TCP SACK PANIC: Linux Kernel Vulnerability

2 July 2019 by Charlotte Greene

Three related flaws have been found in the Linux kernel's handling of TCP networking. Let's take a look at what this means and what you can do about it.

What is the vulnerability?

The flaws were found in the Linux kernel's handling of TCP Selective Acknowledgement (SACK) packets, combined with low Maximum Segment Size (MSS) values.

The issues have been assigned multiple CVEs: CVE-2019-11477 is rated Important, whereas CVE-2019-11478 and CVE-2019-11479 are rated Moderate.

The most severe of the three, CVE-2019-11477, could allow a remote attacker who can open a TCP connection to an affected system to send a crafted sequence of SACK segments that triggers a kernel panic (the "SACK PANIC"), crashing the host outright. The two Moderate issues instead cause excessive CPU and memory consumption in the TCP stack, which degrades network throughput. In all three cases the impact is on the system's availability.

To dive deep into the tech behind this vulnerability, you can check out Red Hat’s article. But for now, how can you mitigate the risk this poses to your network?

What can you do about it?

These issues are corrected by applying kernel patches. Fixes have been committed to the mainline kernel and have been backported by vendors such as Red Hat.

Your distribution's kernel package should be updated to the latest available version. The fixed kernel versions for RHEL/CentOS and Debian-based systems are as follows.

RHEL/CentOS

  • RHEL/CentOS 7 (latest): kernel-3.10.0-957.21.3.el7.x86_64
  • RHEL/CentOS 6 (latest): kernel-2.6.32-754.15.3.el6.x86_64

Debian

Ubuntu versions:

What you need to check before doing the updates

Kernel updates are unlikely to cause major issues, but it is advisable to ensure that only the kernel package and its dependencies are updated, rather than every installed package that happens to have a pending update.

To view the currently loaded kernel version: uname -r

To list all installed kernel versions:

RHEL/CentOS: rpm -q kernel

Debian/Ubuntu: dpkg --list | grep linux-image

The process of doing the updates

  1. RHEL/CentOS: yum update kernel  OR Debian/Ubuntu: apt-get install --only-upgrade linux-image-generic (on Debian the kernel metapackage is linux-image-amd64 rather than linux-image-generic)
  2. Reboot to load the new kernel. This can be issued immediately as: shutdown -r now  OR scheduled as below (provided the at package is installed):

    [root@hostname ~]# at 1am
    at> shutdown -r now
    at> Ctrl+d
    job 2 at Date Time Year

  3. Between the kernel package being updated and the reboot, SACK processing can be disabled at runtime as an interim mitigation: sysctl -w net.ipv4.tcp_sack=0. This setting is not persistent and is lost at the reboot, which is what you want once the patched kernel is loaded. Note that with SACK disabled, TCP recovers more slowly from packet loss, so expect reduced throughput on lossy links until the reboot.

To validate the patch

To validate that the patch has been applied, the same uname -r command can be used to check the currently loaded kernel. For RHEL/CentOS systems, Red Hat's detection script is also an option (review the script after downloading it and before running it as root):

    [root@mx ~]# wget https://access.redhat.com/sites/default/files/cve-2019-11477--2019-06-17-1629.sh
    --2019-06-27 12:27:02--  https://access.redhat.com/sites/default/files/cve-2019-11477--2019-06-17-1629.sh
    [root@mx ~]# chmod 700 cve-2019-11477--2019-06-17-1629.sh
    [root@mx ~]# ./cve-2019-11477--2019-06-17-1629.sh

This will then output as below once patched:

    This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported Red Hat Enterprise Linux systems and kernel packages. The result may be inaccurate for other RPM based systems.

    If you're running kernel: 3.10.0-957.21.3.el7.x86_64, this system is NOT affected.
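The pre-update checks, the interim mitigation and the post-reboot validation above can be combined into one script. The following is an added example written for this article, not UKFast's or Red Hat's tooling: it compares the running kernel and the newest installed kernel against the fixed RHEL/CentOS 6 and 7 versions listed above (the only families it knows about), reports whether a reboot is still pending after `yum update kernel`, and applies the sysctl mitigation only when asked to and only while the loaded kernel is still affected. The sample `rpm -q kernel` output embedded in it is constructed and is used only when the script runs on a host without an RPM database, so the logic can be exercised anywhere.

```shell
#!/bin/sh
# Added example, not UKFast's or Red Hat's tooling: judge a RHEL/CentOS host
# against the fixed kernel versions named in the article, report whether a
# reboot is pending, and optionally apply the interim SACK mitigation.

# Fixed kernel versions quoted in the article (el7 and el6 only).
FIXED_EL7="3.10.0-957.21.3.el7"
FIXED_EL6="2.6.32-754.15.3.el6"

# Constructed sample of `rpm -q kernel` output for a host that has been
# updated but not yet rebooted; used only when no rpm database is available.
SAMPLE_RPM_Q='kernel-3.10.0-957.12.2.el7.x86_64
kernel-3.10.0-957.21.3.el7.x86_64'

# kver_ge A B: print 1 if kernel version A >= B, else 0. The ".elN..." suffix
# is dropped and the remaining dot/dash separated fields are compared
# numerically, so 3.10.0-1062.el7 sorts above 3.10.0-957.21.3.el7.
kver_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    sub(/\.el[0-9].*$/, "", a); sub(/\.el[0-9].*$/, "", b)
    na = split(a, A, /[.-]/); nb = split(b, B, /[.-]/)
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? A[i] + 0 : 0
      y = (i <= nb) ? B[i] + 0 : 0
      if (x > y) { print 1; exit }
      if (x < y) { print 0; exit }
    }
    print 1
  }'
}

# kernel_status V: "fixed", "affected" or "unknown" for one kernel version,
# judged against the fixed version of the same RHEL/CentOS family.
kernel_status() {
  case "$1" in
    *.el7*) base=$FIXED_EL7 ;;
    *.el6*) base=$FIXED_EL6 ;;
    *) echo unknown; return 0 ;;   # not a family this article covers
  esac
  if [ "$(kver_ge "$1" "$base")" = 1 ]; then echo fixed; else echo affected; fi
}

# latest_installed: read `rpm -q kernel` lines on stdin, print the newest.
latest_installed() {
  best=""
  while read -r pkg; do
    [ -n "$pkg" ] || continue
    v=${pkg#kernel-}
    if [ -z "$best" ] || [ "$(kver_ge "$v" "$best")" = 1 ]; then best=$v; fi
  done
  printf '%s\n' "$best"
}

# needs_reboot RUNNING NEWEST: 1 if a newer kernel is installed but not loaded.
needs_reboot() {
  if [ "$1" != "$2" ] && [ "$(kver_ge "$2" "$1")" = 1 ]; then echo 1; else echo 0; fi
}

# Interim mitigation from the article. It only has to last until the fixed
# kernel is booted, so it is deliberately not persisted in /etc/sysctl.d.
# Caveat: with SACK off, TCP recovers more slowly from packet loss.
disable_sack() { sysctl -w net.ipv4.tcp_sack=0; }

main() {
  running=$(uname -r)
  if installed=$(rpm -q kernel 2>/dev/null); then
    source="rpm -q kernel"
  else
    installed=$SAMPLE_RPM_Q; source="constructed sample"
  fi
  newest=$(printf '%s\n' "$installed" | latest_installed)
  rstat=$(kernel_status "$running")
  echo "running kernel  : $running ($rstat)"
  echo "newest installed: $newest ($(kernel_status "$newest"), from $source)"
  if [ "$(needs_reboot "$running" "$newest")" = 1 ]; then
    echo "reboot pending: the patched kernel is installed but not loaded"
  fi
  # Only touch the live system when explicitly asked, running as root, and
  # while the loaded kernel is still vulnerable.
  if [ "$rstat" = affected ] && [ "$1" = --mitigate ] && [ "$(id -u)" = 0 ]; then
    disable_sack
  fi
}

main "$@"
```

Without arguments the script only reports; run it as root with `--mitigate` on a host that has been updated but not yet rebooted to disable SACK until the reboot. The version comparison deliberately ignores the architecture suffix, so it also gives the right answer for a kernel newer than the one the article quotes, which a plain string match would flag as unknown.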
