[Vulnerability Warning] Linux kernel TCP SACK mechanism remote denial of service vulnerability


On June 18, 2019, Alibaba Cloud Emergency Response Center became aware that an overseas security research organization had disclosed flaws in the TCP SACK handling of the Linux kernel that can be exploited for remote denial of service. The CVE numbers are CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479.

Vulnerability description
Linux kernel 2.6.29 and later versions have defects in their handling of the TCP SACK mechanism, including an integer overflow. An attacker can construct specially crafted SACK packets and remotely trigger the overflow in the Linux server's kernel, resulting in a remote denial of service. This does not let the attacker take control of the machine; however, the server can suddenly become unavailable because its CPU and memory resources are consumed.

Vulnerability rating
CVE-2019-11477 High risk
CVE-2019-11478 Medium risk
CVE-2019-11479 Medium risk


Security fix suggestions
Note: Either of the following fixes may cause a service interruption.

First, disable the SACK mechanism by executing the following commands (currently the best option):
echo 0 > /proc/sys/net/ipv4/tcp_sack
sysctl -w net.ipv4.tcp_sack=0


Second, install the Linux kernel security update (requires a server reboot):
Ubuntu series: apt-get update && sudo apt-get install linux-image-generic
CentOS series: yum update kernel
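The following script is an added example and is not part of the original advisory. It wraps the mitigation above so that an operator can first check whether SACK is currently enabled, whether the running kernel falls in the version range the advisory names (2.6.29 and later), and then apply the tcp_sack=0 setting, while letting all three steps be exercised against a constructed fake procfs file instead of the live kernel. The function names, the fake file and the sample kernel version strings are assumptions made for this example; the version check only reports that a kernel is in the advisory's range, not whether a distribution has already patched it.

```shell
#!/bin/sh
# Added example (not from the original advisory): inspect and apply the
# SACK mitigation in a way that can be dry-run against constructed input.

# Print "enabled" or "disabled" for the tcp_sack knob read from file $1
# (default: the live procfs path). Returns non-zero for unreadable input.
sack_state() {
    f="${1:-/proc/sys/net/ipv4/tcp_sack}"
    v="$(cat "$f" 2>/dev/null)" || { echo "unknown"; return 1; }
    case "$v" in
        0) echo "disabled" ;;
        1) echo "enabled" ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# Write the advisory's mitigation (tcp_sack = 0) to file $1 (default: the live
# procfs path) and print the resulting state so the caller can confirm it.
disable_sack() {
    f="${1:-/proc/sys/net/ipv4/tcp_sack}"
    echo 0 > "$f" && sack_state "$f"
}

# Is kernel version string $1 (e.g. from `uname -r`) in the range named by the
# advisory, 2.6.29 and later? Prints "in-range" or "out-of-range". A patched
# kernel is still "in-range": this prompts a check of the distro's patch
# status, it is not a vulnerability verdict.
kernel_in_advisory_range() {
    # keep only the leading dotted numeric part, e.g. "4.15.0-51-generic" -> "4.15.0"
    base="$(printf '%s' "$1" | sed 's/[^0-9.].*//')"
    lowest="$(printf '%s\n%s\n' "2.6.29" "$base" | sort -V | head -n1)"
    if [ "$lowest" = "2.6.29" ]; then
        echo "in-range"
    else
        echo "out-of-range"
    fi
}

# Constructed sample: a fake procfs file with SACK enabled, so the functions
# above can be exercised without touching the running kernel.
SAMPLE_SACK="$(mktemp)"
echo 1 > "$SAMPLE_SACK"

# Stand-alone usage against the constructed sample (assumed values):
echo "sample kernel 4.15.0-51-generic: $(kernel_in_advisory_range 4.15.0-51-generic)"
echo "before: $(sack_state "$SAMPLE_SACK")"
echo "after:  $(disable_sack "$SAMPLE_SACK")"
```

On a real host, call `disable_sack` with no argument as root to apply the same change as the `echo 0 > /proc/sys/net/ipv4/tcp_sack` line in the advisory. Both commands in the advisory set the same runtime kernel parameter; neither survives a reboot, so a host that relies on this workaround rather than the kernel update also needs `net.ipv4.tcp_sack = 0` in its sysctl configuration (for example /etc/sysctl.conf) to persist the setting.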