[Vulnerability Warning] Linux kernel TCP SACK remote denial-of-service vulnerability

2019-06-18 23:13:48
Dear user,

On June 18, 2019, the JD Cloud Security Team became aware of a publicly disclosed defect in the Linux kernel's TCP SACK handling that allows a remote denial of service.

[Vulnerability Description]

An attacker can remotely send specially crafted packets that crash the target Linux or FreeBSD server or make its services unavailable.

[Vulnerability Rating]

CVE-2019-11477 High Risk

CVE-2019-11478 Moderate Risk

CVE-2019-11479 Moderate Risk

[Affected Version]

FreeBSD 12 (when using the RACK TCP stack)

CentOS 5 (Red Hat support has ended; no patch will be provided)

CentOS 6

CentOS 7

Ubuntu 18.04 LTS

Ubuntu 16.04 LTS

Ubuntu 19.04

Ubuntu 18.10

[Fixed Version]

CentOS 6: 2.6.32-754.15.3

CentOS 7: 3.10.0-957.21.3

Ubuntu 18.04 LTS: 4.15.0-52.56

Ubuntu 16.04 LTS: 4.4.0-151.178

[Security Fix Recommendation]

Note: Either of the following remediation methods may cause a service interruption.

I. Disable the SACK mechanism by running either of the following commands (as root):

echo 0 > /proc/sys/net/ipv4/tcp_sack

sysctl -w net.ipv4.tcp_sack=0

II. Upgrade the kernel to a patched version (requires a server reboot):

Ubuntu: sudo apt-get update && sudo apt-get install linux-image-generic

CentOS: yum update kernel

For patches for other Linux distributions, please refer to: https://github.com/Netflix/security-bulletins/tree/master/advisories/third-party/2019-001
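To verify which of the two remediations a host actually has in place, the following Python script (added here as an example; it is not part of the JD Cloud advisory) compares the running kernel against the fixed versions listed above and reads the tcp_sack setting. The distro tags in FIXED_VERSIONS are this example's own labels, and the "ubuntu" handling assumes the usual Ubuntu uname -v format ("#56-Ubuntu SMP ..."), which carries the upload number that uname -r omits.

```python
import platform
import re

# Fixed kernel versions as listed in this advisory, keyed by a distro tag
# (the tags are this example's own labels, not something the advisory defines).
FIXED_VERSIONS = {
    "centos6": "2.6.32-754.15.3",
    "centos7": "3.10.0-957.21.3",
    "ubuntu1804": "4.15.0-52.56",
    "ubuntu1604": "4.4.0-151.178",
}


def version_tuple(version):
    """Turn '3.10.0-957.21.3.el7.x86_64' into (3, 10, 0, 957, 21, 3).

    Splits on '.' and '-' and stops at the first non-numeric component
    (el7, x86_64, generic), so only the numeric fields are compared.
    """
    fields = []
    for part in re.split(r"[.-]", version):
        if not part.isdigit():
            break
        fields.append(int(part))
    return tuple(fields)


def running_version(release, version):
    """Build a comparable version string from uname -r and uname -v.

    Ubuntu's uname -r ('4.15.0-52-generic') omits the upload number that the
    advisory's fixed version ('4.15.0-52.56') carries; uname -v ('#56-Ubuntu
    SMP ...') supplies it. CentOS already embeds the full version in uname -r,
    so the release string is returned unchanged there.
    """
    m = re.match(r"^(\d+\.\d+\.\d+-\d+)-", release)
    n = re.match(r"^#(\d+)", version)
    if m and n and "Ubuntu" in version:
        return "%s.%s" % (m.group(1), n.group(1))
    return release


def is_fixed(running, fixed):
    """True when the running kernel is at or above the fixed version.

    A running version with fewer numeric fields than the fixed one compares
    lower, which errs on the side of reporting the host as unpatched.
    """
    return version_tuple(running) >= version_tuple(fixed)


def sack_disabled(tcp_sack_value):
    """Interpret /proc/sys/net/ipv4/tcp_sack: '0' means the stopgap is applied."""
    return tcp_sack_value.strip() == "0"


def assess(distro, release, version, tcp_sack_value):
    """Classify a host as 'patched', 'mitigated', 'vulnerable' or 'unknown'."""
    fixed = FIXED_VERSIONS.get(distro)
    if fixed is None:
        return "unknown"  # distro not covered by the advisory's version table
    if is_fixed(running_version(release, version), fixed):
        return "patched"
    if sack_disabled(tcp_sack_value):
        return "mitigated"
    return "vulnerable"


if __name__ == "__main__":
    # Live check on this host: the distro tag is supplied by the operator
    # (hypothetical default below), kernel strings come from uname via the
    # platform module, and the SACK setting is read from procfs.
    import sys
    distro = sys.argv[1] if len(sys.argv) > 1 else "centos7"
    try:
        with open("/proc/sys/net/ipv4/tcp_sack") as f:
            sack = f.read()
    except OSError:
        sack = "1"  # not Linux or no procfs: assume SACK is still enabled
    print(assess(distro, platform.release(), platform.version(), sack))
```

A "mitigated" result only reflects the current runtime value: neither the echo nor the sysctl -w command above survives a reboot unless the setting is also written to sysctl configuration, so a host that reports "mitigated" should still be scheduled for the kernel upgrade.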

[Relevant Links]

Red Hat users can check whether a system is affected with the script at: https://access.redhat.com/sites/default/files/cve-2019-11477--2019-06-17-1629.sh

JD Cloud Team
