SACK Panic: Linux and FreeBSD Kernels Vulnerable to Remote Denial of Service Vulnerabilities (CVE-2019-11477)
On June 17, Netflix published an advisory to its GitHub repository for security bulletins describing its discovery of four Transmission Control Protocol (TCP) networking vulnerabilities in the Linux and FreeBSD kernels. The advisory highlights four separate vulnerabilities, each of which impacts either specific versions of the Linux and FreeBSD kernels or all Linux kernel versions. CVE-2019-11477, which they’ve called “SACK Panic,” is a severe vulnerability that could result in “a remotely-triggered kernel panic on recent Linux kernels.” The remaining vulnerabilities they’ve identified are excess resource consumption or SACK slowness vulnerabilities, which a remote attacker could exploit to hinder system performance, eventually resulting in a denial of service (DoS).
For full details on this advisory, including patching and mitigation details, please visit our blog.