Three vulnerabilities found in Linux TCP stacks leading to remote denial of service


News recently broke about several critical vulnerabilities in the TCP stacks of Linux and FreeBSD that allow an attacker to remotely trigger a kernel crash or excessive resource consumption by sending specially crafted TCP packets (a "packet of death").

The problems stem from errors in the handling of the maximum segment size of a TCP packet (MSS, Maximum Segment Size) and of the selective acknowledgment mechanism (SACK, Selective Acknowledgment).

What is selective acknowledgment?

TCP Selective Acknowledgment (SACK) is a mechanism that lets the receiver tell the sender exactly which segments have arrived successfully, not just the last contiguous byte.

This allows the sender to retransmit only the segments missing from that acknowledged set. With SACK disabled the sender only knows how far the contiguous data reaches, so recovering a stream with holes in it requires retransmitting a much larger amount of data.

In the Linux kernel the problems are fixed in versions 4.4.182, 4.9.182, 4.14.127, 4.19.52 and 5.1.11. The fix for FreeBSD is available as a patch.

Updated kernel packages have been released for Debian, RHEL, SUSE / openSUSE, ALT, Ubuntu, Fedora and Arch Linux.
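A quick way to compare a running kernel against the fixed versions listed above, as an added example that is not part of the article: the table of fixed releases is the one given in the text, the assumption that any series newer than 5.1 already carries the fix follows from 5.1.11 being the last mainline-side backport, and the "unknown" result is deliberate for series such as 3.10 or 4.15 that upstream no longer maintained.

```python
"""Compare an upstream stable kernel release against the fixed versions listed
above. Added example, not from the article."""
import platform
import re

# Fixed versions from the article, keyed by stable series (major, minor).
FIXED = {(4, 4): 182, (4, 9): 182, (4, 14): 127, (4, 19): 52, (5, 1): 11}
FIRST_AFFECTED = (2, 6, 29)        # SACK Panic is present from 2.6.29 onward
NEWEST_FIXED_SERIES = max(FIXED)   # assumption: anything newer is mainline after the fix


def parse_release(release):
    """Turn a `uname -r` string such as "4.19.37-5-amd64" into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def sack_status(release):
    """Classify an upstream kernel: 'not-affected', 'fixed', 'vulnerable' or 'unknown'.

    'unknown' means the series (e.g. 3.10 or 4.15) carries no upstream fix, so
    only a distribution backport can protect it; check the vendor advisory.
    """
    major, minor, patch = parse_release(release)
    if (major, minor, patch) < FIRST_AFFECTED:
        return "not-affected"
    series = (major, minor)
    if series in FIXED:
        return "fixed" if patch >= FIXED[series] else "vulnerable"
    if series > NEWEST_FIXED_SERIES:
        return "fixed"
    return "unknown"


if __name__ == "__main__":
    running = platform.release()
    print(f"{running}: {sack_status(running)}")
```

The check is only meaningful for kernels built from upstream stable. Distribution kernels such as RHEL's 3.10.0-957 or Ubuntu's 4.15.0 receive the fix as a backport without a version bump, which is why those come back as "unknown"; for them the authoritative answer is the vendor advisory or the package changelog (on RPM systems, `rpm -q --changelog kernel | grep CVE-2019-11477`).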

CVE-2019-11477 (SACK Panic)

The problem affects Linux kernels since 2.6.29 and lets a remote attacker crash the kernel (panic) by sending a series of SACK packets, due to an integer overflow in the SACK processing code.

For the attack it is enough to negotiate an MSS of 48 bytes for a TCP connection and then send a sequence of SACK packets arranged in a particular way.

The heart of the problem is that a socket buffer (skb) is designed to hold at most 17 fragments ("#define MAX_SKB_FRAGS (65536 / PAGE_SIZE + 1)", which evaluates to 17 with 4 KiB pages), while the per-packet control block tcp_skb_cb counts the segments a buffer represents in a 16-bit field.

When a packet is sent it is placed in the send queue, and tcp_skb_cb stores details about it such as the sequence number and flags, together with the fields "tcp_gso_segs" and "tcp_gso_size", which pass segmentation information to the driver so that TCP Segmentation Offload (TSO) can split the data into segments on the network card.

These buffers are merged (coalesced) when packet loss occurs and segments have to be selectively retransmitted, provided SACK is enabled and the driver supports TSO. With an MSS of 48 bytes, a buffer with all 17 fragments filled represents more segments than the 16-bit tcp_gso_segs field can count, so the counter overflows and the kernel panics.
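To make the arithmetic behind the overflow concrete, here is a small model of the merge step, added as an example and not taken from the kernel or the article. It assumes 4 KiB pages (so MAX_SKB_FRAGS is 17, as quoted above), assumes each fragment can hold 32 KiB of payload, takes the 8 data bytes per segment at MSS 48 from the text, and stands in an exception for the kernel's BUG_ON; the merge loop itself is a simplification of SACK processing, not a transcription of it.

```python
"""Model of the 16-bit tcp_gso_segs overflow behind CVE-2019-11477.

Added example: this is not kernel code, only the arithmetic and the merge
behaviour described above, with the kernel's BUG_ON stood in for by an exception.
"""

PAGE_SIZE = 4096
MAX_SKB_FRAGS = 65536 // PAGE_SIZE + 1   # 17, the value quoted in the article
FRAG_BYTES = 32 * 1024                   # assumed: payload one fragment can hold
U16_MAX = 0xFFFF                         # tcp_gso_segs is a 16-bit field
NORMAL_MSS = 1460                        # Ethernet-sized MSS for comparison
LOW_MSS_DATA = 8                         # data per segment when MSS is 48 (see text)


def segments_in_full_skb(data_per_segment):
    """How many segments a buffer with all 17 fragments filled represents."""
    return MAX_SKB_FRAGS * FRAG_BYTES // data_per_segment


class Skb:
    """Toy send-queue buffer: payload length plus the TSO segment count."""

    def __init__(self, data_len, gso_size):
        self.data_len = data_len
        self.gso_size = gso_size
        self.gso_segs = -(-data_len // gso_size)   # ceil(data_len / gso_size)


class KernelPanic(Exception):
    """Stands in for the kernel's BUG_ON when a buffer's count is inconsistent."""


def attacker_queue(n_segments, data_per_segment=LOW_MSS_DATA):
    """Send queue as it looks after the peer negotiated MSS 48: many 8-byte skbs."""
    return [Skb(data_per_segment, data_per_segment) for _ in range(n_segments)]


def coalesce(queue, hardened):
    """Merge consecutive SACKed skbs into the first one, as SACK processing does.

    hardened=False stores the new count into 16 bits (it wraps silently);
    hardened=True refuses a merge whose count would not fit, the shape of the fix.
    """
    prev = queue[0]
    capacity = MAX_SKB_FRAGS * FRAG_BYTES
    for skb in queue[1:]:
        if prev.data_len + skb.data_len > capacity:
            break                                 # a real skb cannot grow further
        new_segs = prev.gso_segs + skb.gso_segs
        if hardened and new_segs > U16_MAX:
            break                                 # leave skb unmerged; count stays exact
        prev.data_len += skb.data_len
        prev.gso_segs = new_segs & U16_MAX        # what a u16 store keeps
        if prev.gso_segs * prev.gso_size < prev.data_len:
            raise KernelPanic(
                f"skb holds {prev.data_len} bytes but claims {prev.gso_segs} segments")
    return prev


def simulate(n_segments, hardened):
    """Return the merged skb's segment count, or 'panic' if the vulnerable path trips."""
    try:
        return coalesce(attacker_queue(n_segments), hardened).gso_segs
    except KernelPanic:
        return "panic"


if __name__ == "__main__":
    print("segments per full skb at 8 bytes each:", segments_in_full_skb(LOW_MSS_DATA))
    print("segments per full skb at MSS 1460:", segments_in_full_skb(NORMAL_MSS))
    print("vulnerable:", simulate(70_000, hardened=False))
    print("hardened:", simulate(70_000, hardened=True))
```

The contrast is the point: at a normal MSS a full buffer represents a few hundred segments and the 16-bit counter is nowhere near its limit, while at 8 bytes per segment the same buffer represents 69,632 segments, more than 65,535, so the count wraps to zero after the 65,536th segment is merged and the buffer no longer describes its own contents.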

As a workaround you can disable SACK processing (sysctl net.ipv4.tcp_sack=0) or drop connections that advertise a small MSS. The MSS filter only works while sysctl net.ipv4.tcp_mtu_probing is set to 0 (the default) and may break legitimate connections that genuinely use a low MSS.

CVE-2019-11478 (SACK Slowness)

The flaw lets specially crafted SACK packets fragment the TCP retransmission queue. On Linux kernels before 4.15 an attacker can go further and make every subsequent SACK on the same connection trigger an expensive walk of that fragmented list, slowing the SACK mechanism down and consuming excessive CPU.

The workarounds are the same as for the previous vulnerability.

CVE-2019-5599 (SACK Slowness)

A crafted SACK sequence within a single TCP connection can fragment the RACK send map and force a resource-intensive walk of that list on every further SACK.

The problem affects FreeBSD 12 when the RACK loss-detection stack is in use. As a workaround you can stop using the RACK module (it is not loaded by default; it is disabled by setting sysctl net.inet.tcp.functions_default=freebsd).

CVE-2019-11479

The flaw lets an attacker force the Linux kernel to split its responses into many TCP segments, each carrying only 8 bytes of data, which greatly increases traffic, CPU load and congestion on the link.

It also consumes additional resources on both the processor and the network card.

The attack requires sustained effort from the attacker, and its effects end shortly after the attacker stops sending traffic.

While this attack is in progress, the system will run at reduced capacity, causing a denial of service for some users.

A remote user can trigger it by negotiating the lowest MSS the kernel accepts for a TCP connection (48 bytes) and then sending a sequence of specially crafted SACK packets.

As a workaround it is recommended to block connections with a low MSS, with the same caveats about tcp_mtu_probing and legitimate low-MSS peers as above. Kernels carrying the fix also add the sysctl net.ipv4.tcp_min_snd_mss, which lets the administrator raise the minimum MSS the kernel will use when sending.
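The low-MSS handshake is the common precondition for both the SACK Panic workaround above and this one, so it is worth being able to spot it in a capture. The following detector is an added example, not part of the article: it reads lines in tcpdump's default text format, keeps only client SYNs (the packet with which a remote peer imposes its MSS on the local stack), and reports any that advertise an MSS below a threshold. The threshold of 500 and the capture lines are constructed for the example.

```python
"""Spot inbound SYNs that advertise a tiny MSS, the precondition for the
SACK Panic and low-MSS attacks described above. Added example, not from the
article; the capture lines below are constructed, not real traffic."""
import re

LOW_MSS_THRESHOLD = 500          # assumed cut-off for "suspiciously small"
ADDR_RE = re.compile(r"\bIP (\S+) > (\S+):")
MSS_RE = re.compile(r"\bmss (\d+)")

# Constructed lines in tcpdump's default text format (documentation addresses).
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.5.40000 > 198.51.100.10.443: Flags [S], seq 1, win 64240, options [mss 48,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
12:00:01.000002 IP 198.51.100.10.443 > 203.0.113.5.40000: Flags [S.], seq 2, ack 2, win 65160, options [mss 1460,sackOK,TS val 2 ecr 1,nop,wscale 7], length 0
12:00:01.000003 IP 192.0.2.7.51000 > 198.51.100.10.443: Flags [S], seq 3, win 65535, options [mss 1460,sackOK,TS val 3 ecr 0,nop,wscale 8], length 0
12:00:01.000004 IP 203.0.113.5.40000 > 198.51.100.10.443: Flags [.], ack 1, win 502, options [nop,nop,TS val 4 ecr 2,nop,nop,sack 1 {9:17}], length 0
12:00:01.000005 IP 203.0.113.9.40010 > 198.51.100.10.22: Flags [S], seq 5, win 64240, options [mss 256,sackOK,TS val 5 ecr 0,nop,wscale 7], length 0
"""


def parse_syn(line):
    """Return (src, dst, mss) for a client SYN carrying an MSS option, else None.

    Only "Flags [S]" (SYN without ACK) is considered: that is the packet the
    remote peer uses to impose its MSS on our side of the connection.
    """
    if "Flags [S]," not in line:
        return None
    addr, mss = ADDR_RE.search(line), MSS_RE.search(line)
    if not (addr and mss):
        return None
    return addr.group(1), addr.group(2), int(mss.group(1))


def low_mss_syns(capture_text, threshold=LOW_MSS_THRESHOLD):
    """List (src, dst, mss) for every client SYN advertising an MSS below threshold."""
    hits = []
    for line in capture_text.splitlines():
        parsed = parse_syn(line)
        if parsed and parsed[2] < threshold:
            hits.append(parsed)
    return hits


if __name__ == "__main__":
    for src, dst, mss in low_mss_syns(SAMPLE_CAPTURE):
        print(f"low MSS {mss:4d} from {src} to {dst}")
```

The host-side equivalent of this check is the netfilter rule the vendor advisories suggest, which drops SYNs whose MSS option falls in a low range, for instance `iptables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP`. Whether 500 is the right cut-off is a local decision: some tunnelled or constrained peers legitimately advertise a small MSS, and as noted above the filter only helps while tcp_mtu_probing is off, so run the detector against your own traffic first to see what the rule would block.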

