Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels. The most serious Linux vulnerability – dubbed “SACK Panic” – would allow a malicious attacker to crash Linux-based systems remotely using specially crafted traffic. AWS, Ubuntu and Red Hat are among those to have issued urgent advisories.
Ubuntu Linux kernels for all major cloud environments are among those affected (i.e. linux-aws; linux-gcp; linux-azure; linux-oracle). The attack can be triggered by certain TCP Selective Acknowledgment (SACK) sequences, Netflix’s Jonathan Looney explained in a post late Monday, proposing workarounds, including disabling SACK processing.
An attack is possible as soon as remote attackers can open TCP connections to a host, regardless of the actual underlying service. Netflix reported four vulnerabilities in total: CVE-2019-11477 is the most critical, effectively a “ping of death”; the others (CVE-2019-11478, CVE-2019-5599 and CVE-2019-11479) cause high resource usage.
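One way to audit a Linux host for the SACK-disabling workaround the article mentions and stage it persistently, as an added example that is not from the article, Netflix or any distribution's advisory (the drop-in file name and the path parameters are this example's own choices):

```shell
#!/bin/sh
# Added example: check and optionally apply the "disable SACK processing"
# workaround. It is a stop-gap: SACK off reduces throughput on lossy links,
# so remove the drop-in once the patched kernel is installed.

# sack_status [FILE]: read the tcp_sack control (default: live /proc path).
# Prints "enabled" (exposed if the kernel is unpatched), "disabled" or
# "unknown" (control not readable, e.g. not Linux or no /proc access).
sack_status() {
    file="${1:-/proc/sys/net/ipv4/tcp_sack}"
    if [ ! -r "$file" ]; then
        echo unknown
        return 0
    fi
    case "$(tr -d '[:space:]' < "$file")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# write_sack_dropin [DIR]: stage a sysctl.d drop-in so the setting survives
# a reboot. DIR defaults to /etc/sysctl.d; the test uses a constructed temp
# directory. Prints the path of the file written.
write_sack_dropin() {
    dir="${1:-/etc/sysctl.d}"
    out="$dir/99-disable-tcp-sack.conf"   # file name is this example's choice
    printf '%s\n' \
        '# Workaround for the Netflix-reported TCP SACK kernel bugs' \
        '# (CVE-2019-11477 and related); remove once the kernel is patched.' \
        'net.ipv4.tcp_sack = 0' > "$out"
    echo "$out"
}

# apply_sack_workaround: set the live value and stage the drop-in (needs root).
apply_sack_workaround() {
    sysctl -w net.ipv4.tcp_sack=0 >/dev/null && write_sack_dropin
}

# Stand-alone use: report the live status; pass "apply" to also change it.
if [ "${1:-}" = "apply" ]; then
    apply_sack_workaround
else
    printf 'tcp_sack: %s\n' "$(sack_status)"
fi
```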
Linux Vulnerability: Eight Million Public Services at Risk?
David Atkinson, CEO of UK-based cybersecurity company Senseon said in an emailed comment: “Linux is used by 40 percent of the world’s websites. It is embedded in thousands of devices, from Internet routers to IoT products, and it is a key component to most corporate infrastructure. This means it is difficult to know where it is enabled.”
While there is a patch, it could take weeks or months for companies to find every vulnerable system and patch it. Embedded systems may never be upgraded because of the perceived inconvenience of patching, something particularly true for IoT devices.
“In the worst case scenario, a single hacker could exploit this known vulnerability to bring down any corporate service that uses Linux. Until they are patched, millions of companies and products are vulnerable. This also increases the risk of a coordinated nation-state attack. There are at least eight million public-facing services using Linux. Companies should urgently issue emergency patches on these systems to prevent disruption and use threat detection to spot any attack or malicious activity.”
The world’s largest public cloud provider, AWS noted in an advisory: “Customer EC2 Linux-based instances either initiating or directly receiving TCP connections to or from untrusted parties, e.g. the Internet, require operating system patches to mitigate any potential DoS concerns of these issues… Customers using Managed Platform Updates will be automatically updated to the latest platform version in their selected maintenance window with no other action required.
“All currently-running Amazon EKS clusters are protected against these issues.”
Patching looks set to be a headache for admins: As Canonical, one of the quickest to push out a patch (for Ubuntu) notes, “Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.”