UPDATED 22:37 EST / JUNE 18 2019

SECURITY

Patch now: Netflix engineer identifies serious security flaws in Linux and FreeBSD

An engineer at Netflix Inc. has discovered a number of previously unknown serious security flaws in Linux and FreeBSD that can leave servers vulnerable to denial of services attacks and other forms of attack.

Detailed Monday by Jonathan Looney of Netflix Information Security on GitHub, the most critical of the vulnerabilities discovered is known as SACK Panic. Found in Linux from versions 2.6.29 and higher, the vulnerability would allow an attacker to remotely induce kernel panic.

SACK, for Selective Acknowledgment, is a mechanism that allows a computer on the receiving end of a communication to apprise the sender of what segments have been successfully sent so that any lost ones can be resent, according to Ars Technica. In this case, an attacker can send specifically crafted code to a server running Linux and the vulnerability can cause it to crash as a result of what’s known as a kernel panic.

“In the worst-case scenario, a single hacker could exploit this vulnerability to bring down any corporate service that uses Linux,” David Atkinson, chief executive officer of Senseon, told CBR. “Until they are patched, millions of companies and products are vulnerable. This also increases the risk of a coordinated nation-state attack. There are at least 8 million public-facing services using Linux.”

The second and third vulnerabilities, dubbed SACK Slowness, covers Linux from versions 4.15 and up as well as FreeBSD 12 using the RACK TCP Stack. As the name suggests, an attacker can craft code that fragments a data queue, causing a targeted system to slow down.

The fourth vulnerability applies to all versions of Linux. While not coming with a catchy name, in this case “Excess Resource Consumption Due to Low MSS Values,” the vulnerability can allow an attacker to force the Linux kernel to segment its responses. That increases the bandwidth required to deliver the same amount of data while also consuming additional processing power.

Those running Linux or FreeBSD 12 are strongly encouraged to apply patches that address the vulnerabilities. Those patches are available on GitHub here.

Photo: Hadrien Sayf/Wikimedia Commons

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU