Recently, TCP networking vulnerabilities have been discovered in FreeBSD and Linux kernels by Netflix.

There are three flaws: one is rated Important (CVE-2019-11477) and two are rated Moderate (CVE-2019-11478 and CVE-2019-11479).

What is the problem?

The flaws involve the Maximum Segment Size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. The most dangerous of them, TCP SACK Panic, allows a remote attacker to trigger a kernel panic on Linux kernels. You can find the detailed description here.

When will the CloudLinux OS 6 & 7 kernels be patched?

We are going to release patches fixing the TCP SACK Panic vulnerabilities for CloudLinux OS 6 & 7 to Beta tomorrow and to Stable on the upcoming Monday.

How to mitigate?

Red Hat specialists propose two mitigation options for the CVE-2019-11477 and CVE-2019-11478 flaws: "disable the vulnerable component, or use iptables to drop connections with an MSS size". You can find the details here (Resolve tab, Mitigation section).
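As an added illustration of those two options (example code, not CloudLinux's or Red Hat's own tooling), the POSIX shell helper below reports whether SACK processing is already disabled on a host and prints, without applying, the sysctl and iptables commands for each mitigation. The sysctl file path argument and the 500-byte MSS threshold used as a default are assumptions of this example; take the real threshold from Red Hat's advisory.

```shell
#!/bin/sh
# Constructed audit helper for the SACK Panic mitigations; not vendor tooling.

# Report whether SACK is disabled. Takes the sysctl file path as an argument
# (assumption for this example) so a copied file can be checked offline.
sack_state() {
    sysctl_file="${1:-/proc/sys/net/ipv4/tcp_sack}"
    [ -r "$sysctl_file" ] || { echo "unknown"; return 2; }
    if [ "$(cat "$sysctl_file")" = "0" ]; then
        echo "mitigated"    # SACK off: the vulnerable code path is unreachable
        return 0
    fi
    echo "vulnerable"       # SACK still on; relies on the kernel being patched
    return 1
}

# Option 1: print the sysctl command that disables the vulnerable component.
sack_disable_cmd() {
    printf 'sysctl -w net.ipv4.tcp_sack=0\n'
}

# Option 2: print the iptables rule that drops new connections whose SYN
# advertises an MSS of at most $1 bytes. 500 is this example's assumed default.
mss_drop_rule() {
    max_mss="${1:-500}"
    printf 'iptables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:%s -j DROP\n' "$max_mss"
}

# Print the audit result and the recommended commands when run as "audit".
main() {
    state=$(sack_state) || true
    echo "SACK state: $state"
    if [ "$state" != "mitigated" ]; then
        echo "Apply one of:"
        echo "  $(sack_disable_cmd)"
        echo "  $(mss_drop_rule 500)"
    fi
}

[ "${1:-}" = "audit" ] && main
```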