Red Hat reported yesterday that it had identified three major vulnerabilities in the Linux kernel. The three related flaws, CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479, lie in the Linux kernel's handling of TCP networking.
The most serious of the three could allow a remote attacker to crash the kernel on systems running an affected package and thereby affect system stability.
Red Hat explained yesterday that the three related flaws were found in the Linux kernel's handling of TCP Selective Acknowledgment (SACK) packets with a low MSS size.
For the time being the impact is believed to be limited to denial of service; no privilege escalation or information leak is currently suspected for any of the three vulnerabilities.
The company rates CVE-2019-11477 as being of significant severity, while CVE-2019-11478 and CVE-2019-11479 are rated moderate severity.
The first two vulnerabilities relate to Selective Acknowledgment (SACK) packets combined with the maximum segment size (MSS); the third relates to the maximum segment size (MSS) alone.
TCP Selective Acknowledgment (SACK) is a mechanism by which the receiver of the data can inform the sender of every segment it has accepted.
This lets the sender retransmit only the segments of the stream that are missing from the receiver's reported set. With TCP SACK disabled, a far larger set of retransmissions is needed to resend an entire sequence.
The maximum segment size (MSS) is a parameter set in the TCP header of a packet that specifies the total amount of data contained in a reconstructed TCP segment.
Because packets can be fragmented in transit over different routes, a host should set the MSS to the largest IP datagram payload it can handle.
Very large MSS values can cause a packet stream to be fragmented on its way to the destination, while smaller segments reduce fragmentation at the cost of wasted header overhead.
Operating systems and transport types use default MSS values.
An attacker with privileged access can craft raw packets carrying MSS options designed specifically for this attack.
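As an added illustration (not code from the article or from Red Hat), the following Python parses the option field of a TCP header and reports the MSS it advertises, which is the value a defender would inspect when looking for abnormally small segment sizes on incoming SYNs. The option kinds are the standard ones from RFC 793 and RFC 2018; the sample SYN header is constructed inline, its ports, sequence numbers and checksum are arbitrary, and the 500-byte threshold is an assumed policy value rather than one taken from the article.

```python
import struct

# Standard TCP option kinds (RFC 793 and RFC 2018).
OPT_END = 0
OPT_NOP = 1
OPT_MSS = 2
OPT_SACK_PERMITTED = 4

# Assumed threshold below which an advertised MSS is treated as suspicious.
# Tune to local policy; it is an illustration value, not from the article.
LOW_MSS_THRESHOLD = 500


def parse_tcp_options(tcp_header: bytes) -> dict:
    """Parse the options of a TCP header given as raw bytes.

    Returns {"mss": value or None, "sack_permitted": bool}. Raises
    ValueError on a header that is too short or carries a malformed option.
    """
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than the 20-byte fixed part")
    data_offset = (tcp_header[12] >> 4) * 4      # header length in bytes
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("invalid data offset")
    options = tcp_header[20:data_offset]
    result = {"mss": None, "sack_permitted": False}
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == OPT_END:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("malformed option length")
        body = options[i + 2:i + length]
        if kind == OPT_MSS and length == 4:
            result["mss"] = struct.unpack("!H", body)[0]
        elif kind == OPT_SACK_PERMITTED and length == 2:
            result["sack_permitted"] = True
        i += length
    return result


def is_low_mss(tcp_header: bytes, threshold: int = LOW_MSS_THRESHOLD) -> bool:
    """True if the header carries an MSS option below the threshold."""
    mss = parse_tcp_options(tcp_header)["mss"]
    return mss is not None and mss < threshold


def build_syn_header(mss: int, sack_permitted: bool = True) -> bytes:
    """Build a minimal TCP SYN header as constructed sample input (not a
    captured packet; ports, numbers and checksum are arbitrary)."""
    options = struct.pack("!BBH", OPT_MSS, 4, mss)
    if sack_permitted:
        options += bytes([OPT_SACK_PERMITTED, 2])
    while len(options) % 4:                       # pad to a 32-bit boundary
        options += bytes([OPT_END])
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH",
                        40000, 80,                # source and destination port
                        1000, 0,                  # sequence and acknowledgment number
                        data_offset << 4, 0x02,   # header length, SYN flag
                        65535, 0, 0)              # window, checksum (not computed), urgent pointer
    return fixed + options


if __name__ == "__main__":
    for sample_mss in (1460, 100):
        hdr = build_syn_header(sample_mss)
        print(parse_tcp_options(hdr), "low MSS:", is_low_mss(hdr))
```

Fed with the TCP header bytes of a captured SYN, the parser gives the advertised MSS and whether SACK was negotiated; the malformed-option checks matter because an option field that claims a length running past the header is itself a sign of something hand-built.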
Each TCP segment has a sequence number (SEQ) and an acknowledgment number (ACK). These SEQ and ACK numbers are used to determine which segments the receiver has successfully received; the ACK number indicates the next segment the receiver expects. Red Hat's advisory provides an example to illustrate this.
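To make the SEQ/ACK/SACK bookkeeping described above concrete, here is an added Python model of a receiver that tracks the byte ranges that have arrived, computes the cumulative ACK and the SACK blocks it would advertise, and compares how much a sender must retransmit with and without SACK. It is a teaching model written for this page, not kernel code and not Red Hat's example; the segment sizes, sequence numbers and loss pattern are constructed.

```python
from typing import List, Set, Tuple

Segment = Tuple[int, int]   # (sequence number, payload length in bytes)
Range = Tuple[int, int]     # [start, end) byte range


class Receiver:
    """Receive side of one TCP connection, reduced to what the article
    describes: which byte ranges have arrived, the cumulative ACK, and
    the SACK blocks the receiver would advertise. Constructed teaching
    model, not kernel code."""

    def __init__(self, initial_seq: int) -> None:
        self.next_expected = initial_seq       # the ACK number to send
        self.out_of_order: List[Range] = []    # disjoint, sorted ranges above the ACK point

    def deliver(self, seq: int, length: int) -> None:
        """Record arrival of the bytes [seq, seq + length)."""
        start, end = seq, seq + length
        merged: List[Range] = []
        for s, e in self.out_of_order:
            if e < start or s > end:           # neither overlapping nor adjacent
                merged.append((s, e))
            else:                              # overlapping or adjacent: coalesce
                start, end = min(s, start), max(e, end)
        merged.append((start, end))
        merged.sort()
        self.out_of_order = merged
        # Advance the cumulative ACK across every range now contiguous with it.
        while self.out_of_order and self.out_of_order[0][0] <= self.next_expected:
            _, e = self.out_of_order.pop(0)
            self.next_expected = max(self.next_expected, e)

    def ack(self) -> int:
        """Cumulative ACK: the next byte the receiver expects."""
        return self.next_expected

    def sack_blocks(self) -> List[Range]:
        """Ranges received beyond the ACK point, as carried in SACK options."""
        return list(self.out_of_order)


def segments_to_retransmit(sent: List[Segment], rx: Receiver, use_sack: bool) -> List[Segment]:
    """Segments the sender must resend given the receiver's ACK and, if
    use_sack, its SACK blocks. Without SACK the sender only knows the
    cumulative ACK, so everything at or beyond it is unconfirmed."""
    ack = rx.ack()
    blocks = rx.sack_blocks() if use_sack else []
    missing = []
    for seq, length in sent:
        if seq + length <= ack:
            continue                                    # confirmed by the cumulative ACK
        if any(s <= seq and seq + length <= e for s, e in blocks):
            continue                                    # confirmed by a SACK block
        missing.append((seq, length))
    return missing


def simulate(lost: Set[int], count: int = 10, mss: int = 100, first_seq: int = 1000) -> dict:
    """Send `count` segments of `mss` bytes, drop those whose sequence
    number is in `lost`, and report what the sender learns either way."""
    sent = [(first_seq + mss * i, mss) for i in range(count)]
    rx = Receiver(first_seq)
    for seq, length in sent:
        if seq not in lost:
            rx.deliver(seq, length)
    return {
        "ack": rx.ack(),
        "sack": rx.sack_blocks(),
        "retransmit_with_sack": segments_to_retransmit(sent, rx, True),
        "retransmit_without_sack": segments_to_retransmit(sent, rx, False),
    }


if __name__ == "__main__":
    for key, value in simulate(lost={1200, 1600}).items():
        print(f"{key}: {value}")
```

Dropping one 100-byte segment out of ten leaves the ACK stuck at the hole while the SACK block reports everything after it, so a SACK-capable sender resends one segment where a cumulative-ACK-only sender would resend eight.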
Red Hat has published a long list of products affected by these three vulnerabilities. The main affected products are:
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 5
- Red Hat Atomic Host
- Red Hat Enterprise MRG 2
- Red Hat OpenShift Container Platform 4 (RHEL CoreOS)
- Red Hat OpenShift Online
- Red Hat OpenShift Dedicated (and dependent services)
- OpenShift on Azure (ARO)
- Red Hat OpenStack Platform (Shipping Image Kernel)
- Red Hat Virtualization (RHV-H)
Secondary affected products:
- Red Hat Virtualization (RHV)
- Red Hat OpenStack Platform
- Red Hat OpenShift Container Platform 3
According to the company, although kernel vulnerabilities do not directly affect Red Hat Linux containers, container security depends on the integrity of the host kernel environment.
Red Hat recommends using the latest versions of your container images. The Container Health Index, part of the Red Hat Container Catalog, can be used to determine the security state of Red Hat containers.
To protect the confidentiality of the containers in use, ensure that the container host (such as Red Hat Enterprise Linux, CoreOS, or Atomic Host) has been updated against these vulnerabilities.
In the Linux kernel, the issues are fixed in versions 4.4.182, 4.9.182, 4.14.127, 4.19.52 and 5.1.11.
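As an added helper (not from the article or from Red Hat), this Python checks a kernel release string against the fixed versions listed above. It assumes an upstream stable kernel: distribution kernels such as Red Hat's backport fixes while keeping an older version number, so for those the vendor's package version and advisory, not this comparison, is authoritative. Series newer than every listed branch are assumed fixed, on the basis that the patches were merged upstream ahead of those releases. The sample release strings are constructed.

```python
import platform
import re
from typing import Optional, Tuple

# Upstream stable releases in which the three fixes shipped, as listed above.
FIXED_VERSIONS = [(4, 4, 182), (4, 9, 182), (4, 14, 127), (4, 19, 52), (5, 1, 11)]


def parse_kernel_release(release: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from a `uname -r` style string.

    Distribution suffixes such as '-generic' or '-1-amd64' are ignored;
    a missing patch level is read as 0.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def upstream_fix_status(release: str) -> Optional[bool]:
    """Compare a release against the fixed version of its stable series.

    Returns True if the release is at or above the fix for its series,
    False if it is below it, and None when the series is not one of the
    listed stable branches (for example a 3.10.x distribution kernel,
    where the fix is backported and only the vendor package version
    tells you). Series newer than every listed branch are assumed fixed
    (assumption: the patches reached mainline before those releases).
    """
    major, minor, patch = parse_kernel_release(release)
    for fmajor, fminor, fpatch in FIXED_VERSIONS:
        if (major, minor) == (fmajor, fminor):
            return patch >= fpatch
    newest_major, newest_minor, _ = max(FIXED_VERSIONS)
    if (major, minor) > (newest_major, newest_minor):
        return True
    return None


def check_running_kernel() -> str:
    """Human-readable verdict for the kernel this script is running on."""
    if platform.system() != "Linux":
        return "not running on Linux; nothing to check"
    release = platform.release()
    status = upstream_fix_status(release)
    if status is True:
        return f"{release}: at or above the upstream fix for its series"
    if status is False:
        return f"{release}: below the upstream fix for its series, update needed"
    return f"{release}: not an upstream stable series listed here, check the vendor advisory"


if __name__ == "__main__":
    print(check_running_kernel())
```

Run directly it reports on the local kernel; the None outcome is the important one on Red Hat systems, where the running kernel's version number says nothing about whether the backport is installed.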