Linux Kernel Multiple Remote Denial-of-Service Vulnerabilities Threat Alert Linux Kernel Multiple Remote Denial-of-Service Vulnerabilities Threat Alert June 25, 2019 | NSFOCUS Overview Recently, Red Hat released a security bulletin, pointing out multiple TCP-based remote denial-of-service vulnerabilities in the Linux kernel, namely, a SACK Panic vulnerability of important severity and two other vulnerabilities of moderate severity. Reference: https://access.redhat.com/security/vulnerabilities/tcpsack Vulnerability Overview CVE-2019-11477 SACK Panic CVE-2019-11477 is an integer overflow vulnerability called SACK Panic, which can be triggered by a remote attacker by sending a sequence of Selected Acknowledgement (SACK) TCP packets to a vulnerable system, possibly leading to a system crash. Successful exploitation of this vulnerability will cause denial-of-service (DoS) conditions to affected systems. Affected versions: Linux kernel >= 2.6.29 Stable kernel versions that have fixed this vulnerability: Linux kernel 4.4.182, 4.9.182, 4.14.127, 4.19.52, and 5.1.11 Solutions: Use the detection script given in the following link to check whether your current system is vulnerable: https://access.redhat.com/security/vulnerabilities/tcpsack Apply patches: PATCH_net_1_4.patch fixes the vulnerability in Linux kernel >= 2.6.29 and can be found in the following link: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001/PATCH_net_1_4.patch Linux kernel >= 4.14 needs a second patch, PATCH_net_1a.patch: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001/PATCH_net_1a.patch Alternatively, disable SACK by setting /proc/sys/net/ipv4/tcp_sack to 0 . For more mitigations, please visit: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md CVE-2019-11478 SACK Slowness or Excess Resource Usage CVE-2019-11478 is an excess resource usage vulnerability, which can be triggered by a remote attacker by sending a sequence of SACK TCP packets, leading to fragmentation of the TCP retransmission queue. Besides, on a Linux kernel before 4.15, an attacker can further exploit the fragmented queue to cause an expensive linked-list walk for subsequent SACKs received for the same TCP connection, adding to the fragmentation. That is why this vulnerability is called “SACK slowness”. Successful exploitation of this vulnerability will have a significant impact on the system performance and may cause a denial of service. Affected versions: SACK slowness affects Linux kernel earlier than 4.15 Excess resource usage affects all version of the Linux kernel Stable kernel versions that have fixed this vulnerability: Linux kernel 4.4.182, 4.9.182, 4.14.127, 4.19.52, and 5.1.11 Solutions: Apply PATCH_net_2_4.patch: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001/PATCH_net_2_4.patch Alternatively, disable SACK by setting /proc/sys/net/ipv4/tcp_sack to 0 . For more mitigations, please visit: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md CVE-2019-11479 CVE-2019-11479 is an excess resource usage vulnerability, which can be triggered by a remote attacker by setting a low value for the Maximum Segment Size (MSS) to cause a vulnerable system to utilize excessive bandwidths and resources. Successful exploitation of this vulnerability will cause an affected system to run with the maximum resource usage, thus degrading the system performance. Affected versions: All versions of the Linux kernel Stable kernel versions that have fixed this vulnerability: Linux kernel 4.4.182, 4.9.182, 4.14.127, 4.19.52, and 5.1.11 Solutions: Apply PATCH_net_3_4.patch ( https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001/PATCH_net_3_4.patch ) and PATCH_net_4_4.patch ( https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001/PATCH_net_4_4.patch ). For more mitigations, please visit: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md https://helpx.adobe.com/security/products/acrobat/apsb18-09.html Statement This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS. About NSFOCUS NSFOCUS IB is a wholly owned subsidiary of NSFOCUS, an enterprise application and network security provider, with operations in the Americas, Europe, the Middle East, Southeast Asia and Jap