
Security Warning on DoS Attacks Exploiting Linux Kernel SACK Vulnerabilities

Jun 21, 2019 GMT+08:00

I. Overview

Recently, three vulnerabilities were discovered in the Linux kernel TCP SACK module: CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479. These vulnerabilities can be exploited by remote attackers to panic/crash the system or to cause high resource usage.

HUAWEI CLOUD hereby reminds tenants to check their systems and apply security hardening.

Reference links:

https://www.suse.com/support/kb/doc/?id=7023928

https://access.redhat.com/security/vulnerabilities/tcpsack

https://www.debian.org/lts/security/2019/dla-1823

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SACKPanic?

https://lists.centos.org/pipermail/centos-announce/2019-June/023332.html

https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md

II. Severity

Severity: important

(Severity scale: low, moderate, important, critical)

III. Affected Products

Linux kernel version 2.6.29 or later

IV. Workarounds

·  Apply the kernel security patch (a reboot is required after patching):

a)  SUSE/Red Hat series: Download the patch package from the vendor's official website (SUSE, Red Hat).

b)  Ubuntu/Debian series: Run the apt-get update && apt-get install linux-image-generic command to update.

c) CentOS series: Run the yum update kernel -y command to update.

·  Other workarounds:

a) Disable SACK in the kernel. (This may reduce TCP connection processing efficiency. Evaluate the impact on service availability before making the change.)

sysctl -w net.ipv4.tcp_sack=0

echo "net.ipv4.tcp_sack=0" >> /etc/sysctl.conf

b) Block low-MSS connections at the firewall.

Run the following firewalld commands to drop new connections with a low MSS value:

# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:48 -j DROP

# firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:48 -j DROP

# firewall-cmd --reload

# firewall-cmd --permanent --direct --get-all-rules

If iptables is used as the firewall, the commands are as follows:

# iptables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:48 -j DROP

# ip6tables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:48 -j DROP

# iptables -nL -v

# ip6tables -nL -v

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.
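As an added example that is not part of this notice or of any vendor tool, the following script checks whether either interim workaround from section IV is active on a host (SACK disabled via sysctl, or the low-MSS SYN drop rule present in netfilter); the function names, the constructed sample rulesets and the --audit flag are assumptions.

```shell
#!/bin/bash
# Added audit helper, not part of the HUAWEI CLOUD notice or any vendor tool.
# Reports whether either interim workaround from section IV is active on the
# host: SACK disabled via sysctl, or the low-MSS SYN drop rule in netfilter.
# Assumes Linux with /proc/sys; the live check needs root and iptables/ip6tables.

# Succeeds when the supplied value of net.ipv4.tcp_sack is 0 (SACK disabled).
sack_disabled() {
  [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "0" ]
}

# Succeeds when the supplied `iptables -S` text contains a rule dropping SYN
# packets with MSS 1:48 in any chain (firewalld direct rules land in INPUT_direct).
has_low_mss_drop() {
  printf '%s\n' "$1" | grep -Eq -e \
    '^-A [^ ]+ .*-p tcp .*--tcp-flags SYN SYN .*-m tcpmss --mss 1:48 .*-j DROP'
}

# Constructed sample rulesets (not captured from a real host) for exercising
# has_low_mss_drop without touching the live firewall.
SAMPLE_RULES_MITIGATED='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags SYN SYN -m tcpmss --mss 1:48 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
SAMPLE_RULES_UNMITIGATED='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Live check: returns 0 if SACK is off or the MSS filter is present for both
# IPv4 and IPv6, 1 if neither workaround is in place.
audit_host() {
  local mitigated=1 missing=0 tool
  if sack_disabled "$(cat /proc/sys/net/ipv4/tcp_sack 2>/dev/null)"; then
    echo "OK   net.ipv4.tcp_sack=0 (SACK disabled)"; mitigated=0
  else
    echo "INFO SACK enabled; checking for the low-MSS SYN filter instead"
  fi
  for tool in iptables ip6tables; do
    if has_low_mss_drop "$("$tool" -S 2>/dev/null)"; then
      echo "OK   $tool drops SYN packets with MSS 1:48"
    else
      echo "WARN $tool has no low-MSS SYN drop rule"; missing=1
    fi
  done
  [ "$missing" -eq 0 ] && mitigated=0
  [ "$mitigated" -eq 0 ] || echo "WARN no workaround active; a patched kernel is required"
  return "$mitigated"
}

# Run the live audit only when invoked as: sudo ./sack_audit.sh --audit
case "${1:-}" in --audit) audit_host; exit $? ;; esac
```

A non-zero exit from the audit only means neither workaround is active; a host running a patched kernel needs neither.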