<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	
	>
<channel>
	<title>Comments on: Linux TCP SACK and PTP vulnerabilities</title>
	<atom:link href="http://www.epanorama.net/blog/2019/06/22/linux-tcp-sack-and-ptp-vulnerabilities/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.epanorama.net/blog/2019/06/22/linux-tcp-sack-and-ptp-vulnerabilities/</link>
	<description>All about electronics and circuit design</description>
	<lastBuildDate>Sat, 11 Apr 2026 21:37:42 +0000</lastBuildDate>
		<sy:updatePeriod>hourly</sy:updatePeriod>
		<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.9.14</generator>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2019/06/22/linux-tcp-sack-and-ptp-vulnerabilities/comment-page-1/#comment-1643248</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Tue, 25 Jun 2019 21:35:40 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=182865#comment-1643248</guid>
		<description><![CDATA[SACK Panic &amp; Slowness: KernelCare Live Patches Are Here
https://blog.kernelcare.com/sack-panic-slowness-kernelcare-live-patches-are-here

Best Case Scenario: Slowdown

All of the Linux-threatening vulnerabilities exploit the kernel’s TCP Selective Acknowledgement feature (hence “TCP SACK”). Two of the vulnerabilities – CVE-2019-11478 and CVE-2019-11479 – cause the TCP retransmission queue to become so fragmented that the kernel spends excessive resources managing that TCP connection’s SACK elements. While this isn’t disastrous, it could cause significant slowdown in the CPU.

Worst Case Scenario: Disaster

The third vulnerability – CVE-2019-11477 – has rightfully been dubbed “SACK Panic.” Affecting all kernels 2.6.29 and newer

Like the slowness vulnerabilities, SACK Panic is particularly worrying because it can be remotely-triggered. Malicious actors can trigger a full-blown panic, which can utterly bork an OS, forcing the restart of a targeted host and causing a temporary shutdown in services.]]></description>
		<content:encoded><![CDATA[<p>SACK Panic &amp; Slowness: KernelCare Live Patches Are Here<br />
<a href="https://blog.kernelcare.com/sack-panic-slowness-kernelcare-live-patches-are-here" rel="nofollow">https://blog.kernelcare.com/sack-panic-slowness-kernelcare-live-patches-are-here</a></p>
<p>Best Case Scenario: Slowdown</p>
<p>All of the Linux-threatening vulnerabilities exploit the kernel’s TCP Selective Acknowledgement feature (hence “TCP SACK”). Two of the vulnerabilities – CVE-2019-11478 and CVE-2019-11479 – cause the TCP retransmission queue to become so fragmented that the kernel spends excessive resources managing that TCP connection’s SACK elements. While this isn’t disastrous, it could cause significant slowdown in the CPU.</p>
<p>Worst Case Scenario: Disaster</p>
<p>The third vulnerability – CVE-2019-11477 – has rightfully been dubbed “SACK Panic.” Affecting all kernels 2.6.29 and newer</p>
<p>Like the slowness vulnerabilities, SACK Panic is particularly worrying because it can be remotely-triggered. Malicious actors can trigger a full-blown panic, which can utterly bork an OS, forcing the restart of a targeted host and causing a temporary shutdown in services.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2019/06/22/linux-tcp-sack-and-ptp-vulnerabilities/comment-page-1/#comment-1643170</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Mon, 24 Jun 2019 19:52:03 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=182865#comment-1643170</guid>
		<description><![CDATA[LINUX ADMINS! GRAB OUR FREE TOOL TO PROTECT AGAINST NETFLIX SACK PANIC
https://www.sentinelone.com/blog/grab-our-free-tool-linux-sack-panic/

Linux admins are being urged to check for and patch three TCP networking vulnerabilities discovered by Netflix researchers. While patches have been made available, testing patches against a full stack of software applications can sometimes be a lengthy process. Given the urgency and widespread nature of the vulnerabilities, SentinelOne has released a free tool that can quickly identify affected Linux systems and immediately protect against these new vulnerabilities.]]></description>
		<content:encoded><![CDATA[<p>LINUX ADMINS! GRAB OUR FREE TOOL TO PROTECT AGAINST NETFLIX SACK PANIC<br />
<a href="https://www.sentinelone.com/blog/grab-our-free-tool-linux-sack-panic/" rel="nofollow">https://www.sentinelone.com/blog/grab-our-free-tool-linux-sack-panic/</a></p>
<p>Linux admins are being urged to check for and patch three TCP networking vulnerabilities discovered by Netflix researchers. While patches have been made available, testing patches against a full stack of software applications can sometimes be a lengthy process. Given the urgency and widespread nature of the vulnerabilities, SentinelOne has released a free tool that can quickly identify affected Linux systems and immediately protect against these new vulnerabilities.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2019/06/22/linux-tcp-sack-and-ptp-vulnerabilities/comment-page-1/#comment-1643072</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Sun, 23 Jun 2019 16:41:00 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=182865#comment-1643072</guid>
		<description><![CDATA[https://hackaday.com/2019/06/21/this-week-in-security-sack-of-death-rambleed-hibp-for-sale-and-oracle-weblogic-again/

Netflix isn’t the first name to come to mind when considering security research firms, but they make heavy use of FreeBSD in their content delivery system and do security research as a result. Their first security bulletin of the year, not surprisingly, covers a FreeBSD vulnerability that happens to also affect Linux kernels from the last 10 years. This vulnerability uses SACKs and odd MSS values to crash a server kernel.

