
How to Fix the Linux TCP "SACK PANIC" Remote Denial of Service Vulnerability in CentOS 7

Tencent Cloud issued an announcement stating that it had detected that the Linux kernel is exposed to the TCP "SACK PANIC" remote denial-of-service vulnerability (Vulnerability IDs: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479). Attackers can exploit this vulnerability to remotely attack target servers, causing system crashes or service unavailability.

Affected Systems

Currently known affected versions are as follows:

FreeBSD 12 (using the RACK TCP protocol stack)
CentOS 5 (Red Hat official support has ended, no patches provided)
CentOS 6
CentOS 7
Ubuntu 18.04 LTS
Ubuntu 16.04 LTS
Ubuntu 19.04
Ubuntu 18.10

Secure Version

Major Linux distribution vendors have released kernel patches. The fixed kernel versions are as follows:

CentOS 6: 2.6.32-754.15.3
CentOS 7: 3.10.0-957.21.3
Ubuntu 18.04 LTS: 4.15.0-52.56
Ubuntu 16.04 LTS: 4.4.0-151.178
FreeBSD: The FreeBSD images provided by Tencent Cloud are not affected by this vulnerability by default, so they can be used with confidence.

Therefore, for website security, upgrade your server kernel promptly. Naiba uses CentOS 7. The method to fix this "SACK PANIC" remote denial-of-service vulnerability is as follows:

CentOS 6/7 Fix Method

1) yum clean all && yum makecache, to refresh the software repository cache;
2) yum update kernel -y, to update the current kernel version;
3) reboot, to restart the system after updating so the new kernel takes effect;
4) uname -a, to check whether the running version is the [secure version] listed above. If it is, the fix is successful.

Ubuntu 16.04/18.04 LTS Fix Method

1) sudo apt-get update && sudo apt-get install linux-image-generic, to refresh the software repository and install the new kernel version;
2) sudo reboot, to restart the system after updating so the new kernel takes effect;
3) uname -a, to check whether the running version is the [secure version]. If it is, the fix is successful.

Temporary Mitigation Method

If users cannot conveniently reboot to apply the kernel update, they can instead disable the kernel's SACK support to prevent the vulnerability from being triggered (this may have some impact on network performance). Run the following commands:

1) echo "net.ipv4.tcp_sack = 0" >> /etc/sysctl.conf, to disable SACK;
2) sysctl -p, to reload the configuration so it takes effect.

Method to upgrade to the new kernel version and enable BBR

Because Naiba had already upgraded to kernel 5.1.4 and enabled BBR, the method provided by Tencent Cloud, which upgrades to kernel 3.10.0-957.21.3, is clearly not suitable. The vulnerability was published on June 17th, and the newest CentOS 7 kernel version is 5.1.12, released on 2019-06-19, so it should already contain the patch for this vulnerability. Simply upgrade the kernel to 5.1.12 and then enable BBR again. For the specific steps, refer to the previous article: Tutorial: Installing the New Kernel and BBR Acceleration for WordPress on CentOS 7
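To verify the outcome of the fix steps and the temporary mitigation above, here is an added POSIX shell check (written for this page, not part of the original post or of Tencent Cloud's advisory). It compares a uname -r string against the fixed versions listed above, covers a newer mainline kernel such as 5.1.12, and reports whether the tcp_sack=0 workaround is active; the distro labels, the file name sack_check.sh and the sample release strings are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a host is fixed,
# temporarily mitigated, or still exposed, using the kernel versions listed above.

# Fixed kernel versions from the advisory, keyed by a distro label used only here.
fixed_version() {
    case "$1" in
        centos6)    echo "2.6.32-754.15.3" ;;
        centos7)    echo "3.10.0-957.21.3" ;;
        ubuntu1804) echo "4.15.0-52.56" ;;
        ubuntu1604) echo "4.4.0-151.178" ;;
        *)          return 1 ;;
    esac
}

# Succeeds when kernel release $1 is >= $2, comparing the leading numeric
# fields split on '.' and '-'. Comparison stops at the first non-numeric
# field (el7, elrepo, generic), so "4.15.0-52-generic" counts as >= "4.15.0-52.56":
# uname -r shows the ABI number (52) but not the package revision (.56).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, /[.-]/); nb = split(b, B, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (A[i] ~ /^[0-9]+$/) ? A[i] + 0 : -1
            y = (B[i] ~ /^[0-9]+$/) ? B[i] + 0 : -1
            if (x < 0 || y < 0) break
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# Verdict for a distro label, a uname -r string and the current
# net.ipv4.tcp_sack value: prints fixed, mitigated or vulnerable.
sack_status() {
    distro="$1"; running="$2"; sack="$3"
    fixed="$(fixed_version "$distro")" || { echo "unknown-distro"; return 1; }
    if version_ge "$running" "$fixed"; then
        echo "fixed"
    elif [ "$sack" = "0" ]; then
        echo "mitigated"      # tcp_sack=0 workaround is active; still reboot into a fixed kernel
    else
        echo "vulnerable"
    fi
}

# Live use on a CentOS/Ubuntu host (sack_check.sh is an assumed file name), e.g.:
#   sh sack_check.sh centos7 "$(uname -r)" "$(cat /proc/sys/net/ipv4/tcp_sack)"
if [ $# -ge 3 ]; then
    sack_status "$1" "$2" "$3"
fi
```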
