TCP Vulnerability: Netflix Dev found new holes that can paralyze Linux machines over the Internet

Netflix developers have found several bugs in the Linux kernel and in FreeBSD that can crash or slow down a system by sending special network packets. The problems are in the TCP feature Selective Acknowledgment (SACK).

The SACK feature improves the performance of TCP network connections in case of packet loss. When a TCP packet is fragmented and only a fraction of the segments arrive at the receiver, the sender can request a retransmission of individual segments. This avoids having to re-request the entire TCP packet.

Too many segments lead to kernel crash

The most critical of the gaps found makes it possible to paralyze the Linux kernel over the network. In the Linux kernel, segments are kept in a special buffer before being sent, but it only has space for 17 packets. This is usually sufficient, but with the help of SACK packets a situation can be constructed in which this buffer is full.

This triggers the BUG_ON function in the kernel, which is called when a situation occurs that was not originally planned for. The result: the kernel crashes. However, an attacker cannot do more than that. The function executes a safe crash; no memory is overwritten and no undefined states occur. Such gaps, which can crash a system over the network, are sometimes referred to as a ping of death.

FreeBSD gap less severe

The other holes found by Netflix, including the one in FreeBSD, do not cause a crash, but they can severely slow down a system. They are therefore much less critical.

So far, there is no publicly available exploit for the gaps. One should assume, however, that suitable exploits will appear soon and then be used.

Linux users should upgrade their kernel packages and restart their systems as soon as possible. As a temporary solution, you can also disable SACK via the proc interface: /proc/sys/net/ipv4/tcp_sack must be set to 0 for this. Of course, this will cause connections to slow down on packet loss. Alternatively, it is also possible to filter the attacks; Netflix has provided corresponding filter rules.

The current stable version of the Linux kernel, 5.1.11, already contains the fixes for the bugs found. Corrected versions have also been published for many older kernel version branches. Red Hat explained more details about the vulnerabilities in a blog post.

There is no update for FreeBSD so far. However, the gap there is much less critical because it does not cause a crash.

The gap could become problematic for Android phones and for many IoT devices, because manufacturers often provide no updates for them.
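The following shell script is an added example, not part of the original article or of Netflix's advisory: it triages one Linux host by comparing its kernel release with the fixed stable version named above and checking whether the tcp_sack workaround is active. The names PROC_ROOT, FIXED_STABLE and the function names are assumptions made for this example, and `sort -V` is assumed to be available (GNU coreutils).

```shell
#!/bin/sh
# Added example: triage a Linux host for the SACK issue described in the article.
# PROC_ROOT and FIXED_STABLE are names chosen for this example only.
PROC_ROOT="${PROC_ROOT:-/proc}"
FIXED_STABLE="5.1.11"   # stable release the article says contains the fixes

# Print "enabled", "disabled" or "unknown" for the tcp_sack switch.
sack_state() {
    f="$PROC_ROOT/sys/net/ipv4/tcp_sack"
    [ -r "$f" ] || { echo unknown; return; }
    case "$(cat "$f")" in
        0) echo disabled ;;
        1) echo enabled ;;
        *) echo unknown ;;
    esac
}

# True when kernel release $1 is at or above FIXED_STABLE (sort -V ordering).
# Distribution suffixes such as "-generic" are stripped before comparing.
at_or_above_fixed() {
    v="${1%%-*}"
    lowest=$(printf '%s\n%s\n' "$FIXED_STABLE" "$v" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_STABLE" ]
}

# Combine both checks into one verdict for kernel release $1.
# Older branches may carry the fix as a backport, so a lower number means
# "look it up in the vendor advisory", not "vulnerable".
triage() {
    if at_or_above_fixed "$1"; then
        echo "fixed-release"
    elif [ "$(sack_state)" = "disabled" ]; then
        echo "workaround-active"
    else
        echo "check-vendor-advisory"
    fi
}

# Apply the temporary workaround (needs root); the setting is lost on reboot.
disable_sack() {
    echo 0 > "$PROC_ROOT/sys/net/ipv4/tcp_sack"
}

# Report on the running host.
echo "kernel $(uname -r): $(triage "$(uname -r)")"
```

Call `disable_sack` as root only on hosts where the verdict is `check-vendor-advisory` and the kernel update cannot be installed immediately.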