Netflix outlined several problems related to SACK, but the most serious vulnerability is triggered when an attacker makes a TCP connection to a Linux or FreeBSD server, and sets the MSS to the lowest possible value. After data is transferred, the attacker sends a sequence of SACK packets, requesting the re-transfer of specific multiple packets. This specially crafted series of packets causes the multiple fragmented messages to overflow the server’s outgoing buffer. It appears this attack cannot lead to code execution, but it does cause an immediate kernel panic, which essentially knocks the target machine offline.

Patches fixing the problem have been released, but aren’t yet available for easy install on live systems. 

As a workaround, Netflix suggests either disabling SACK altogether, or filtering packets with very low MSS values. 

https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md]]></description>
		<content:encoded><![CDATA[<p><a href="https://hackaday.com/2019/06/21/this-week-in-security-sack-of-death-rambleed-hibp-for-sale-and-oracle-weblogic-again/" rel="nofollow">https://hackaday.com/2019/06/21/this-week-in-security-sack-of-death-rambleed-hibp-for-sale-and-oracle-weblogic-again/</a></p>
<p>Netflix isn’t the first name to come to mind when considering security research firms, but they make heavy use of FreeBSD in their content delivery system and do security research as a result. Their first security bulletin of the year, not surprisingly, covers a FreeBSD vulnerability that happens to also affect Linux kernels from the last 10 years. This vulnerability uses SACKs and odd MSS values to crash a server kernel.</p>
<p>Netflix outlined several problems related to SACK, but the most serious vulnerability is triggered when an attacker makes a TCP connection to a Linux or FreeBSD server, and sets the MSS to the lowest possible value. After data is transferred, the attacker sends a sequence of SACK packets, requesting the re-transfer of specific multiple packets. This specially crafted series of packets causes the multiple fragmented messages to overflow the server’s outgoing buffer. It appears this attack cannot lead to code execution, but it does cause an immediate kernel panic, which essentially knocks the target machine offline.</p>
<p>Patches fixing the problem have been released, but aren’t yet available for easy install on live systems. </p>
<p>As a workaround, Netflix suggests either disabling SACK altogether, or filtering packets with very low MSS values. </p>
<p><a href="https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md" rel="nofollow">https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2019/06/22/linux-tcp-sack-and-ptp-vulnerabilities/comment-page-1/#comment-1643061</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Sun, 23 Jun 2019 14:27:17 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=182865#comment-1643061</guid>
		<description><![CDATA[Anyone seen those attacks in the wild?
A few days ago I saw a strangely high load average (over 200) on one web server. Applying the fix for this issue and some other fixes solved the problems - so I can&#039;t say for sure whether it was this or something else causing it.]]></description>
		<content:encoded><![CDATA[<p>Anyone seen those attacks in the wild?<br />
A few days ago I saw a strangely high load average (over 200) on one web server. Applying the fix for this issue and some other fixes solved the problems &#8211; so I can&#8217;t say for sure whether it was this or something else causing it.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2019/06/22/linux-tcp-sack-and-ptp-vulnerabilities/comment-page-1/#comment-1643060</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Sun, 23 Jun 2019 14:21:56 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=182865#comment-1643060</guid>
		<description><![CDATA[https://unit42.paloaltonetworks.com/tcp-sack-panics-linux-servers/

Conclusion
Due to the low complexity and high severity of this vulnerability, it won’t be surprising to see large scale DDoS attacks in a few days. It is critical to update the Linux kernel as soon as possible. For the servers running in the public cloud with TCP services open to the internet, it is even more critical to patch immediately or at least set up firewall rules to block the attack.]]></description>
		<content:encoded><![CDATA[<p><a href="https://unit42.paloaltonetworks.com/tcp-sack-panics-linux-servers/" rel="nofollow">https://unit42.paloaltonetworks.com/tcp-sack-panics-linux-servers/</a></p>
<p>Conclusion<br />
Due to the low complexity and high severity of this vulnerability, it won’t be surprising to see large scale DDoS attacks in a few days. It is critical to update the Linux kernel as soon as possible. For the servers running in the public cloud with TCP services open to the internet, it is even more critical to patch immediately or at least set up firewall rules to block the attack.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2019/06/22/linux-tcp-sack-and-ptp-vulnerabilities/comment-page-1/#comment-1642994</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Sat, 22 Jun 2019 14:33:38 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=182865#comment-1642994</guid>
		<description><![CDATA[Check Point response to TCP SACK PANIC - Linux Kernel vulnerabilities - CVE-2019-11477, CVE-2019-11478 &amp; CVE-2019-11479
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk156192&amp;t=1561189327306]]></description>
		<content:encoded><![CDATA[<p>Check Point response to TCP SACK PANIC &#8211; Linux Kernel vulnerabilities &#8211; CVE-2019-11477, CVE-2019-11478 &amp; CVE-2019-11479<br />
<a href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&#038;solutionid=sk156192&#038;t=1561189327306" rel="nofollow">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&#038;solutionid=sk156192&#038;t=1561189327306</a></p>
]]></content:encoded>
	</item>
</channel>
</rss>
