Nutanix release latest security advisory regarding critical TCP SACK Selective ACKnowledgements (SACKs) Panic vulnerability to linux system discovered several TCP networking vulnerabilities in FreeBSD and Linux kernels.
These vulnerabilities relate to minimum segment size (MSS) and TCP Selective Acknowledgement (SACK). The more critical of the three vulnerabilities, also known as SACK Panic, can allow for a remotely triggered kernel panic in Linux kernels.
Information on Vulnerabilities
Three vulnerabilities, outlined below, make up this collective advisory with CVE-2019-11477 (SACK Panic) being the most critical. Definition of two terms will help clarify the issue.
MSS – Maximum Segment Size
The maximum segment size is a parameter set in the TCP header of a packet that specifies the total data contained within a TCP segment. This information is necessary in situations where packets become fragmented as they are transmitted across different routes. This parameter informs the receiving host how large the TCP segment size, which is necessary in order to adequately reassemble the packet in the event of fragmentation.
During TCP communication, Sequence Numbers (SEQ) and Acknowledgement Numbers (ACK)are used by the client and server to determine which segments have been sent to the client, and which segments the client acknowledges were received. The absence of an ACK for a particular segment during communication would trigger the server to re-transmit all segments after the last received segment number.In order to make this process more efficient Selective Acknowledgement (SACK) was devised as part of RFC-2018.
This vulnerability relies on a flaw within the Linux kernel where the MSS of a connection is set to its lowest limit of 48 bytes, which only leaves 8 bytes of data per segment. In this scenario, a specially crafted SACK can trigger a denial of service by way of a kernel panic by way of overflowing the tcp_gso_segs parameter in the kernel’s Socket Buffers (SKB).
This vulnerability relies on a resource consumption flaw in the Linux kernel Socket Buffer (SKB) around TCP Selective Acknowledgment (SACK) segments. Specially crafted SACK segments can be sent causing the SKB to become fragmented. This fragmentation leads to increased resource utilization due to the processing of these fragments. As additional SACK segments come in,further fragmentation occurs, eventually resulting in a Denial of Service.
CVE-2019-11479 – Excessive Resource Consumption due to Low MSS Values
This vulnerability relies on setting the MSS of a TCP connection to its lowest value, 48 bytes,which leaves only 8 bytes for actual data on the segment. This low amount of data in the segment results in increased CPU and Memory utilization on the host due to the larger number of segments that must be created to complete the transfer of data. This can result in a Denial of Service (DDos) attack by repeatedly sending the server requests with the minimum MSS size of 48 bytes.
Nutanix Affected Products
|Fix Release version
|AHV, AOS, Prism Central, Files, Move, X-ray and Era
|Latest Version will be released soon in July 2019 | Nutanix is working on it.
Mitigations are possible to these attacks, but at this time we do not recommend implementing these mitigations until proper validation has taken place. If this validation is successful.
Nutanix strongly recommended to update them as soon as errata are available. Customers are urged to apply the available updates immediately and enable the mitigations as they feel appropriate.
This kind of TCP SACK panic overflow vulnerability is very critical for Linux based Operating systems and could be compromise by remote hackers.
So, Install vulnerability fixed patch immediately as soon as possible on patch available by your product vendor.
Thanks to being with Hyper Hci Blog.
Nutanix Vulnerability Related Post
- Nutanix Security Advisory Intel CPU Vulnerability MDS
- Nutanix API Authentication Vulnerability April 2019
- Nutanix CVM Kernel Panic Issue