coreos / docs

Documentation for CoreOS projects
http://coreos.com/docs
Apache License 2.0

3 vulnerabilities NFLX-2019-001 #1275

Closed liskl closed 5 years ago

liskl commented 5 years ago

A denial of service flaw found in the way recent Linux and FreeBSD kernels handle TCP networking can be exploited by remote attackers to trigger a kernel panic in vulnerable systems.

In all, Netflix Information Security's Jonathan Looney found three Linux vulnerabilities, two related to "the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities," and one related only to MSS, with the most serious one named SACK Panic being the one that can cause affected systems to panic and reboot.

High severity: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11477

Moderate severity: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11478

The SACK Panic vulnerability (Debian, Red Hat, Ubuntu, SUSE, AWS) impacts Linux kernels 2.6.29 and later.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11479

Patches are available, and if companies don't want to patch, there are workarounds.

Can we look to see if we can implement these mitigations or fixes in the not-too-distant future? If no one is available, I'll jump on it this weekend to see if I can get three PRs in for these fixes.

liskl commented 5 years ago

Sorry wrong repo.