SPOT Report - SACK Vulnerabilities

Overview

An engineer at Netflix has identified four vulnerabilities in the Linux and FreeBSD operating systems that have collectively been labeled SACK. These vulnerabilities relate to both the TCP Maximum Segment Size (MSS) and TCP Selective Acknowledgement (SACK), and they allow attackers to mount a denial of service attack. If the attack is successful, the system slows down drastically; the vulnerability also lets attackers increase the amount of bandwidth needed to deliver data to the system while increasing its power consumption. This could allow a malicious attacker to remotely crash servers and disrupt communications.

The Netflix team, specifically Jonathan Looney, released documentation, patches, and workarounds for each of the four vulnerabilities to help impacted organizations and users fully protect themselves from the vulnerability.

Potential Impact

There are four specific vulnerabilities that could impact vulnerable systems. The first and most concerning has been labeled “SACK Panic” (CVE-2019-11477). It affects Linux kernels newer than 2.6.29 and allows an attacker to trigger a kernel panic, causing a denial of service on the system.

The next two have been labeled “SACK Slowness” (CVE-2019-11478 and CVE-2019-5599). They allow an attacker to send a specifically crafted sequence of SACKs that fragments the TCP retransmission queue; the attacker can then further exploit the fragmented queue to cause a drastic slowdown on the target system. CVE-2019-11478 affects Linux kernels prior to 4.14.127, while CVE-2019-5599 affects FreeBSD operating systems.

The last vulnerability (CVE-2019-11479), affecting all Linux versions, could allow an attacker to cause a denial of service. The bug allows a remote peer to fragment TCP resend queues significantly more than would be possible if a larger maximum segment size (MSS) were enforced.

Mitigation

Red Hat has released the following Security Advisories:

A patch has also been released by Netflix on their GitHub, but it is in a raw state and will need to be applied manually. Netflix also provides mitigations, which can be found on their GitHub and are summarized below for each vulnerability:

  • CVE-2019-11477 and CVE-2019-11478 –
    • Mitigation 1 – Block connections with a low MSS using one of the filters supplied by Netflix. Note that this mitigation can also block legitimate low-MSS connections and cause issues.
    • Mitigation 2 – Temporarily disable SACK without a reboot (the commands are given under Managing Risk below; the first line is only necessary if you are using SELinux).
  • CVE-2019-5599 –
    • Mitigation 1 – Apply the patch split_limit.patch and set the net.inet.tcp.rack.split_limit sysctl to a reasonable value in order to limit the size of the SACK table.
    • Mitigation 2 – Temporarily disable the RACK TCP stack.
  • CVE-2019-11479 –
    • Mitigation 1 – Block connections with a low MSS using one of the filters supplied by Netflix. Note that this mitigation can also block legitimate low-MSS connections and cause issues.

Detection

Red Hat has released a detection script to determine if your system is currently vulnerable to the flaw.

While both Qualys and Tenable have released detections for these CVEs, as a quick test you can look for Linux systems that support SACK by running the following tcpdump command (the filter matches packets with the SYN flag set and a TTL below 65, which is typical of Linux senders, and the grep keeps those advertising the sackOK option):
tcpdump -i eth0 -n 'ip[8]<65 and tcp[13]&0x2f=2' | grep 'sackOK'

Or use the “ethtool” command to see whether TCP offloading is enabled:
ethtool -k interface_name

For Tenable detections it is best to directly reference their website for all plugins available for the SACK vulnerabilities:

https://www.tenable.com/plugins/search?q=cves%3A(%22CVE-2019-11477%22%20OR%20%20%22CVE-2019-11478%22%20OR%20%20%22CVE-2019-11479%22%20OR%20%20%22CVE-2019-5599%22)&sort=&page=1

For Qualys, use QIDs 176983, 197497, 237292, 237293, 237295, 237296, 237298, 172477, 172478, 172480, and 172481.

Managing Risk

You can temporarily disable SACK without a reboot:
setenforce 0
echo 0 > /proc/sys/net/ipv4/tcp_sack

The first line is only necessary if you are using SELinux.

You can make this change permanent by adding the following to /etc/sysctl.conf:
net.ipv4.tcp_sack = 0
net.ipv4.tcp_dsack = 0
net.ipv4.tcp_fack = 0

Run “sysctl -p” to apply the changes without a reboot (you may need to disable SELinux).

You can block packets advertising a small maximum segment size at the firewall level in iptables:
iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
Per RFC 879, TCP requires an MTU of at least 576 and therefore a minimum MSS of 536.
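To verify that one of the two mitigations above is actually in place on a host, the following added example (not code from the report, Netflix, or Red Hat) parses sysctl output or /etc/sysctl.conf for the three SACK settings and iptables-save output for the low-MSS drop rule; the sample inputs are constructed, and the function names are the author's own.

```python
"""Audit whether the SACK mitigations above (sysctl SACK off, or low-MSS drop rule) are in place."""
import re

# Permanent sysctl settings recommended above (key -> value).
REQUIRED_SYSCTLS = {"net.ipv4.tcp_sack": "0", "net.ipv4.tcp_dsack": "0", "net.ipv4.tcp_fack": "0"}

# Matches the recommended drop rule as `iptables-save -t mangle` prints it.
MSS_DROP_RULE = re.compile(
    r"-A PREROUTING .*-m conntrack --ctstate NEW .*-m tcpmss ! --mss (\d+):(\d+) -j DROP")

# Constructed samples (not captured from a real host) for trying the checks offline.
SAMPLE_SYSCTL_CONF = """# SACK mitigation
net.ipv4.tcp_sack = 0
net.ipv4.tcp_dsack = 0
net.ipv4.tcp_fack = 0
"""
SAMPLE_IPTABLES_SAVE = """*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
COMMIT
"""

def parse_sysctl(text):
    """Parse `key = value` lines from /etc/sysctl.conf or `sysctl -a` output."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value
    return settings

def sack_disabled(sysctl_text):
    """True when every SACK-related sysctl above is set to 0."""
    settings = parse_sysctl(sysctl_text)
    return all(settings.get(k) == v for k, v in REQUIRED_SYSCTLS.items())

def low_mss_blocked(iptables_save_text, minimum_mss=536):
    """True when a mangle rule drops new TCP connections whose MSS is below minimum_mss."""
    for line in iptables_save_text.splitlines():
        match = MSS_DROP_RULE.search(line)
        if match and int(match.group(1)) >= minimum_mss:
            return True
    return False

def audit(sysctl_text, iptables_save_text):
    """Summarise the host's posture; either mitigation alone counts as mitigated."""
    sack_off, mss_blocked = sack_disabled(sysctl_text), low_mss_blocked(iptables_save_text)
    return {"sack_disabled": sack_off, "low_mss_blocked": mss_blocked, "mitigated": sack_off or mss_blocked}
```

On a live host, feed `audit()` the output of `sysctl -a` and `iptables-save -t mangle`; a host that relies on the runtime `echo 0 > /proc/sys/net/ipv4/tcp_sack` change will show tcp_sack as 0 in `sysctl -a` but not in sysctl.conf, so check the running values rather than the file when judging current exposure.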

Contributors

Sam Harris – Vulnerability Management Practice Lead
Kate Boucher – Vulnerability Management SME
