Tag Archives: SUSE

Linux TCP SACK Vulnerabilities June 2019

Earlier this week; Netflix’s Cybersecurity team disclosed 3 denial of service vulnerabilities within the Linux kernels (defined) affecting Amazon AWS, Debian, Red Hat, FreeBSD (only 1 vulnerability affects FreeBSD), SUSE and Ubuntu distributions.

================
TL DR:
If you use Amazon AWS, Debian FreeBSD, Red Hat, SUSE or Ubuntu, please install the relevant vendor updates or implement the workarounds both linked to below.
================

Why should these vulnerabilities be considered important?
All of these vulnerabilities are remotely exploitable. The most serious of which has been given the name “SACK Panic” (CVE-2019-11477) is most likely to be present/enabled in web servers used to run both large and small business or personal websites. Exploiting this issue will lead to your server crashing/becoming unresponsive. It has a CVSS 3 base score of 7.5 (high severity) and with a low complexity for an attacker to leverage.

The second vulnerability CVE-2019-11478 which can cause “SACK Slowness” is also remotely exploitable but is of moderate severity. If an attacker were to create and send a series of SACK packets it can cause the affected Linux systems to use too much resources (both memory and CPU). FreeBSD is vulnerable to a variation of this CVE-2019-5599.

The third and final vulnerability CVE-2019-11479 is again moderate severity causing high resource usage. In this instance; when an attacker would need to set the maximum segment size (MSS) of a TCP connection to it’s smallest limit of 48 bytes and then send a sequence of specially crafted SACK packets.

The name SACK is derived from TCP Selective Acknowledgement (SACK) packets used to speed up TCP re-transmits by informing a sender (in a two-way data transfer) of which data packets have been already been received successfully.

================

How can I protect my organisation or myself from these vulnerabilities?
The affected vendors have released updates or workarounds for these vulnerabilities; links to their advisories and recommended actions are provided below.

At this time, it is not known if Apple macOS (which originated from FreeBSD) is affected. It is not mentioned in any of the advisories. Should an advisory be released it will be available from Apple’s dedicated security page.

================

Amazon AWS:
https://aws.amazon.com/security/security-bulletins/AWS-2019-005/

Debian:
https://security-tracker.debian.org/tracker/CVE-2019-11477

https://security-tracker.debian.org/tracker/CVE-2019-11478

https://security-tracker.debian.org/tracker/CVE-2019-11479

FreeBSD:
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001/split_limit.patch

RedHat:
https://access.redhat.com/security/vulnerabilities/tcpsack

SUSE:
https://www.suse.com/support/kb/doc/?id=7023928

Ubuntu:
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SACKPanic

====================
Updated: 9th July 2019
====================
On the 2nd of July 2019; VMware issued some updates for this set of vulnerabilities that affects it’s products. Further updates are pending. If you use any of the following VMware products, please review this security advisory and apply the updates as they become available:

AppDefense
Container Service Extension
Enterprise PKS
Horizon
Horizon DaaS
Hybrid Cloud Extension
Identity Manager
Integrated OpenStack
NSX for vSphere
NSX-T Data Center
Pulse Console
SD-WAN Edge by VeloCloud
SD-WAN Gateway by VeloCloud
SD-WAN Orchestrator by VeloCloud
Skyline Collector
Unified Access Gateway
vCenter Server Appliance
vCloud Availability Appliance
vCloud Director For Service Providers
vCloud Usage Meter
vRealize Automation
vRealize Business for Cloud
vRealize Code Stream
vRealize Log Insight
vRealize Network Insight
vRealize Operations Manager
vRealize Orchestrator Appliance
vRealize Suite Lifecycle Manager
vSphere Data Protection
vSphere Integrated Containers
vSphere Replication

Thank you.

Vendors Respond to Spectre NG Vulnerabilities

====================
Update: 24th July 2018
====================
I have updated the list of vendor responses below to include further Red Hat versions and CentOS:

Red Hat Enterprise Linux 7:
https://access.redhat.com/errata/RHSA-2018:1629

CentOS 6:
https://lists.centos.org/pipermail/centos-announce/2018-July/022968.html

CentOS 7:
https://lists.centos.org/pipermail/centos-announce/2018-May/022843.html
====================

====================
Update: 19th June 2018
====================
Last Wednesday, the security news and troubleshooting website BleepingComputer published a table detailing the complete list of updates required to mitigate the Meltdown, Spectre and SpectreNG (also known as Spectre variant 4) vulnerabilities for all recent versions of Windows. This is very useful because I realise my previous blog post on Meltdown and Spectre was at times hard to follow (it has a lot of info within it).

