Netflix spots and patches Linux kernel vulnerabilities

News by Rene Millman

The flaws could allow hackers to trigger a kernel panic in systems and throw them offline

Security researchers at Netflix have discovered several flaws in the FreeBSD and Linux kernels that could allow hackers to trigger a kernel panic in systems and throw them offline.

According to a security advisory published by Red Hat, the first two are related to the Selective Acknowledgement (SACK) packets combined with Maximum Segment Size (MSS), the third solely with the Maximum Segment Size (MSS).

"The extent of impact is understood to be limited to denial of service at this time. No privilege escalation or information leak is currently suspected," said the advisory.

The most important of the vulnerabilities (CVE-2019-11477), affects Linux kernels 2.6.29 versions and above. An attacker could remotely trigger a kernel panic, which the operating system cannot easily recover from.

"A sequence of SACKs may be crafted such that one can trigger an integer overflow, leading to a kernel panic," Netflix said in an advisory.

The PATCH_net_1_4.patch fixes the issue. Additionally, versions of the Linux kernel up to, and including, 4.14 require a second patch PATCH_net_1a.patch.

A second problem CVE-2019-11478, causes SACK slowness in Linux versions below 4.15, or excess resource usage (all Linux versions). PATCH_net_2_4.patch fixes the issue.

"It is possible to send a crafted sequence of SACKs which will fragment the TCP retransmission queue," Netflix researchers said. "On Linux kernels prior to 4.15, an attacker may be able to further exploit the fragmented queue to cause an expensive linked-list walk for subsequent SACKs received for that same TCP connection."

The third problem, CVE-2019-11479, allows an attacker to force the Linux kernel to segment its responses into multiple TCP segments, each of which contains only 8 bytes of data.

"This drastically increases the bandwidth required to deliver the same amount of data. Further, it consumes additional resources (CPU and NIC processing power). This attack requires continued effort from the attacker and the impacts will end shortly after the attacker stops sending traffic," said the researchers.

Two patches, PATCH_net_3_4.patch and PATCH_net_4_4.patch, add a sysctl that enforces a minimum MSS, set by the net.ipv4.tcp_min_snd_mss sysctl. This lets an administrator enforce a minimum MSS appropriate for their applications.

Lastly, CVE-2019-5599, causes SACK slowness in FreeBSD 12 if using the RACK TCP Stack.

"It is possible to send a crafted sequence of SACKs which will fragment the RACK send map," Netflix researchers said. "An attacker may be able to further exploit the fragmented send map to cause an expensive linked-list walk for subsequent SACKs received for that same TCP connection."

Researchers said that good system and application coding and configuration practices (limiting write buffers to the necessary level, monitoring connection memory consumption via SO_MEMINFO, and aggressively closing misbehaving connections) "can help to limit the impact of attacks against these kinds of vulnerabilities".

Jake Moore, cybersecurity specialist at ESET, told SC Media UK that simple procedures such as looking out for spear phishing attacks as standard will help whilst a patch is created for this vulnerability, but extra action can be taken like disabling any remote access to reduce the risk.

"Disabling remote controls will thwart attacks that are able to penetrate the systems. It may not be a gold  standard but it will help protect for now. A DDoS attack is possible at any time but the risk increases with this type of vulnerability whilst a patch sorted,"  he said.

Tim Mackey, Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center), told SC Media that the flaws highlights an important consideration when designing open source patch management strategies: the availability of source information.

"While media are actively promoting the existence of CVE-2019-11477, and major Linux distributions have released patches, the National Vulnerability Database currently has only a placeholder for this high impact vulnerability. This means that if your security information feed is primarily based on the NVD, and you aren’t an engaged customer of a major Linux distribution, then your awareness of the nature and scope of this issue is based on media coverage," he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews