Tuesday, June 18, 2019

TCP SACK PANIC: Multiple TCP-based remote denial of service vulnerabilities

[UPDATE 2019-06-25]

- Bitnami has now released all the images with the new kernel available for all the supported platforms. These changes are being propagated across all the Marketplaces right now.

Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels.

They are all related to the Maximum Segment Size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. A malicious attacker can construct a specific sequence of TCP packets that leads to a remotely triggered kernel panic on recent Linux kernels.

The list of CVEs is as follows:

  • CVE-2019-11477: SACK Panic (Linux >= 2.6.29): A sequence of SACKs may be crafted such that one can trigger an integer overflow, leading to a kernel panic.
  • CVE-2019-11478: SACK Slowness (Linux < 4.15) or Excess Resource Usage (all Linux versions): It is possible to send a crafted sequence of SACKs which will fragment the TCP retransmission queue.
  • CVE-2019-5599: SACK Slowness (FreeBSD 12 using the RACK TCP Stack): It is possible to send a crafted sequence of SACKs which will fragment the RACK send map.
  • CVE-2019-11479: Excess Resource Consumption Due to Low MSS Values (all Linux versions): An attacker can force the Linux kernel to segment its responses into multiple TCP segments, each of which contains only 8 bytes of data.

You can find more information about these vulnerabilities in the official security announcement.

Bitnami is working on updating all affected Virtual Machines and Cloud Images available through Bitnami, for all of our cloud provider partners. Once this update is complete, all new launches will be protected from these issues.

If you already have a running server (virtual machine) or if you have a Bitnami stack installed on your computer, you will need to update the operating system on your own. If a patched kernel is available from the operating system vendor, you can update it by following these instructions (depending on your distribution / operating system):

- Ubuntu / Debian

sudo apt-get update && sudo apt-get dist-upgrade

- Oracle Linux, Red Hat, CentOS, and Amazon Linux

sudo yum update

After completing the steps above, reboot your server so that the fixed kernel is the one actually running. The kernel package versions that fix these vulnerabilities are the following:

- Ubuntu 16.04: 4.4.0-151-generic
- Ubuntu 16.04 for Azure: 4.15.0-1047-azure
- Debian 9: 4.9.168-1+deb9u3
- Oracle Linux 7: 4.1.12-124.28.3.el7uek or 4.14.35-1902.2.0.el7uek
- Red Hat: 3.10.0-957.21.3.el7
- CentOS: 3.10.0-957.21.3.el7
- Amazon Linux: 4.14.123-86.109.amzn1
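The following script is an added example (not Bitnami's tooling) that turns the version table above into a check you can run on a server: it compares a kernel version against the fixed version for a platform and refuses to judge kernels from a different upstream series, since the table says nothing about those. It assumes GNU sort (for -V) and that the version you pass is written in the same form as the table row (the uname -r string for Ubuntu, Red Hat, CentOS, Oracle Linux and Amazon Linux; the linux-image package version for Debian 9); the platform keys are this example's own shorthand.

```shell
#!/bin/sh
# Added example: is a given kernel version at or past the fixed version
# listed for a platform? Assumes GNU sort -V; versions must be in the
# same form as the table row (uname -r, or the package version for Debian 9).

# Lookup table built from the versions listed in this post.
# The platform keys are this example's own shorthand (assumption).
fixed_kernel_for() {
  case "$1" in
    ubuntu-16.04)       echo "4.4.0-151-generic" ;;
    ubuntu-16.04-azure) echo "4.15.0-1047-azure" ;;
    debian-9)           echo "4.9.168-1+deb9u3" ;;
    oracle-7-uek4)      echo "4.1.12-124.28.3.el7uek" ;;
    oracle-7-uek5)      echo "4.14.35-1902.2.0.el7uek" ;;
    redhat-7|centos-7)  echo "3.10.0-957.21.3.el7" ;;
    amazon-linux)       echo "4.14.123-86.109.amzn1" ;;
    *)                  return 1 ;;
  esac
}

# Returns 0 when $2 sorts at or after the fixed version $1 within the same
# upstream series (the x.y.z part before the first '-'); returns 2 when the
# series differ, because the table cannot answer for that kernel.
kernel_is_fixed() {
  fixed=$1; candidate=$2
  [ "${fixed%%-*}" = "${candidate%%-*}" ] || return 2
  lowest=$(printf '%s\n%s\n' "$fixed" "$candidate" | sort -V | head -n 1)
  [ "$lowest" = "$fixed" ]
}

# Verdict for a platform key and version: fixed, vulnerable or unknown.
sack_status() {
  fixed=$(fixed_kernel_for "$1") || { echo unknown; return; }
  kernel_is_fixed "$fixed" "$2" && rc=0 || rc=$?
  case $rc in
    0) echo fixed ;;
    1) echo vulnerable ;;
    *) echo unknown ;;
  esac
}

# Stand-alone use: ./check.sh <platform-key> [version]; defaults to uname -r,
# i.e. the kernel that is actually running, not merely installed.
if [ "$#" -ge 1 ]; then
  sack_status "$1" "${2:-$(uname -r)}"
fi
```

Because it reads uname -r by default, a "vulnerable" result after the package update tells you the reboot is still pending.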

If you have any questions about this process, please post to the Bitnami community support forum. We will be happy to help!