Netflix researchers have recently disclosed several TCP networking vulnerabilities in the FreeBSD and Linux kernels.
What is the problem?
The flaws involve the handling of the Maximum Segment Size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. The most dangerous of them, TCP SACK PANIC (CVE-2019-11477), allows a remote attacker to trigger a kernel panic on a Linux host. You can find the detailed description here.
When will the CloudLinux OS 6 & 7 kernels be patched?
We are going to release kernels with the fix for the TCP SACK PANIC vulnerabilities for CloudLinux OS 6 & 7 to Beta tomorrow and to Stable on the upcoming Monday.
How to mitigate?
Red Hat specialists propose two mitigation options for the CVE-2019-11477 and CVE-2019-11478 flaws: "disable the vulnerable component, or use iptables to drop connections with a low MSS size". You can find the details here (Resolve tab, Mitigation section).
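The two Red Hat mitigations, written out as a small POSIX shell script. This is an added example, not CloudLinux's kernel fix and not a script from the Red Hat article: option 1 turns SACK off system-wide (net.ipv4.tcp_sack=0), option 2 drops incoming SYN segments that advertise a very small MSS. The MSS cut-off of 500 and the sysctl drop-in file name 99-tcpsack.conf are assumptions, and the functions take paths and thresholds as parameters so the checks can be exercised without root.

```shell
#!/bin/sh
# Added example for the two Red Hat mitigations; not CloudLinux's or Red Hat's code.
# Assumptions: an MSS threshold of 500 and the drop-in file name below.

SACK_KNOB=/proc/sys/net/ipv4/tcp_sack
SYSCTL_DROPIN=/etc/sysctl.d/99-tcpsack.conf

# Return 0 when the file holding the tcp_sack knob reads "0" (SACK disabled).
# The path is a parameter so the check can run against a copy of the knob.
sack_disabled_in() {
    [ "$(tr -d '[:space:]' < "$1")" = "0" ]
}

# Option 1: disable SACK for the running kernel and persist it across reboots.
# Caveat: SACK off can reduce TCP throughput on lossy links.
disable_sack() {
    sysctl -w net.ipv4.tcp_sack=0
    printf 'net.ipv4.tcp_sack = 0\n' > "$SYSCTL_DROPIN"
}

# Option 2: the rule matching SYN segments whose MSS is 1..threshold (default 500).
# Printed as a string so the same text serves both -C (check) and -I (insert).
mss_rule_args() {
    printf '%s' "INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:${1:-500} -j DROP"
}

# Insert the rule at the top of INPUT for IPv4 and IPv6 unless already present.
# These rules are not persistent; save them (iptables-save, firewalld direct
# rules) if they must survive a reboot.
add_mss_filter() {
    rule=$(mss_rule_args "$1")
    for tool in iptables ip6tables; do
        # word-splitting of $rule into separate arguments is intended
        "$tool" -C $rule 2>/dev/null || "$tool" -I $rule
    done
}

# Usage: run with "apply" as root to enable both mitigations;
# without arguments only report the current SACK state.
case "${1:-report}" in
    apply)  disable_sack && add_mss_filter ;;
    report) if [ -r "$SACK_KNOB" ] && sack_disabled_in "$SACK_KNOB"; then
                echo "SACK is disabled"
            else
                echo "SACK is enabled (or $SACK_KNOB is not readable)"
            fi ;;
esac
```

Both options are stop-gaps until the patched kernel is installed: the sysctl change alters TCP behaviour for every connection, and the MSS filter only blocks the attack variant that relies on a small advertised MSS, so re-enable SACK and drop the rule once the fixed kernel is running.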
- TCP SACK PANIC—Kernel vulnerabilities: CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479
- Netflix security-bulletins