Updated on 2023-08-02 GMT+08:00

Notice on Fixing Linux Kernel SACK Vulnerabilities

Description

On June 18, 2019, Red Hat released a security notice stating that three security vulnerabilities (CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479) had been found in the TCP SACK module of the Linux kernel. These vulnerabilities are related to the maximum segment size (MSS) and TCP selective acknowledgment (SACK) packets. Remote attackers can exploit them to trigger a denial of service (DoS), making the server unavailable or crashing it.

The Linux Kernel SACK vulnerabilities have been fixed for Huawei Cloud CCE using the following solution.

References:

https://www.suse.com/support/kb/doc/?id=7023928

https://access.redhat.com/security/vulnerabilities/tcpsack

https://www.debian.org/lts/security/2019/dla-1823

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SACKPanic?

https://lists.centos.org/pipermail/centos-announce/2019-June/023332.html

https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md

Table 1 Vulnerability information

Type                     | CVE-ID         | Severity | Discovered | Fixed by Huawei Cloud
Input validation flaw    | CVE-2019-11477 | High     | 2019-06-17 | 2019-07-06
Resource management flaw | CVE-2019-11478 | High     | 2019-06-17 | 2019-07-06
Resource management flaw | CVE-2019-11479 | High     | 2019-06-17 | 2019-07-06

Impact

Linux kernel version 2.6.29 and later

Solution

These issues have been resolved in stable kernel versions 4.4.182, 4.9.182, 4.14.127, 4.19.52, and 5.1.11. You can upgrade the nodes to a fixed kernel in rolling mode.

Introduction to TCP SACKs

TCP is a connection-oriented protocol. When two parties wish to communicate over a TCP connection, they establish it by exchanging certain information: a request to initiate the connection (SYN), the initial sequence number, the acknowledgement number, the maximum segment size (MSS) to use over this connection, and whether each side is permitted to send and process Selective Acknowledgments (SACKs). This connection establishment process is known as the 3-way handshake.

TCP sends and receives user data in units called segments. A TCP segment consists of a TCP header, options, and user data. Each TCP segment carries a sequence number (SEQ) and an acknowledgement number (ACK).

These SEQ and ACK numbers are used to track which segments are successfully received by the receiver. An ACK number indicates the next segment expected by the receiver.

Example:

In this example, user A sends 1 KB of data in 13 segments. Each segment has a 20-byte header and carries 100 bytes of data. On the receiving end, user B receives segments 1, 2, 4, 6, and 8-13. Segments 3, 5, and 7 are lost.

Using ACK numbers alone, user B indicates that it is expecting segment 3, which user A reads as meaning that none of the segments after 2 were received by user B. User A then retransmits every segment from 3 onwards, even though segments 4, 6, and 8-13 were already received successfully by user B. This leads to poor performance due to repeated transmissions.
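The scenario above, worked through in code as an added example (not part of the original notice): it computes the ACK number B reports, the SACK blocks B could advertise, and which segments A resends without and with SACK. The 100-byte payload per segment comes from the text; the initial sequence number of 1 and the right-exclusive SACK block edges are assumptions.

```python
# Added example (not from the original notice): simulates the 13-segment
# scenario in the text to show which segments A resends with cumulative ACKs
# only versus with SACK blocks. Initial sequence number is an assumption.

DATA_PER_SEGMENT = 100   # bytes of user data per segment (from the text)
INITIAL_SEQ = 1          # assumed initial sequence number

def seq_of(segment_no):
    """Sequence number of the first byte of segment_no (1-based)."""
    return INITIAL_SEQ + (segment_no - 1) * DATA_PER_SEGMENT

def cumulative_ack(received):
    """ACK number B sends: first byte after the longest in-order prefix."""
    n = 0
    while (n + 1) in received:
        n += 1
    return seq_of(n + 1)

def sack_blocks(received):
    """SACK blocks as (left, right) edges, right exclusive (RFC 2018 style),
    covering received data above the cumulative ACK; adjacent runs merged."""
    ack, blocks = cumulative_ack(received), []
    for s in sorted(received):
        left, right = seq_of(s), seq_of(s) + DATA_PER_SEGMENT
        if left < ack:
            continue                      # already covered by the ACK number
        if blocks and blocks[-1][1] == left:
            blocks[-1] = (blocks[-1][0], right)   # extend the current run
        else:
            blocks.append((left, right))
    return blocks

def retransmit_without_sack(received, total):
    """Without SACK, A resends from the first gap to the end (go-back-N)."""
    first_missing = (cumulative_ack(received) - INITIAL_SEQ) // DATA_PER_SEGMENT + 1
    return list(range(first_missing, total + 1))

def retransmit_with_sack(received, total):
    """With SACK, A resends only segments covered by neither ACK nor SACK."""
    ack, blocks = cumulative_ack(received), sack_blocks(received)
    def covered(s):
        left = seq_of(s)
        return left < ack or any(l <= left < r for l, r in blocks)
    return [s for s in range(1, total + 1) if not covered(s)]

if __name__ == "__main__":
    received = {1, 2, 4, 6} | set(range(8, 14))   # constructed: 3, 5, 7 lost
    print("ACK:", cumulative_ack(received), "SACK blocks:", sack_blocks(received))
    print("resend without SACK:", retransmit_without_sack(received, 13),
          "with SACK:", retransmit_with_sack(received, 13))
```

For the page's scenario the ACK number is 201, and A resends segments 3 through 13 without SACK but only 3, 5, and 7 with SACK.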