Linux TCP SACK and PTP vulnerabilities

The article Linux PCs, Servers, Gadgets Can Be Crashed by ‘Ping of Death’ Network Packets writes that it is possible to crash or slow down network-facing Linux servers, PCs, smartphones, tablets and gadgets by sending them a series of maliciously crafted packets.

Netflix has published a security paper with many details. There are four vulnerabilities, three of them for Linux and one for FreeBSD. The vulnerabilities specifically relate to the Maximum Segment Size (MSS) and TCP Selective Acknowledgement (SACK) capabilities.

The Register reports that patches and mitigations are available (they can be applied by hand, or you can wait for a security fix from your distribution).

In the meantime, a key workaround for Linux devices you administer is to set /proc/sys/net/ipv4/tcp_sack to 0, which disables the most vulnerable feature (SACK processing) on Linux.
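As an added example (not from the article or from Netflix), a small POSIX shell script that reports the current tcp_sack setting and applies the workaround persistently, plus the low-MSS filter that Netflix also suggests; the sysctl drop-in path and the 500-byte MSS cut-off are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): check whether TCP SACK is enabled on
# this host and apply the mitigations as a stopgap until the kernel is patched.
# SACK_KNOB can be overridden to exercise the checker without root.
SACK_KNOB="${SACK_KNOB:-/proc/sys/net/ipv4/tcp_sack}"
# Assumed drop-in path; any file under /etc/sysctl.d works.
SYSCTL_DROPIN="${SYSCTL_DROPIN:-/etc/sysctl.d/99-disable-tcp-sack.conf}"

# Print "disabled", "enabled" or "unknown" for the tcp_sack knob at $1.
# Exit status: 0 = workaround in place, 1 = still enabled, 2 = cannot tell.
sack_state() {
    knob="${1:-$SACK_KNOB}"
    [ -r "$knob" ] || { echo "unknown"; return 2; }
    case "$(cat "$knob")" in
        0) echo "disabled"; return 0 ;;
        1) echo "enabled";  return 1 ;;
        *) echo "unknown";  return 2 ;;
    esac
}

# Disable SACK now and persist the setting across reboots (requires root).
disable_sack() {
    sysctl -w net.ipv4.tcp_sack=0
    printf 'net.ipv4.tcp_sack = 0\n' > "$SYSCTL_DROPIN"
}

# The other mitigation Netflix suggests: drop TCP segments advertising a very
# small MSS. The 500-byte upper bound is an assumption; raise or lower it if
# hosts on your network legitimately negotiate tiny MSS values.
drop_low_mss() {
    iptables -I INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
}

# Usage: sack-workaround.sh check | disable | filter-mss
case "${1:-}" in
    check)      sack_state ;;
    disable)    disable_sack ;;
    filter-mss) drop_low_mss ;;
esac
```

Disabling SACK costs retransmission efficiency on lossy paths, so treat it as a temporary measure and re-enable it once the fixed kernel is running.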

According to a Cisco advisory, proof-of-concept (PoC) code that demonstrates an exploit of this vulnerability is already publicly available. I have not seen that code yet, but I would be interested to test it against some devices.

Another networking vulnerability that has been in the security news headlines lately concerns a fairly recent and increasingly popular network time protocol. The article It’s Surprisingly Easy to Hack the Precision Time Protocol writes that when it comes to synchronizing large and important networks, every microsecond counts, and NTP is not always accurate enough. One of the most effective approaches for this is called IEEE 1588-2008, or the Precision Time Protocol (PTP). A team of researchers from IBM and Marist College recently identified a remarkably simple but effective way to hack a PTP network: the researchers were able to infiltrate the network by “sniffing” out the ANNOUNCE and SYNC packets of the legitimate master clock. Next, they created a rogue master clock.


  1. Tomi Engdahl says:

    Check Point response to TCP SACK PANIC – Linux Kernel vulnerabilities – CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479

  2. Tomi Engdahl says:

    Due to the low complexity and high severity of this vulnerability, it won’t be surprising to see large scale DDoS attacks in a few days. It is critical to update the Linux kernel as soon as possible. For the servers running in the public cloud with TCP services open to the internet, it is even more critical to patch immediately or at least set up firewall rules to block the attack.

  3. Tomi Engdahl says:

    Anyone seen those attacks in the wild?
    A few days ago I saw some strangely high load average (over 200) on one web server. Applying the fix for this issue and some other fixes solved the issues – so I can’t say for sure if it was this or something else causing this.

  4. Tomi Engdahl says:

    Netflix isn’t the first name to come to mind when considering security research firms, but they make heavy use of FreeBSD in their content delivery system and do security research as a result. Their first security bulletin of the year, not surprisingly, covers a FreeBSD vulnerability that happens to also affect Linux kernels from the last 10 years. This vulnerability uses SACKs and odd MSS values to crash a server kernel.

    Netflix outlined several problems related to SACK, but the most serious vulnerability is triggered when an attacker makes a TCP connection to a Linux or FreeBSD server, and sets the MSS to the lowest possible value. After data is transferred, the attacker sends a sequence of SACK packets, requesting the re-transfer of specific multiple packets. This specially crafted series of packets causes the multiple fragmented messages to overflow the server’s outgoing buffer. It appears this attack cannot lead to code execution, but it does cause an immediate kernel panic, which essentially knocks the target machine offline.

    Patches fixing the problem have been released, but aren’t yet available for easy install on live systems.

    As a workaround, Netflix suggests either disabling SACK altogether, or filtering packets with very low MSS values.

  5. Tomi Engdahl says:


    Linux admins are being urged to check for and patch three TCP networking vulnerabilities discovered by Netflix researchers. While patches have been made available, testing patches against a full stack of software applications can sometimes be a lengthy process. Given the urgency and widespread nature of the vulnerabilities, SentinelOne has released a free tool that can quickly identify affected Linux systems and immediately protect against these new vulnerabilities.

  6. Tomi Engdahl says:

    SACK Panic & Slowness: KernelCare Live Patches Are Here

    Best Case Scenario: Slowdown

    All of the Linux-threatening vulnerabilities exploit the kernel’s TCP Selective Acknowledgement feature (hence “TCP SACK”). Two of the vulnerabilities – CVE-2019-11478 and CVE-2019-11479 – cause the TCP retransmission queue to become so fragmented that the kernel spends excessive resources managing that TCP connection’s SACK elements. While this isn’t disastrous, it could cause significant slowdown in the CPU.

    Worst Case Scenario: Disaster

    The third vulnerability – CVE-2019-11477 – has rightfully been dubbed “SACK Panic.” Affecting all kernels 2.6.29 and newer

    Like the slowness vulnerabilities, SACK Panic is particularly worrying because it can be remotely triggered. Malicious actors can trigger a full-blown panic, which can utterly bork an OS, forcing the restart of a targeted host and causing a temporary shutdown in services.
