New Stable Kernel Series Releases 4.4.182, 4.9.182, 4.14.127, 4.19.52 and 5.1.11 Fix Serious TCP Networking Vulnerabilities
This time there is actually a good reason to upgrade to one of these new stable kernel releases, which arrived just two days after the previous round of stable kernels: they fix three TCP-based denial of service vulnerabilities identified by Netflix, and that is all there is in the patchsets. *BSD users should also pay attention: one of the vulnerabilities Netflix identified affects them too.
The entire changelog for 4.4.182, 4.9.182, 4.14.127, 4.19.52 and 5.1.11, relative to the previous release in each series (4.14.126, 4.19.51 and 5.1.10 came out just two days ago), is as follows:
- tcp: limit payload size of sacked skbs
- tcp: tcp_fragment() should apply sane memory limits
- tcp: add tcp_min_snd_mss sysctl
- tcp: enforce tcp_min_snd_mss in tcp_mtu_probing()
These four patches address three rather serious problems in the TCP handling of the kernel's network stack:
- CVE-2019-11477: "A sequence of SACKs may be crafted such that one can trigger an integer overflow, leading to a kernel panic."
- CVE-2019-11478: SACK Slowness (Linux < 4.15) or Excess Resource Usage (all Linux versions)
- CVE-2019-11479: Excess Resource Consumption Due to Low MSS Values
These three are specific to the Linux kernel. Netflix also identified a problem which only affects FreeBSD (and possibly other *BSDs):
- CVE-2019-5599: SACK Slowness
CVE-2019-11477 is the most serious of these vulnerabilities. A specially crafted sequence of SACK blocks from a peer makes the kernel coalesce buffers on the retransmission queue until the 16-bit tcp_gso_segs segment counter kept per socket buffer wraps around, and the BUG_ON() that guards it in tcp_shifted_skb() then panics the kernel. That is what the first patch, "tcp: limit payload size of sacked skbs", prevents. You do not want a kernel panic on your publicly facing high-value production service.
It is possible to mitigate CVE-2019-11477 (and CVE-2019-11478, which also depends on SACK processing) without upgrading the kernel by disabling selective acknowledgments:
echo 0 > /proc/sys/net/ipv4/tcp_sack
To keep that across reboots, put net.ipv4.tcp_sack = 0 in a file under /etc/sysctl.d/. No SACK support, no problem, as far as those two bugs go. Be honest about the cost, though: SACK (RFC 2018) lets the receiver tell the sender exactly which segments arrived so that only the missing ones are retransmitted. Without it, several losses within one window cost the sender roughly a round trip per lost segment, or a retransmission timeout, which hurts throughput on lossy or high-latency links. That is acceptable as a stop-gap; re-enable SACK once the kernel is upgraded. Disabling SACK does nothing for CVE-2019-11479, which does not involve SACK at all.
CVE-2019-11478 and CVE-2019-11479 are less serious. CVE-2019-11478 lets an attacker use crafted SACKs to fragment the TCP retransmission queue into many small segments, and CVE-2019-11479 lets a peer that advertises a very low MSS force the kernel to send segments carrying as little as 8 bytes of payload each. Both make the target waste CPU and bandwidth on tiny packets, but only for as long as the attacker keeps the connection going. The fix for the MSS case is the new net.ipv4.tcp_min_snd_mss sysctl (default 48) added by these releases, which sets the smallest send MSS the kernel will use regardless of what the peer advertises. CVE-2019-11477 is, in contrast, much worse since it can knock the system off the Internet outright.
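The workaround above and the "is my kernel fixed?" question are the two things an administrator actually has to answer, so here is a small POSIX sh triage script as an added example. It is not from the article, the kernel, or Netflix. It classifies an upstream stable version string against the fixed releases listed in this article, checks for the tcp_min_snd_mss sysctl that the patch set introduces (a version-independent signal that also works for distro kernels that backport the fix without changing the version), and can apply the SACK-off workaround. The function names, the PROCROOT parameter (used so the script can be exercised against a scratch directory instead of the real /proc) and the sample version strings are the example's own.

```shell
#!/bin/sh
# SACK Panic triage (added example; not kernel, Netflix or article code).
# Nothing here touches the network; it only reads version strings and sysctl files.

# First fixed patch level per upstream stable series, from the releases named above.
fixed_patch_for_series() {
  case "$1" in
    4.4)  echo 182 ;;
    4.9)  echo 182 ;;
    4.14) echo 127 ;;
    4.19) echo 52 ;;
    5.1)  echo 11 ;;
    *)    echo "" ;;
  esac
}

# kernel_is_fixed VERSION
# VERSION is what `uname -r` prints, e.g. "4.19.52" or "5.1.11-arch1-1-ARCH".
# Prints "fixed", "vulnerable" or "unknown". "unknown" covers release candidates,
# series that were already end-of-life upstream when the fix landed (4.20, 5.0) and
# distro kernels with their own numbering; for those, check the sysctl instead.
kernel_is_fixed() {
  case "$1" in *-rc*) echo unknown; return 0 ;; esac
  ver=${1%%-*}                       # drop the distro suffix
  ver=${ver%%+*}                     # drop a trailing "+" from local builds
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  case "$rest" in
    *.*) patch=${rest#*.}; patch=${patch%%.*} ;;   # third component, if present
    *)   patch=0 ;;
  esac
  case "$major$minor$patch" in *[!0-9]*) echo unknown; return 0 ;; esac
  # 5.2 and everything after it shipped with the fix already merged.
  if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 2 ]; }; then
    echo fixed; return 0
  fi
  need=$(fixed_patch_for_series "$major.$minor")
  if [ -z "$need" ]; then echo unknown
  elif [ "$patch" -ge "$need" ]; then echo fixed
  else echo vulnerable
  fi
}

# has_min_snd_mss_sysctl [PROCROOT]
# "tcp: add tcp_min_snd_mss sysctl" is part of the fix, so the file existing means the
# patch set is in the running kernel whatever the version string says.
has_min_snd_mss_sysctl() {
  [ -r "${1:-/proc}/sys/net/ipv4/tcp_min_snd_mss" ]
}

# disable_sack [PROCROOT]
# Runtime workaround for CVE-2019-11477 and CVE-2019-11478 on an unpatched kernel.
# Fails (non-zero) if the write did not take, e.g. not root. Persist it with
# "net.ipv4.tcp_sack = 0" under /etc/sysctl.d/ so a reboot does not undo it.
disable_sack() {
  f="${1:-/proc}/sys/net/ipv4/tcp_sack"
  echo 0 > "$f" 2>/dev/null || return 1
  [ "$(cat "$f")" = 0 ]
}

# Read-only report for the machine this runs on; disable_sack is left to the operator.
report() {
  echo "kernel $(uname -r): $(kernel_is_fixed "$(uname -r)") by version number"
  if has_min_snd_mss_sysctl; then
    echo "tcp_min_snd_mss present (value $(cat /proc/sys/net/ipv4/tcp_min_snd_mss)): fix is in this kernel"
  else
    echo "tcp_min_snd_mss missing: unpatched kernel, run disable_sack as root until you upgrade"
  fi
}

report
```

Trust the sysctl check over the version check: a 4.19.51 that reports "vulnerable" by version but has tcp_min_snd_mss is a vendor kernel with the fix backported, while a kernel from an EOL series (4.20, 5.0) comes back "unknown" by design because upstream never shipped a fixed release for it.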
Greg Kroah-Hartman has been attaching a message saying "All users of the 5.1 kernel series must upgrade" to every single kernel release for quite some time. When pressed he admitted that it is just a boilerplate message which means nothing. This time there is actually a reason to upgrade if you are running any kind of publicly facing machine. Do not count on a firewall, either: the attack rides on an ordinary established TCP connection, so any host that exchanges TCP with a peer it does not trust, as server or as client, is exposed. Only a machine that talks TCP to nobody untrusted is safe, and very few machines fit that description.
New kernels are, as always, available from https://www.kernel.org/ and they will likely be in your favorite distribution's repositories shortly.
published 2019-06-18 - last edited 2019-06-28