Linux Kernel Vulnerabilities Affecting The Selective ACK Component

On June 18th 2019 at 7pm CEST, 4 vulnerabilities affecting the TCP stack of the Linux kernel were disclosed. These vulnerabilities rely on an integer overflow in the Linux kernel, which can lead to a kernel panic, and on algorithmic complexity in the SACK implementation, which leads to CPU resource exhaustion. In both cases, the impact is limited to service availability.

Who is vulnerable?

  • All Linux OSes running a kernel 2.6.29 and above (from March 2009)
  • FreeBSD 12 using the RACK TCP stack. Fortunately, this is not the default stack. You can run the following command to see whether the "RACK" implementation is loaded on your system (a line containing "rack" in the output means it is):
    # sysctl net.inet.tcp.functions_available
  • If you expose a TCP service on the Internet (web service, ssh, rcp, …), your system is potentially affected since the attack only needs the TCP link to be established to succeed.
  • If your service is behind a firewall, or iptables/pfsense is set up to open the service only to trusted IPs, you are safe.

How to fix?

There are 3 different ways; you only need to pick ONE of them.

1. Update your kernel

The major Linux distros have already released the fix:

  • Linux version 4.4.182 or above
  • Linux version 4.9.182 or above
  • Linux version 4.14.127 or above
  • Linux version 4.19.52 or above
  • Linux version 5.1.11 or above.
  • Note that Linux version 3.16 branch has not been announced as being patched yet. (2019-06-18)

Also have a look at your distro's website (Ubuntu, RedHat, SuSE, …) for more details, as your vendor might have backported the patch to its own kernel version.
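To check hosts against the list above, the comparison can be scripted. This is an added example, not part of the original advisory: the function name sack_kernel_status and its status words are made up for illustration, and a "below-fix" result on a distro kernel still has to be confirmed against the vendor advisory because of backports.

```shell
#!/bin/sh
# Added example. Statuses printed by sack_kernel_status (hypothetical name):
#   fixed         at or above the fixed release listed for its branch
#   below-fix     listed branch, patch level below the fix; a distro kernel
#                 may still carry a backport, so confirm with the vendor
#   check-vendor  in the affected range, branch not listed in the advisory
#   not-affected  older than 2.6.29
sack_kernel_status() {
    ver=${1%%[!0-9.]*}                  # "4.19.0-5-amd64" -> "4.19.0"
    [ -n "$ver" ] || { echo check-vendor; return 0; }
    old_ifs=$IFS; IFS=.
    set -- $ver                         # split on dots
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}

    # The affected range starts at 2.6.29.
    if [ "$major" -lt 2 ] ||
       { [ "$major" -eq 2 ] && [ "$minor" -lt 6 ]; } ||
       { [ "$major" -eq 2 ] && [ "$minor" -eq 6 ] && [ "$patch" -lt 29 ]; }
    then
        echo not-affected; return 0
    fi

    # Branch -> first fixed patch level, taken from the list above.
    case "$major.$minor" in
        4.4|4.9) need=182 ;;
        4.14)    need=127 ;;
        4.19)    need=52 ;;
        5.1)     need=11 ;;
        *)
            # Branches newer than 5.1 count as "5.1.11 or above".
            if [ "$major" -gt 5 ] ||
               { [ "$major" -eq 5 ] && [ "$minor" -gt 1 ]; }; then
                echo fixed
            else
                echo check-vendor       # e.g. 3.16: no fix announced yet
            fi
            return 0 ;;
    esac

    if [ "$patch" -ge "$need" ]; then echo fixed; else echo below-fix; fi
}

# Classify the running kernel when invoked as: sh script.sh --local
if [ "${1:-}" = "--local" ]; then
    sack_kernel_status "$(uname -r)"
fi
```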

2. Firewall mitigation

The attack is based on a small MSS option, which is very unusual in standard network communication. Consequently, you can drop all packets with a small MSS option in order to protect your system from the attack. For instance, the iptables rules may look like:

# iptables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP -m comment --comment "Drop small MSS packets to prevent TCP SACK attacks. (ipv4)"
# ip6tables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP -m comment --comment "Drop small MSS packets to prevent TCP SACK attacks. (ipv6)"

3. Disable SACK (not recommended)

Since the root cause of the vulnerability is an issue in the SACK handling, you can also disable SACK in your kernel. Keep in mind that SACK is an optimization of the TCP protocol that improves the performance of packet acknowledgement. Disabling this feature may have a huge impact on your performance and we don't recommend this mitigation.

Is the exploit public?

As far as we know (2019-06-18), no exploit is public yet, but this is probably a matter of hours/days.

Short Technical Explanations

CVE-2019-11477

An integer overflow on a 16-bit counter (tcp_skb_pcount) may occur in the kernel, which leads to a BUG_ON (not strictly a panic, but it will leave your system in an unstable – potentially unusable – state).

By decreasing the MSS option to a small value, an attacker can force your system to send a lot of packets to a malicious remote IP under his control. The SACK feature will allow the remote malicious IP to ACK only a few packets among all those that have been sent.

Your kernel will keep a list of the non-acknowledged packets, which increments a 16-bit counter (tcp_skb_pcount). At some point the counter overflows and triggers a comparison error, resulting in a BUG_ON.

CVE-2019-11478

Using the same scenario as above, an attacker could fragment the Linux kernel's Socket Buffer (SKB) by acknowledging only a few packets. The data structure is then fragmented, which decreases performance and can cause the kernel to consume more CPU.

CVE-2019-11479

By decreasing the MSS option to the smallest acceptable value (48 bytes), an attacker could slow down (freeze) the system. Since only 8 bytes remain for user data, the server may have difficulty replying to requests sent by the attacker, which may lead to abnormal CPU consumption by the kernel.

Identification numbers

These vulnerabilities are referenced by the Common Vulnerabilities and Exposures as follows:

  • CVE-2019-11477 : SACK Panic (Linux >= 2.6.29) | CVSS : 8.2
  • CVE-2019-11478 : SACK Slowness (Linux < 4.15) or Excess Resource Usage (all Linux versions) | CVSS : 5.3
  • CVE-2019-11479 : Excess Resource Consumption Due to Low MSS Values (all Linux versions) | CVSS : 7.5
  • CVE-2019-5599 : SACK Slowness (FreeBSD 12 using the RACK TCP Stack) | Low severity
