SACK TCP flaws can crash, slow down Linux-based systems

An engineering manager at Netflix has unearthed several TCP networking vulnerabilities in Linux and FreeBSD kernels that could lead to systems crashing or consuming too many resources and (consequently) slowing down.

About the vulnerabilities

The flaws were discovered by Jonathan Looney, who apart from working at Netflix is also a FreeBSD developer.

They all affect the Selective Acknowledgments (SACK) TCP mechanism, which allows a receiving machine to acknowledge which data/packets it has received so that the sending machine will only resend the missing data segments. The mechanism is aimed at speeding up the transfer of data between computers.

TCP SACK is enabled by default in Linux but it can be turned off to prevent excessive resource and bandwidth consumption (and a possible DoS condition) or the over-saturation of low-bandwith connections.

The vulnerabilities are as follows:

• CVE-2019-11477, aka SACK Panic. Affects Linux kernel version 2.6.29 and all later ones. This one could lead to kernel panic and DoS.
• CVE-2019-11478, aka SACK Slowness or Excess Resource Usage. The latter can be triggered in all Linux versions, while the former just on Linux kernels prior to version 4.15
• CVE-2019-11479, aka Excess Resource Consumption Due to Low MSS Values. Affects all Linux kernel versions.
• CVE-2019-5599, aka SACK Slowness. Affects FreeBSD 12 using the RACK TCP Stack (not enabled by default).

All of these have mitigations, workarounds and patches, which can be reviewed here.

The RedHat, Debian and SuSE development teams have already pushed out kernel patches solving the issues or provided temporary workarounds. AWS has already updated or plans to update the Linux kernel in several of its solutions in order to plug the holes.

Other organizations are sure to follow them shortly, so if you’re running a Linux-based system, be on the lookout for patches.