This article was published on June 17, 2019

Netflix fixes potentially devastating Linux SACK vulnerability

Please mind the SACK


Netflix fixes potentially devastating Linux SACK vulnerability

Eagle-eyed researchers from streaming titan Netflix have uncovered several troubling security vulnerabilities within the TCP implementations on Linux and FreeBSD kernels. The most severe specimen, called SACK Panic, could permit an attacker to remotely induce a kernel panic within recent Linux operating systems.

A kernel panic is a kind of vulnerability where an operating system cannot easily recover – or, indeed, cannot recover at all. This could force a restart of a targeted host, causing a temporary shutdown in services.

Given Linux powers a variety of systems, from web servers to high-performance computing clusters, this is obviously really concerning.

In total, Netflix has found four separate vulnerabilities, each with their own distinct behaviors. They all pertain to the same part of the Linux and FreeBSD TCP implementation — the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK).

One issue highlighted by Netflix could see an attacker force the Linux kernel to transmit data as individual TCP segments, each containing a mere 8 bytes. As Netflix’s researchers point out, this can manifestly slow down any outbound traffic, as well as place increased pressure on the computer’s processor and network card.

The <3 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!

Here’s the good news: the vulnerabilities are each patchable. In many cases, there are also workarounds, which are handy for those users who, for whatever reason, cannot make any drastic modifications.

Speaking to TNW, Javvad Malik, security awareness advocate at KnowBe4, explained that this issue was reminiscent of a family of security issues that emerged during the 1990’s.

“The Linux SACK vulnerabilities are reminiscent of the Ping of Death from the mid/late 90’s where a crafted IP packet could cause a system to freeze or reboot,” he explained.

“While the SACK vulnerabilities are significant, there are workarounds available. The easiest for most would be to apply the patches, but where this is not feasible, implement other recommendations such as disabling SACK processing. Ultimately, this is another round in the continual game of cat-and-mouse where vulnerabilities are discovered and patched in the life of a sysadmin. “

Boris Cipot, senior security engineer at Synopsys, added that the onus was now on sysadmins and engineers to implement these patches in the most expedient way possible.

“It is now crucial that patches are applied as cybercriminals will for sure start writing malware that searches and exploits the non-patched, vulnerable machines” he said. “We have seen many times that the most critical thing is the time between the public notification of a vulnerability and the applying of a fix. Most of the time, the cybercriminals are always a step ahead in the game as patching is not always done in a timely manner.”

TNW’s reached out to Netflix for comment. When we hear back from them, we’ll update this post. In the meantime, if you’d like to read more on how these vulnerabilities work, and how to remedy them, you can read about it on the disclosure website.

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with