As of Tuesday, 12th June Microsoft have released updates to address SpectreNG. While you can install these updates Microsoft have advised their security protections will not be enabled unless you choose to do so. This is due to the lower risk of SpectreNG and also given that enabling the security enhancements of these updates can lead to a performance penalty of up to 8% (as I detailed below).

Microsoft provide step by step advice and guidance if you wish to enable these updates within this security advisory. It is likely other OS vendors will take a similar approach e.g. Red Hat may also choose to distribute these updates but not enable them so as to work around the performance penalty.

For more information on the semi-related Intel Lazy Floating point vulnerability, please see my separate post.

Thank you.

====================
Original Post
====================
On Monday more details of these vulnerabilities were made available by affected vendors among them Red Hat, Google, Intel, IBM and Microsoft. There are two new vulnerabilities named:

Rogue System Register Read (Spectre Variant 3a) (CVE-2018-3640)

Speculative Store Bypass (SSB) (Spectre Variant 4) (CVE-2018-3639)

Why should these vulnerabilities be considered important?

Rogue System Register Read cannot be leveraged by an external attacker; they must instead log onto a vulnerable system and carry out further steps to exploit it. Once exploited the attacker may be able to obtain sensitive information by reading system parameters via side-channel analysis.

For Windows; successful exploitation of this vulnerability will bypass Kernel Address Space Layout Randomization (KASLR) protections. I have talked about ASLR (defined) before but provides this link more detail on kernel ASLR.

Google Project Zero’s Jann Horn and Microsoft’s Ken Johnson first reported Speculative Store Bypass. It can possibly be used by attacker externally (from the internet). I use the term “possibly” since the mitigations added to web browsers following Spectre variant 2 earlier this year will make it more difficult for an attacker to do so. Indeed, Intel rates the risk as “moderate.” This is a more serious vulnerability which may allow an attacker access to read privileged memory areas. An example would be a script running in one browser tab being able to read data from another browser tab.

Red Hat have made available a video more clearly explaining the Speculative Store Bypass (SSB) vulnerability.

How can I protect myself from these vulnerabilities?
At this time microcode updates are being developed by Red Hat, AMD, ARM, Intel, IBM and Microsoft. The affected products from many popular vendors are available from the following links. These vulnerabilities will not be addressed via software fixes but hardware fixes instead.

It is recommended to follow the best practice advice for these vulnerabilities as per the US-CERT namely:

1. Please refer to and monitor the links below for the updates from affected vendors.
2. Test these updates before deploying them widely
3. Ensure the performance impact (anticipated to be between 2 – 8%) is acceptable for the systems you manage/use.

These updates will ship with the mitigations disabled and if appropriate/acceptable for an affected system; the protection (along with its performance impact) can be enabled.

These updates are scheduled to be made available before the end of May. Cloud vendors (e.g. Amazon AWS, Microsoft Azure etc.) will also update their systems once the performance impact is determined and if deemed acceptable.

Thank you.

====================
AMD:
https://www.amd.com/en/corporate/security-updates

ARM:
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability

Cisco:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180521-cpusidechannel

IBM:
https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/

Intel:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html

Microsoft (full impact yet to be determined):
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180012

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180013

Red Hat:
https://access.redhat.com/security/cve/cve-2018-3639

Oracle:
https://blogs.oracle.com/oraclesecurity/processor-vulnerabilities-cve-2018-3640-and-cve-2018-3639

SUSE:
https://www.suse.com/de-de/support/kb/doc/?id=7022937

Ubuntu:
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Variant4

VMware ESXI, Fusion/Fusion Pro, Workstation/Workstation Pro and vCenter Server:
https://www.vmware.com/security/advisories/VMSA-2018-0012.html

https://kb.vmware.com/s/article/54951

https://kb.vmware.com/s/article/55111
====================