New vulnerabilities may let hackers remotely SACK Linux and FreeBSD systems
The Linux and FreeBSD operating systems contain newly discovered vulnerabilities that make it easy for hackers to remotely crash servers and disrupt communications, researchers have warned. OS distributors are advising users to install patches when available or to make system settings that lower the chances of successful exploits.
The most severe of the vulnerabilities, dubbed SACK Panic, can be exploited by sending a specially crafted sequence of TCP Selective ACKnowledgements to a vulnerable computer or server. The system will respond by crashing, or in the parlance of engineers, entering a kernel panic. Successful exploitation of this vulnerability, tracked as CVE-2019-11477, results in a remote denial of service (DoS).
A second vulnerability also works by sending a series of malicious SACKs that consumes computing resources of the vulnerable system. Exploits most commonly work by fragmenting a queue reserved for retransmitting TCP packets. In some OS versions, attackers can cause what’s known as an “expensive linked-list walk for subsequent SACKs.” This can result in additional fragmentation, which has been dubbed “SACK slowness.” Exploitation of this vulnerability, tracked as CVE-2019-11478, drastically degrades system performance and may eventually cause a complete DoS.
Both of these vulnerabilities exploit the way the OSes handle the above-mentioned TCP Selective ACKnowledgement (abbreviated SACK). SACK is a mechanism that allows a computer on the receiving end of a communication to apprise the sender of what segments have been successfully sent so that any lost ones can be resent. The parties set up the use of SACK during the three-way handshake that establishes the initial connection. The exploits work by overflowing a queue that stores received packets.
A vulnerability in FreeBSD 12 (tracked as CVE-2019-5599) works similarly to CVE-2019-11478 but instead interacts with the RACK send map of that OS.
A fourth vulnerability, tracked as CVE-2019-11479, can slow down affected systems by lowering the maximum segment size for a TCP connection. The setting causes vulnerable systems to send responses across multiple TCP segments, each of which contains only 8 bytes of data. Exploits cause the system to consume large amounts of bandwidth and resources in a way that degrades system performance. Maximum segment size is a setting contained in the header of a TCP packet that specifies the total amount of data contained in a reconstructed segment.
Thanks, Netflix
The vulnerabilities were discovered by researchers from Netflix and publicly reported Monday in a disclosure that was coordinated with the affected OS developers. Linux distributions have either released patches that fix the vulnerabilities or have recommended configuration changes that mitigate them. Workarounds include blocking connections with a low MSS, disabling SACK processing, or temporarily disabling the RACK TCP stack. These changes may break legitimate connections, and in the case of the RACK TCP stack being disabled, an attacker still may be able to cause an expensive linked-list walk for subsequent SACKs received for the same TCP connection.
The above-linked Netflix disclosure and this post from security firm Tenable are good places to get additional details. Affected OS users should consult with the developers of their distribution. Redhat has a good write-up here, and write-ups from Ubuntu and Amazon are here and here.