June 18, 2019, updated 19 Jun 2019 1:01am

Netflix Identifies Critical Vulns in Linux Kernel: Eight Million Public Services Affected

Over eight million public-facing services are using Linux...

By CBR Staff Writer

Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels. The most serious Linux vulnerability – dubbed “SACK Panic” – would allow a malicious attacker to crash Linux-based systems remotely using specially crafted traffic. AWS, Ubuntu and Red Hat are among those to have issued urgent advisories.

Ubuntu Linux kernels for all major cloud environments are among those affected (i.e. linux-aws; linux-gcp; linux-azure; linux-oracle). The attack can be triggered by certain TCP Selective Acknowledgment (SACK) sequences, Netflix’s Jonathan Looney explained in a post late Monday, proposing workarounds, including disabling SACK processing.

An attack is possible as soon as remote attackers can open TCP connections to a host, regardless of the actual underlying service. Netflix reported four vulnerabilities in total, with CVE-2019-11477 the most critical as a “ping of death”; the others cause high resource usage: CVE-2019-11478, CVE-2019-5599 and CVE-2019-11479.
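The workaround mentioned above, disabling SACK processing, only holds across a reboot if it is also written to the sysctl configuration. The following is an added example, not code from the article or from Netflix's advisory: it compares the running value with the persisted one, assuming the Linux sysctl key `net.ipv4.tcp_sack` and the usual `/etc/sysctl.d/*.conf` and `/etc/sysctl.conf` locations; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the "disable SACK processing" workaround on one Linux host.
# Assumed names: persisted_sack, sack_status, audit_host are hypothetical helpers.

# Read sysctl-style config text on stdin and print the last value assigned to
# net.ipv4.tcp_sack (later assignments win); print nothing if it is never set.
persisted_sack() {
    awk -F= '
        /^[ \t]*[#;]/ { next }                 # whole-line comments
        {
            key = $1; val = $2
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            sub(/^-/, "", key)                 # systemd "ignore errors" prefix
            gsub("/", ".", key)                # net/ipv4/tcp_sack form
        }
        key == "net.ipv4.tcp_sack" { last = val }
        END { if (last != "") print last }'
}

# Classify the host from the runtime value and the persisted value.
sack_status() {
    runtime=$1
    persisted=$2
    if [ "$runtime" = "0" ] && [ "$persisted" = "0" ]; then
        echo "workaround-active"     # off now and after reboot
    elif [ "$runtime" = "0" ]; then
        echo "runtime-only"          # off now, reverts at next reboot
    elif [ "$persisted" = "0" ]; then
        echo "not-applied"           # configured but not loaded yet
    else
        echo "sack-enabled"          # SACK on: host depends on the kernel patch
    fi
}

# Simplification: treats /etc/sysctl.d/*.conf then /etc/sysctl.conf as the load
# order; the real order varies by distribution.
audit_host() {
    runtime=$(cat /proc/sys/net/ipv4/tcp_sack 2>/dev/null || true)
    persisted=$(cat /etc/sysctl.d/*.conf /etc/sysctl.conf 2>/dev/null | persisted_sack)
    sack_status "$runtime" "$persisted"
}

# Run the audit only when asked, e.g.: sh sack_audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```

A result of `sack-enabled` is not by itself a finding: it means the host is not using the workaround and should be checked against the vendor's patched kernel packages.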

Linux Vulnerability: Eight Million Public Services at Risk?

David Atkinson, CEO of UK-based cybersecurity company Senseon, said in an emailed comment: “Linux is used by 40 percent of the world’s websites. It is embedded in thousands of devices, from Internet routers to IoT products, and it is a key component to most corporate infrastructure. This means it is difficult to know where it is enabled.”

While there is a patch, it could take weeks or months for companies to find every potential vulnerability and patch it. Embedded systems may not even get upgraded due to the perceived inconvenience of patching, something particularly true for IoT devices.

“In the worst case scenario, a single hacker could exploit this known vulnerability to bring down any corporate service that uses Linux. Until they are patched, millions of companies and products are vulnerable. This also increases the risk of a coordinated nation-state attack. There are at least eight million public-facing services using Linux. Companies should urgently be issuing emergency patches on these systems to prevent disruption and be using threat detection to spot any attack or malicious activity.”

Linux Vulnerability: AWS Advisory

The world’s largest public cloud provider, AWS, noted in an advisory: “Customer EC2 Linux-based instances either initiating or directly receiving TCP connections to or from untrusted parties, e.g. the Internet, require operating system patches to mitigate any potential DoS concerns of these issues… Customers using Managed Platform Updates will be automatically updated to the latest platform version in their selected maintenance window with no other action required.

“All currently-running Amazon EKS clusters are protected against these issues”

Patching looks set to be a headache for admins. As Canonical, one of the quickest to push out a patch (for Ubuntu), notes: “Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.”
