Tencent Cloud Security Center recently observed that the Linux kernel was found to contain TCP "SACK PANIC" remote denial of service vulnerabilities (vulnerability numbers: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479). An attacker can use these vulnerabilities to attack a target server remotely, causing the system to crash or stop providing services. To avoid impact on your business, Tencent Cloud Security Center recommends that you carry out a security self-inspection promptly; if you are affected, please update and patch in time to avoid intrusion by external attackers.

[Vulnerability Details]
The intelligence platform of Tencent Cloud Security Center recently observed that Jonathan Looney, a researcher on the Netflix Information Security Team, found serious remote DoS vulnerabilities in the kernels of Linux, FreeBSD and other systems. An attacker could exploit them by constructing and sending a specific SACK sequence to the target server, leading to a server crash or denial of service.

[Risk level]
high-risk

[Vulnerability risk]
A specially constructed packet sent remotely can cause the target Linux or FreeBSD server to crash or its services to become unavailable.

[Affected Version]
At present, the known affected versions are as follows:
FreeBSD 12 (using the RACK TCP stack)
CentOS 5 (Red Hat official support has ended and no patch is available)
CentOS 6
CentOS 7
Ubuntu 18.04 LTS
Ubuntu 16.04 LTS
Ubuntu 19.04
Ubuntu 18.10

[Security Version]
Major Linux distributions have released kernel patches. The fixed kernel versions are as follows:
CentOS 6: 2.6.32-754.15.3
CentOS 7: 3.10.0-957.21.3
Ubuntu 18.04 LTS: 4.15.0-52.56
Ubuntu 16.04 LTS: 4.4.0-151.178
FreeBSD: The FreeBSD image provided by Tencent Cloud is not affected by this vulnerability by default, so please rest assured.

[Solution]

Note: both repair methods below require a reboot and may therefore affect business availability.
Please refer to the [Security Version] above and upgrade your Linux server kernel. The reference operations are as follows:
Recommended scheme: [CentOS 6/7 Series Users]
1) yum clean all && yum makecache , update the software source;
2) yum update kernel -y , update the current kernel version;
3) reboot , restart the system to take effect after the update;
4) uname -a , check whether the current version matches the [Security Version] above; if it does, the repair is successful.

Recommended solution: [Ubuntu 16.04/18.04 LTS Series Users]
1) sudo apt-get update && sudo apt-get install linux-image-generic , update the software source and install the latest kernel version;
2) sudo reboot , restart the system to take effect after the update;
3) uname -a , check whether the current version matches the [Security Version] above; if it does, the repair is successful.

Temporary mitigation: if it is not convenient to update the kernel and reboot, you can instead disable the kernel's SACK support, which prevents exploitation of these vulnerabilities (at some cost to network performance). Run the following commands:
1) echo 'net.ipv4.tcp_sack = 0' >> /etc/sysctl.conf , disable SACK configuration;
2) sysctl -p , reload the configuration to make it effective.
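As an added example (not part of the Tencent Cloud advisory or its tooling), the following POSIX shell self-check covers both procedures above: it compares the running kernel from uname -r against a [Security Version] string, and checks which net.ipv4.tcp_sack value a sysctl.conf-style file will actually apply. It assumes awk and uname are available; the sysctl.conf path and the version strings passed in are the caller's choice.

```shell
#!/bin/sh
# Added self-check for the SACK PANIC advisory above (not Tencent Cloud's own tooling).
# It verifies (1) the running kernel is at or above the distribution's fixed version and
# (2) the temporary mitigation (net.ipv4.tcp_sack = 0) is what /etc/sysctl.conf will apply.

# version_ge RUNNING REQUIRED: succeed (exit 0) when RUNNING >= REQUIRED.
# Numeric components are compared left to right as far as both strings have them, so
# "3.10.0-957.21.3.el7.x86_64" matches "3.10.0-957.21.3". Ubuntu's uname -r reports only
# the ABI number ("4.15.0-52-generic"), so it is compared against the 4.15.0-52 prefix
# of the package version 4.15.0-52.56 listed in the advisory.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[^0-9]+/); nb = split(b, y, /[^0-9]+/)
        n = (na < nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] == "" || y[i] == "") break   # trailing "-generic" leaves an empty field
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# sack_disabled_in FILE: succeed when the LAST net.ipv4.tcp_sack setting in a
# sysctl.conf-style file is 0. sysctl -p applies lines in order, so the line the
# mitigation appends wins over an earlier "= 1", but a later "= 1" would undo it.
sack_disabled_in() {
    awk -F= '
        /^[[:space:]]*[#;]/ { next }                 # skip comment lines
        { gsub(/[[:space:]]/, "", $1) }
        $1 == "net.ipv4.tcp_sack" { gsub(/[[:space:]]/, "", $2); last = $2 }
        END { if (last == "0") exit 0; exit 1 }
    ' "$1"
}

# check_host REQUIRED: report the running kernel and mitigation state of this host.
check_host() {
    running=$(uname -r)
    if version_ge "$running" "$1"; then
        echo "kernel $running >= $1: patched"
    else
        echo "kernel $running < $1: NOT patched, reboot into the security version"
    fi
    if sack_disabled_in /etc/sysctl.conf 2>/dev/null; then
        echo "net.ipv4.tcp_sack = 0 is set in /etc/sysctl.conf (temporary mitigation)"
    fi
}

# Usage: sh sack_check.sh 3.10.0-957.21.3   (CentOS 7 security version from the advisory)
if [ $# -gt 0 ]; then check_host "$1"; fi
```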

The server on this site was repaired and restarted at 23:13:01, June 27, 2019

[Vulnerability Reference]
1) Official notice: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
2) Community Reference: https://www.openwall.com/lists/oss-security/2019/06/17/5
3) Red Hat Announcement: https://access.redhat.com/security/vulnerabilities/tcpsack
