Netflix Finds Bug That Creates Linux Kernel Panic

One of the four security vulnerabilities recently discovered by streaming giant Netflix will throw a server into a Linux kernel panic.

Christine Hall

June 18, 2019


There's a bit of bad news and good news on the Linux security front. The bad news is that four new security vulnerabilities have been found in Linux and FreeBSD, one of them creating a Linux kernel panic. The good news is that the bugs are easily patched, and until patches are applied, workarounds are available.

Security bugs in Linux are typically discovered by researchers at security firms hoping to publicly prove their moxie. This time, however, the announcement comes from Netflix's engineering manager, Jonathan Looney. Evidently the streaming service wants to make sure that nothing stops its customers from binge watching the latest season of "Designated Survivor."

According to a post by Netflix on GitHub, these are all TCP networking vulnerabilities in the FreeBSD and Linux kernels, centering on minimum segment size (MSS) handling and TCP Selective Acknowledgement (SACK) processing. None of the vulnerabilities appear to put data at risk; their impact is availability.

The worst of these vulnerabilities, CVE-2019-11477 or "SACK Panic," is an integer overflow that affects all Linux kernels since 2.6.29, that is, every version of Linux released since March 2009. As the name suggests, an attacker can use a crafted sequence of SACKs to trigger a Linux kernel panic, which requires a reboot to recover from.

Another bug, CVE-2019-11478, actually covers two related problems. "Excess Resource Usage" affects all versions of Linux and makes it possible for an attacker to send a crafted sequence of SACKs that fragments the TCP retransmission queue. "SACK Slowness," which affects kernel versions released prior to 4.15, builds on that same fragmentation: once the queue is fragmented, each subsequent SACK received for the same TCP connection forces a walk of the resulting linked list.

A similar vulnerability, CVE-2019-5599, also called "SACK Slowness," affects FreeBSD 12 when it uses the RACK TCP stack.

The final bug, CVE-2019-11479, or "Excess Resource Consumption Due to Low MSS Values," affects all Linux versions. An attacker exploiting it can force the Linux kernel to segment its responses into multiple 8-byte TCP segments, drastically increasing the bandwidth required to deliver the same amount of data while also consuming additional CPU and NIC processing power.

The good news about the last one is that the attack requires sustained effort from the attacker, and its impact ends shortly after the attacker stops sending traffic.

Fixes for these issues are already being merged into the kernel and should appear in a kernel point release soon. Workarounds are available on Netflix's GitHub advisory page.
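As an added, report-only example (not code from the article, from Netflix or from the kernel project), the following POSIX shell script applies the version thresholds quoted above to the local host and says which of the four issues it may still be exposed to. It assumes the workarounds documented in Netflix's advisory, namely disabling SACK through the net.ipv4.tcp_sack sysctl and filtering low-MSS connections at the firewall with the iptables tcpmss match; it reads state and changes nothing. A version comparison alone cannot tell whether a distribution has backported the fix, so treat the output as a prompt to verify against your vendor's errata, not as a verdict.

```shell
#!/bin/sh
# Added example, not the article's or Netflix's code. Assumptions: workarounds
# are net.ipv4.tcp_sack=0 and an iptables tcpmss filter; this script only reads
# kernel version and sysctl state and applies the article's version thresholds.

# version_lt A B: succeeds when dotted version A sorts before B. Compares the
# first three numeric fields; suffixes such as "-150-generic" are ignored.
version_lt() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        y=$(printf '%s' "$b" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# sack_state: prints the value of net.ipv4.tcp_sack (1 = enabled) or "unknown"
# when the sysctl is not readable (non-Linux host, restricted container).
sack_state() {
    if [ -r /proc/sys/net/ipv4/tcp_sack ]; then
        cat /proc/sys/net/ipv4/tcp_sack
    else
        echo unknown
    fi
}

# assess KVER SACK: prints one finding per line for kernel version KVER with
# SACK state SACK ("1", "0" or "unknown"), using the article's thresholds:
# SACK Panic since 2.6.29, SACK Slowness before 4.15, the rest all versions.
assess() {
    kver="$1"; sack="$2"
    if [ "$sack" = 0 ]; then
        echo "SACK disabled (net.ipv4.tcp_sack=0): CVE-2019-11477 and CVE-2019-11478 SACK paths not reachable"
    else
        if version_lt "$kver" 2.6.29; then
            echo "CVE-2019-11477 (SACK Panic): kernel $kver predates 2.6.29, outside the stated range"
        else
            echo "CVE-2019-11477 (SACK Panic): exposed unless this kernel already carries the fix"
        fi
        echo "CVE-2019-11478 (Excess Resource Usage): exposed unless this kernel already carries the fix"
        if version_lt "$kver" 4.15; then
            echo "CVE-2019-11478 (SACK Slowness): kernel $kver is older than 4.15"
        fi
    fi
    echo "CVE-2019-11479 (low MSS): affects all versions; filter low-MSS connections (iptables -m tcpmss) or patch"
}

# Report for the running host: sh sack-check.sh --report
if [ "${1:-}" = "--report" ]; then
    echo "kernel: $(uname -r)   net.ipv4.tcp_sack: $(sack_state)"
    assess "$(uname -r)" "$(sack_state)"
fi
```

The functions are separated from the host probe so the same assessment can be run against an inventory of kernel versions collected from other machines, which is how a fleet owner would triage before the point release lands.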

About the Author(s)

Christine Hall

Freelance author

Christine Hall has been a journalist since 1971. In 2001 she began writing a weekly consumer computer column and began covering IT full time in 2002, focusing on Linux and open source software. Since 2010 she's published and edited the website FOSS Force. Follow her on Twitter: @BrideOfLinux.
