
Tencent Cloud issued an announcement stating thatThe Linux kernel has been exposed to a TCP „SACK PANIC“ remote denial of service vulnerability (vulnerability IDs: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479). Attackers can exploit this vulnerability to remotely attack target servers, causing system crashes or service unavailability.
Affected Systems
Currently known affected versions are as follows:
FreeBSD 12 (using RACK TCP stack)
CentOS 5 (Red Hat official support has ended, no patches provided)
CentOS 6
CentOS 7
Ubuntu 18.04 LTS
Ubuntu 16.04 LTS
Ubuntu 19.04
Ubuntu 18.10
Secure Versions
Major Linux distributions have released kernel patches. The detailed kernel fix versions are as follows:
CentOS 6: 2.6.32-754.15.3
CentOS 7: 3.10.0-957.21.3
Ubuntu 18.04 LTS: 4.15.0-52.56
Ubuntu 16.04 LTS: 4.4.0-151.178
FreeBSD: The FreeBSD image officially provided by Tencent Cloud is not affected by this vulnerability by default, so feel free to use it.
So for the security of your website, upgrade the server kernel as soon as possible. Naiba uses CentOS 7. The method to fix this "SACK PANIC" remote denial of service vulnerability is as follows:
Fix Method for CentOS 6/7
1) yum clean all && yum makecache, update the software source;
2) yum update kernel -y, update the current kernel version;
3) reboot, restart the system after update to take effect;
4) uname -a, check if the current version is the [secure version] above. If so, the fix is successful.
Fix Method for Ubuntu 16.04/18.04 LTS
1) sudo apt-get update && sudo apt-get install linux-image-generic, update the software source and install the new kernel version;
2) sudo reboot, restart the system after update to take effect;
3) uname -a, check if the current version is the [secure version]. If so, the fix is successful.
Temporary Mitigation Method
If users cannot reboot to apply the kernel patch, they can disable the kernel SACK configuration to prevent vulnerability exploitation (may affect network performance). Run the following commands:
1) echo net.ipv4.tcp_sack = 0 >> /etc/sysctl.conf, disable SACK configuration;
2) sysctl -p, reload configuration to take effect.
Method to Upgrade to the New Kernel Version and Enable BBR
Because Naiba had already upgraded to kernel 5.1.4 and enabled BBR, the method provided by Tencent Cloud to upgrade to kernel 3.10.0-957.21.3 is clearly not suitable.
Then I checked the vulnerability release date was June 17, and the new kernel version for CentOS 7 is 5.1.12, updated on 2019-06-19, so this vulnerability should have been patched. Just upgrade the kernel to 5.1.12 and enable BBR again.
For detailed tutorial, refer to the previous article:Tutorial for Installing the New Kernel and BBR Acceleration for WordPress on CentOS 7