Three related flaws have been found in the Linux kernel’s handling of TCP networking. Let’s take a look at what this means and what you can do about it.
The flaws were found in the Linux kernel’s handling of TCP Selective Acknowledgement (SACK) packets and of connections with a low Maximum Segment Size (MSS).
The issues have been assigned multiple CVEs: CVE-2019-11477 is rated Important severity, whereas CVE-2019-11478 and CVE-2019-11479 are rated Moderate severity.
The most severe vulnerability could allow a remote attacker to trigger a kernel panic ("SACK Panic") on systems running the affected software. This causes a huge drop in network efficiency and, as a result, impacts the system’s availability.
To dive deep into the tech behind this vulnerability, you can check out Red Hat’s article. But for now, how can you mitigate the risk this poses to your network?
These issues are corrected by applying kernel patches. Patches have been issued to the mainline kernel and have been backported by vendors such as Red Hat.
A package update to the latest available kernel version for your distribution should be actioned. The fixed kernel versions for the latest RHEL/CentOS and Debian-based systems are as follows.
Kernel updates are unlikely to cause major issues. But it’s advisable to ensure that only dependencies of the kernel package are being updated and avoid other installed packages being updated in the process.
To view the currently loaded kernel version: uname -r
To query all installed kernel versions:
RHEL/CentOS: rpm -q kernel
Debian/Ubuntu: dpkg --list | grep linux-image
To validate that the patch has been applied, the same uname -r command can be used to check the currently loaded kernel. For RHEL/CentOS systems the below is also an option:
[root@mx ~]# wget https://access.redhat.com/sites/default/files/cve-2019-11477--2019-06-17-1629.sh
--2019-06-27 12:27:02-- https://access.redhat.com/sites/default/files/cve-2019-11477--2019-06-17-1629.sh
[root@mx ~]# chmod 700 cve-2019-11477--2019-06-17-1629.sh
[root@mx ~]# ./cve-2019-11477--2019-06-17-1629.sh
This will then output as below once patched:
This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported Red Hat Enterprise Linux systems and kernel packages. The result may be inaccurate for other RPM based systems.
If you’re running kernel: 3.10.0-957.21.3.el7.x86_64, this system is NOT affected.
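The uname -r and rpm -q kernel checks above can be scripted so that a host which has been updated but not yet rebooted is caught as well. The script below is an added example, not code from the original post or from Red Hat; it assumes RHEL-style release strings and GNU sort -V, and the minimum fixed release is an assumption you supply from your vendor's advisory.

```shell
#!/bin/sh
# Added example (not from the original post): compare RHEL-style kernel release
# strings as printed by "uname -r" and "rpm -q kernel". Assumes GNU "sort -V".
# The minimum fixed release is an assumption supplied by the caller.

# Strip "kernel-" prefix and architecture suffix so that
# "kernel-3.10.0-957.21.3.el7.x86_64" and "3.10.0-957.21.3.el7" compare equal.
normalize_release() {
    printf '%s\n' "$1" | sed -E 's/^kernel-//; s/\.(x86_64|aarch64|i686|noarch)$//'
}

# kernel_at_least RUNNING MINIMUM: succeeds when RUNNING >= MINIMUM.
kernel_at_least() {
    running=$(normalize_release "$1")
    minimum=$(normalize_release "$2")
    lowest=$(printf '%s\n%s\n' "$running" "$minimum" | sort -V | head -n 1)
    [ "$lowest" = "$minimum" ]
}

# newest_installed: reads "rpm -q kernel" lines on stdin, prints the highest
# release. A host that was patched but not rebooted has a newer entry here
# than "uname -r" reports, so the fix is not yet active.
newest_installed() {
    while read -r pkg; do normalize_release "$pkg"; done | sort -V | tail -n 1
}

# reboot_needed RUNNING INSTALLED_LIST: succeeds when the newest installed
# kernel is newer than the one currently loaded.
reboot_needed() {
    newest=$(printf '%s\n' "$2" | newest_installed)
    ! kernel_at_least "$1" "$newest"
}

# Constructed sample of "rpm -q kernel" output (not real host data).
SAMPLE_INSTALLED='kernel-3.10.0-957.12.2.el7.x86_64
kernel-3.10.0-957.21.3.el7.x86_64'

# check_host MINIMUM: live check on a RHEL/CentOS host.
check_host() {
    running=$(uname -r)
    if kernel_at_least "$running" "$1"; then echo "running $running: fixed release"
    else echo "running $running: older than $1, update the kernel package"; fi
    installed=$(rpm -q kernel 2>/dev/null) || return 0
    if reboot_needed "$running" "$installed"; then
        echo "a newer kernel is installed but not loaded: reboot required"
    fi
}

if [ "${1:-}" = "--check" ]; then check_host "$2"; fi
```

Run as ./check.sh --check 3.10.0-957.21.3.el7 on a RHEL/CentOS host to report both the loaded release and any pending reboot.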