amazon AWS, Debian, Red Hat, FreeBSD (only 1 vulnerability affects FreeBSD), SUSE and Ubuntu distributions.

================
TL DR:
If you use Amazon AWS, Debian FreeBSD, Red Hat, SUSE or Ubuntu, please install the relevant vendor updates or implement the workarounds both linked to below.
================

Why should these vulnerabilities be considered important?
All of these vulnerabilities are remotely exploitable. The most serious of which has been given the name “SACK Panic” (CVE-2019-11477) is most likely to be present/enabled in web servers used to run both large and small business or personal websites. Exploiting this issue will lead to your server crashing/becoming unresponsive. It has a CVSS 3 base score of 7.5 (high severity) and with a low complexity for an attacker to leverage.

The second vulnerability CVE-2019-11478 which can cause “SACK Slowness” is also remotely exploitable but is of moderate severity. If an attacker were to create and send a series of SACK packets it can cause the affected Linux systems to use too much resources (both memory and CPU). FreeBSD is vulnerable to a variation of this CVE-2019-5599.

The third and final vulnerability CVE-2019-11479 is again moderate severity causing high resource usage. In this instance; when an attacker would need to set the maximum segment size (MSS) of a TCP connection to it’s smallest limit of 48 bytes and then send a sequence of specially crafted SACK packets.

The name SACK is derived from TCP Selective Acknowledgement (SACK) packets used to speed up TCP re-transmits by informing a sender (in a two-way data transfer) of which data packets have been already been received successfully.

================

How can I protect my organisation or myself from these vulnerabilities?
The affected vendors have released updates or workarounds for these vulnerabilities; links to their advisories and recommended actions are provided below.

At this time, it is not known if Apple macOS (which originated from FreeBSD) is affected. It is not mentioned in any of the advisories. Should an advisory be released it will be available from Apple’s dedicated security page.

================

Amazon AWS:
https://aws.amazon.com/security/security-bulletins/AWS-2019-005/

Debian:
https://security-tracker.debian.org/tracker/CVE-2019-11477

https://security-tracker.debian.org/tracker/CVE-2019-11478

https://security-tracker.debian.org/tracker/CVE-2019-11479

FreeBSD:
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001/split_limit.patch

RedHat:
https://access.redhat.com/security/vulnerabilities/tcpsack

SUSE:
https://www.suse.com/support/kb/doc/?id=7023928

Ubuntu:
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SACKPanic

====================
Updated: 9th July 2019
====================
On the 2nd of July 2019; VMware issued some updates for this set of vulnerabilities that affects it’s products. Further updates are pending. If you use any of the following VMware products, please review this security advisory and apply the updates as they become available:

AppDefense
Container Service Extension
Enterprise PKS
Horizon
Horizon DaaS
Hybrid Cloud Extension
Identity Manager
Integrated OpenStack
NSX for vSphere
NSX-T Data Center
Pulse Console
SD-WAN Edge by VeloCloud
SD-WAN Gateway by VeloCloud
SD-WAN Orchestrator by VeloCloud
Skyline Collector
Unified Access Gateway
vCenter Server Appliance
vCloud Availability Appliance
vCloud Director For Service Providers
vCloud Usage Meter
vRealize Automation
vRealize Business for Cloud
vRealize Code Stream
vRealize Log Insight
vRealize Network Insight
vRealize Operations Manager
vRealize Orchestrator Appliance
vRealize Suite Lifecycle Manager
vSphere Data Protection
vSphere Integrated Containers
vSphere Replication

Thank you.

Intel Lazy Floating Point Vulnerability: What you need to know

====================
Update: 24th July 2018:
====================
I have updated the list of vendor responses below to include further Red Hat versions and CentOS:

Red Hat Enterprise Linux 6:
https://access.redhat.com/errata/RHSA-2018:2164

Red Hat Enterprise Linux 5 and 7:
https://access.redhat.com/solutions/3485131

CentOS 6:
https://lists.centos.org/pipermail/centos-announce/2018-July/022968.html

CentOS 7:
https://lists.centos.org/pipermail/centos-announce/2018-June/022923.html

====================

On Wednesday of last week, a further vulnerability affecting Intel CPUs (defined) was disclosed.

TL;DR: Keep your operating system up to date and you should be fine.

What makes this vulnerability noteworthy?
According to Intel’s security advisory; this is an information disclosure issue. Similar to Spectre/Meltdown the flaw is the result of a performance optimization (used when saving and restoring the current state of applications as a system switches from one application to another). A feature known as Lazy Floating Point (defined) Unit (FPU) is used to save and restore registers (defined) within the CPU used to store floating point numbers (non-integers numbers, namely decimal numbers).

The issue is that these registers may be accessed by another application on the same system. If the registers are storing for example results of performing cryptographic equations for a key you have just created or used to decrypt data, the attacker could use this data to infer what the actual key is. The same applies for any type of data the registers store; that data can be used to infer what the previous contents were via a speculative execution side channel.

This vulnerability has been rated as moderate since it is difficult to exploit via a web browser (in contrast to Spectre) and the updates will be a software update only; no microcode (defined) and/or firmware (defined) updates will be necessary. With exploitation via a web browser being difficult; this vulnerability will likely instead be exploited from the victim system (at attacker will need to have already compromised your system).

How can I protect myself from this vulnerability?
Please note; AMD CPUs are NOT affected by this vulnerability.

The following vendors have responded to this vulnerability with software updates now in progress. Separately Red Hat has completed their updates for Red Hat Linux 5, 6 and 7 (with further applicable updates still in progress).

Other vendors responses are listed below. Thank you:

Amazon Web Services

Apple (currently release notes for an update to macOS to resolve the vulnerability)

DragonFlyBSD

Intel’s Security Advisory

Linux

Microsoft Windows

OpenBSD

Xen Project