Sad SACK: Linux PCs, servers, gadgets may be crashed by 'Ping of Death' network packets

Don't let miscreants play hacky-SACK with your gear. Apply these mitigations, patches now if you can

A sad young man from shutterstock
Ran-SACK'd, you've been SACK'd, back, SACK and cracked, kernel nut SACK ... The list goes on

It is possible to crash vulnerable network-facing Linux servers, PCs, and gadgets, or slow down their network connections, by sending them a series of maliciously crafted packets. It is also possible to hamper vulnerable FreeBSD machines with the same attack.

Given that Linux powers an incredible amount of stuff these days, all sorts of gear from network or internet-connected TVs, routers, thermostats, light switches, CCTV cameras, and robot vacuum cleaners, to servers, PCs, smart fridges, phones and tablets, dialysis machines, car infotainment systems, tractors, construction equipment, and uranium centrifuges, and so on, can be potentially brought to a halt by miscreants – if vulnerable.

Crucially, in order to remotely crash or knacker your computer or gadget, a miscreant must be able to open a connection to the Linux-powered device: this is possible if the machine is running something like a web server, a SSH daemon, or some other TCP-based service. If your device is not listening on any TCP ports, it will be virtually impossible to exploit.

So, not great, not terrible; it's an annoyance that could disrupt websites and similar services on the internet if script kiddies start firing off waves of exploits at vulnerable machines.

Patches and mitigations are available, and can be applied by hand if needed, or you can wait for a security fix to be pushed or offered to your at-risk device. A key workaround is to set /proc/sys/net/ipv4/tcp_sack to 0.

SACK-religious

At the heart of the drama is a programming flaw dubbed SACK Panic aka CVE-2019-11477: this bug can be exploited to remotely crash systems powered by Linux kernel version 2.6.29 or higher, which was released 10 years ago.

There are three other related holes: SACK Slowness, aka CVE-2019-11478, which affects Linux kernels pre-4.15, and all versions to a degree; SACK Slowness, aka CVE-2019-5599, which affects FreeBSD 12 using the RACK TCP stack; and Excess Resource Consumption Due to Low MSS Values, aka CVE-2019-11479, which affects all Linux kernel versions.

They were discovered and reported by Netflix security's Jonathan Looney, and described in an advisory issued here in the past couple of hours.

They basically revolve around an enabled-by-default feature in Linux called TCP SACK. Designed to speed up the transfer of data between computers, SACK (or Selective ACKnowledgement) allows a receiving machine to more precisely tell the sender how much data it has received and what needs to be resent. Ideally this means less data needs to be re-transmitted, and both machines can therefore shift files and other information between themselves faster. Some admins disable the feature for various reasons, one being that it is not terribly well implemented by some operating systems.

With CVE-2019-11477, a string of TCP SACK responses will cause the Linux kernel to unexpectedly hit an internal data structure limit, triggering a fatal panic. The others affecting Linux will force the system to consume resources, thus slowing it down, as Red Hat explained in its technical summary today.

Additionally, CVE-2019-5599 is a bug in the way FreeBSD handles SACK responses: it is possible to fragment an internal data structure that tracks SACKs, causing the kernel to walk long linked-lists, slowing down the system.

Thus far, Red Hat, Amazon Web Services, SUSE, and Grsecurity have all posted advisories or announced plans to soon post fixes for the flaws, with other vendors certain to follow suit in the coming hours and days.

Disabling SACK, for what it's worth, is a worthwhile workaround for now, but bear in mind it may impact your network throughput. ®

Sponsored: Your Guide to Becoming Truly Data-Driven with Unrivalled Data Analytics Performance




Biting the hand that feeds IT © 1998–2019