“Sad SACK” network protection

Netflix has identified several vulnerabilities in the TCP networking stack that affects all Linux users with un-patched kernels. The vulnerabilities have been assigned CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479.

All three issues have already been mitigated for all our VPS customers.

The original advisory says...

The vulnerabilities specifically relate to the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. The most serious, dubbed “SACK Panic,” allows a remotely-triggered kernel panic on recent Linux kernels

We are not aware of anyone abusing this exploit yet, however that is likely to change rapidly over the next few days. More information is available below.

For VPS customers who are sensitive to reboots, or who are otherwise not able to use the patched kernels, we have rolled out firewall rules on all our hosts to mitigate the issues from these CVEs.

Linux kernel developers have released patches for supported kernels, updated 4.14 and 4.19 VPS kernels are now tested and available for all our VPS customers. Anyone using those kernels can reboot from our control panel to get the newest kernel release for their server.

Customers who do not wish to change their kernel to the latest, can also add a firewall rule to block packets with small MSS values, like the below command. This will workaround all three CVEs. We recommend this as the best method.

iptables -t raw -I PREROUTING -p tcp -m tcpmss --mss 1:500 -j DROP

Alternatively, disable SACK processing:

sysctl -w /proc/sys/net/ipv4/tcp_sack=0

The following links offer advice specific to the key distributions we support. Please open a support ticket if you have any questions that relate to your services with us.







About Glenn Enright

Linux Systems Administrator at RimuHosting.com. I focus mainly on dedicated server provisioning with a sprinkling of network administration.
This entry was posted in Security and tagged , , , , , , , . Bookmark the permalink.

Leave a Reply