Notice on Fixing Linux Kernel SACK Vulnerabilities
Description
On June 18, 2019, Red Hat released a security notice stating that three vulnerabilities (CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479) had been found in the TCP selective acknowledgment (SACK) handling of the Linux kernel. The flaws are triggered by crafted SACK packets and by connections negotiated with a very small maximum segment size (MSS). A remote attacker who can open a TCP connection to an affected host can cause a denial of service (DoS): a kernel panic in the case of CVE-2019-11477, or excessive CPU and memory consumption in the case of CVE-2019-11478 and CVE-2019-11479, making the server unavailable.
Huawei Cloud CCE has fixed the Linux kernel SACK vulnerabilities using the solution described below.
References:
https://www.suse.com/support/kb/doc/?id=7023928
https://access.redhat.com/security/vulnerabilities/tcpsack
https://www.debian.org/lts/security/2019/dla-1823
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SACKPanic?
https://lists.centos.org/pipermail/centos-announce/2019-June/023332.html
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
Type | CVE-ID | Severity | Discovered | Fixed by Huawei Cloud
---|---|---|---|---
Input validation flaw | CVE-2019-11477 | High | 2019-06-17 | 2019-07-06
Resource management flaw | CVE-2019-11478 | High | 2019-06-17 | 2019-07-06
Resource management flaw | CVE-2019-11479 | High | 2019-06-17 | 2019-07-06
Impact
Linux kernel 2.6.29 and later, up to but not including the fixed versions listed under Solution. Distribution kernels that have backported the fix under an unchanged version number are not affected; consult the vendor advisories in the references.
Solution
These issues are resolved in the stable kernel versions 4.4.182, 4.9.182, 4.14.127, 4.19.52, and 5.1.11. Upgrade the nodes to a fixed kernel in rolling mode (one node or node pool at a time) so that workloads remain available during the upgrade, and confirm the result with `uname -r` on each node. Where an immediate upgrade is not possible, the referenced advisories describe two interim workarounds: disabling SACK processing (sysctl `net.ipv4.tcp_sack=0`), which also forfeits the performance benefit of SACK, and filtering incoming connections that advertise a very small MSS.
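The following script is an added example, not tooling from the notice or from Huawei Cloud: it classifies a node's `uname -r` output against the fixed stable versions listed above and reports whether the interim `tcp_sack` workaround is active. The treatment of mainline 5.2 and later as fixed is an assumption of this example, and distribution kernels outside the listed series are deliberately reported as unknown because vendors backport the fix without changing the version number.

```python
"""Added example: classify a node's kernel release against the upstream stable
releases that fix CVE-2019-11477/11478/11479, and report whether the SACK
sysctl workaround is active. Not part of the notice's own tooling."""
import re

# Upstream stable releases that contain the fixes, as listed in the notice.
FIXED_STABLE = {
    (4, 4): (4, 4, 182),
    (4, 9): (4, 9, 182),
    (4, 14): (4, 14, 127),
    (4, 19): (4, 19, 52),
    (5, 1): (5, 1, 11),
}
# Affected range starts at 2.6.29 (see Impact).
FIRST_AFFECTED = (2, 6, 29)
# Assumption of this example: mainline 5.2 and every later release include the fix.
FIRST_FIXED_MAINLINE = (5, 2)


def parse_release(release):
    """Turn a `uname -r` string such as '4.19.52-1-generic' into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def kernel_status(release):
    """Classify a kernel release string.

    Returns one of:
      'not-affected' - older than 2.6.29
      'fixed'        - at or above the fixed release of its stable series
      'vulnerable'   - in a listed stable series but below the fixed release
      'unknown'      - a series the notice does not list (for example a
                       distribution kernel such as 3.10.0-957.el7, where the
                       vendor backports the fix without changing the version;
                       use the vendor advisory) or a release candidate
    """
    version = parse_release(release)
    if version < FIRST_AFFECTED:
        return "not-affected"
    if "-rc" in release:
        return "unknown"
    series = version[:2]
    if series in FIXED_STABLE:
        return "fixed" if version >= FIXED_STABLE[series] else "vulnerable"
    if series >= FIRST_FIXED_MAINLINE:
        return "fixed"
    return "unknown"


def sack_workaround_active(tcp_sack_value):
    """Interpret the contents of /proc/sys/net/ipv4/tcp_sack ('1' on, '0' off).
    '0' means the interim workaround from the vendor advisories (disable SACK
    processing) is in place; it also forfeits SACK's performance benefit."""
    return tcp_sack_value.strip() == "0"


def node_report(release, tcp_sack_value):
    """Combine both checks into one record, as a fleet-wide check would."""
    status = kernel_status(release)
    workaround = sack_workaround_active(tcp_sack_value)
    if status in ("fixed", "not-affected") or workaround:
        action = "none"
    elif status == "unknown":
        action = "check vendor advisory"
    else:
        action = "upgrade kernel or set net.ipv4.tcp_sack=0"
    return {
        "release": release.strip(),
        "kernel": status,
        "sack_disabled": workaround,
        "action": action,
    }


if __name__ == "__main__":
    # Run on a node: reads the live kernel release and sysctl value.
    import subprocess
    release = subprocess.check_output(["uname", "-r"], text=True).strip()
    with open("/proc/sys/net/ipv4/tcp_sack") as f:
        tcp_sack = f.read()
    print(node_report(release, tcp_sack))
```

Run it on each node before and after the rolling upgrade; a node whose report shows `"kernel": "unknown"` needs the vendor's advisory rather than the upstream version list to decide whether it is patched.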
Introduction to TCP SACKs
TCP is a connection-oriented protocol. When two parties wish to communicate over a TCP connection, they establish it by exchanging certain information: a request to initiate the connection (SYN), the initial sequence number, the acknowledgement number, the maximum segment size (MSS) to use on this connection, and whether each side permits selective acknowledgments (the SACK-permitted option). This connection establishment process is known as the 3-way handshake.
TCP sends and receives user data in units called segments. A TCP segment consists of a TCP header, options, and user data. Each TCP segment carries a sequence number (SEQ) and an acknowledgement number (ACK).
The SEQ and ACK numbers are used to track which segments the receiver has successfully received. The ACK number is cumulative: it indicates the next byte (and therefore the next segment) the receiver expects, and says nothing about any later data that has already arrived.
Example:
In this example, user A sends a little over 1 KB of data in 13 segments, each with a 20-byte TCP header and 100 bytes of payload. On the receiving end, user B receives segments 1, 2, 4, 6, and 8-13. Segments 3, 5, and 7 are lost.
Using the ACK number, user B can only indicate that it is expecting segment 3, which user A reads as none of the segments after 2 having been received by user B. User A then retransmits all the segments from 3 onwards, even though segments 4, 6, and 8-13 were successfully received by user B. These repeated transmissions waste bandwidth and reduce performance. SACK addresses this by letting the receiver report, in a TCP option, exactly which non-contiguous ranges of data it has already received, so the sender retransmits only the missing segments.
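The scenario above, worked through in code as an added example (not part of the original notice): it computes the cumulative ACK user B sends, the SACK blocks B would advertise, and which segments A retransmits with and without SACK. The byte layout (segment 1 carries bytes 0-99 relative to the initial sequence number), the received-segment set and the assumption that segments arrived in sequence order are constructed for this example; the limit of three SACK blocks per option is the RFC 2018 limit when the timestamp option is also in use.

```python
"""Added example: the retransmission behaviour described above, computed for the
13-segment scenario, with and without SACK blocks. Not part of the original
notice; the segment layout and arrival pattern are constructed for the example."""

MSS = 100            # bytes of payload per segment
TOTAL_SEGMENTS = 13
# Constructed input: the segments user B actually received (1-based, as in the text).
RECEIVED = {1, 2, 4, 6, 8, 9, 10, 11, 12, 13}


def seg_range(n, mss=MSS):
    """Byte range [left, right) carried by segment n, relative to the initial
    sequence number (segment 1 carries bytes 0..mss-1)."""
    return (n - 1) * mss, n * mss


def cumulative_ack(received, mss=MSS):
    """The ACK number B sends: the first byte of the first missing segment."""
    n = 1
    while n in received:
        n += 1
    return seg_range(n, mss)[0]


def sack_blocks(received, total, mss=MSS, max_blocks=3):
    """SACK blocks B would advertise: contiguous runs of received segments
    above the cumulative ACK, as [left, right) byte ranges. At most
    max_blocks fit in the option (3 when the timestamp option is also in use).
    Assumption: segments arrived in sequence order, so the block with the
    highest sequence numbers is the most recently received and, per RFC 2018,
    is listed first; blocks beyond the limit are simply not reported."""
    ack = cumulative_ack(received, mss)
    blocks = []
    n = 1
    while n <= total:
        if n in received and seg_range(n, mss)[0] >= ack:
            start = n
            while n + 1 <= total and (n + 1) in received:
                n += 1
            blocks.append((seg_range(start, mss)[0], seg_range(n, mss)[1]))
        n += 1
    blocks.reverse()
    return blocks[:max_blocks]


def retransmit_without_sack(received, total, mss=MSS):
    """Cumulative ACK only: A knows nothing beyond the ACK number, so it
    resends everything from the first missing segment onward."""
    first_missing = cumulative_ack(received, mss) // mss + 1
    return list(range(first_missing, total + 1))


def retransmit_with_sack(received, total, mss=MSS, max_blocks=3):
    """With SACK: A resends only segments that are neither cumulatively
    acknowledged nor covered by an advertised SACK block."""
    ack = cumulative_ack(received, mss)
    blocks = sack_blocks(received, total, mss, max_blocks)
    todo = []
    for n in range(1, total + 1):
        left, right = seg_range(n, mss)
        if right <= ack:
            continue                      # already covered by the cumulative ACK
        if any(bl <= left and right <= br for bl, br in blocks):
            continue                      # B reported this range as received
        todo.append(n)
    return todo


if __name__ == "__main__":
    print("ACK =", cumulative_ack(RECEIVED))
    print("SACK blocks =", sack_blocks(RECEIVED, TOTAL_SEGMENTS))
    print("without SACK, resend:", retransmit_without_sack(RECEIVED, TOTAL_SEGMENTS))
    print("with SACK, resend:   ", retransmit_with_sack(RECEIVED, TOTAL_SEGMENTS))
```

For the text's scenario the ACK is 200, the three SACK blocks cover segments 8-13, 6 and 4, and A resends 11 segments without SACK but only 3 with it. When there are more gaps than the option can carry, the unreported ranges are retransmitted too; that block limit is one reason the kernel keeps per-connection SACK bookkeeping, which is the code path the vulnerabilities above live in.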