Home Experience & Tips Sharing Standard Post

Standard Post

How to Fix the Linux TCP „SACK PANIC“ Remote Denial of Service Vulnerability on CentOS 7

Tencent Cloud announced that it detected a TCP „SACK PANIC“ remote denial of service vulnerability in the Linux kernel (vulnerability IDs: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479). Attackers can exploit this vulnerability to remotely attack target servers, causing system crashes or unavailability...

Updated on November 1, 2019 About 3 minutes reading
CentOS7如何修复Linux TCP “SACK PANIC” 远程拒绝服务漏洞

Tencent Cloud issued an announcement stating thatThe Linux kernel has been exposed to a TCP „SACK PANIC“ remote denial of service vulnerability (vulnerability IDs: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479). Attackers can exploit this vulnerability to remotely attack target servers, causing system crashes or service unavailability.

Affected Systems

Currently known affected versions are as follows:
FreeBSD 12 (using RACK TCP stack)
CentOS 5 (Red Hat official support has ended, no patches provided)
CentOS 6
CentOS 7
Ubuntu 18.04 LTS
Ubuntu 16.04 LTS
Ubuntu 19.04
Ubuntu 18.10

Secure Versions

Major Linux distributions have released kernel patches. The detailed kernel fix versions are as follows:
CentOS 6: 2.6.32-754.15.3
CentOS 7: 3.10.0-957.21.3
Ubuntu 18.04 LTS: 4.15.0-52.56
Ubuntu 16.04 LTS: 4.4.0-151.178
FreeBSD: The FreeBSD image officially provided by Tencent Cloud is not affected by this vulnerability by default, so feel free to use it.

So for the security of your website, upgrade the server kernel as soon as possible. Naiba uses CentOS 7. The method to fix this "SACK PANIC" remote denial of service vulnerability is as follows:

Fix Method for CentOS 6/7

1) yum clean all && yum makecache, update the software source;
2) yum update kernel -y, update the current kernel version;
3) reboot, restart the system after update to take effect;
4) uname -a, check if the current version is the [secure version] above. If so, the fix is successful.

Fix Method for Ubuntu 16.04/18.04 LTS

1) sudo apt-get update && sudo apt-get install linux-image-generic, update the software source and install the new kernel version;
2) sudo reboot, restart the system after update to take effect;
3) uname -a, check if the current version is the [secure version]. If so, the fix is successful.

Temporary Mitigation Method

If users cannot reboot to apply the kernel patch, they can disable the kernel SACK configuration to prevent vulnerability exploitation (may affect network performance). Run the following commands:
1) echo net.ipv4.tcp_sack = 0 >> /etc/sysctl.conf, disable SACK configuration;
2) sysctl -p, reload configuration to take effect.

Method to Upgrade to the New Kernel Version and Enable BBR

Because Naiba had already upgraded to kernel 5.1.4 and enabled BBR, the method provided by Tencent Cloud to upgrade to kernel 3.10.0-957.21.3 is clearly not suitable.

Then I checked the vulnerability release date was June 17, and the new kernel version for CentOS 7 is 5.1.12, updated on 2019-06-19, so this vulnerability should have been patched. Just upgrade the kernel to 5.1.12 and enable BBR again.

For detailed tutorial, refer to the previous article:Tutorial for Installing the New Kernel and BBR Acceleration for WordPress on CentOS 7

Rate this article post
Previous Method to Block Fake Baidu Spider Crawling on the Server Continue reading content around the same timeline. Next Solution for WordPress Reporting 503 Error and Website Not Opening View the next related tutorial or experience.

AI Website Building Assistant

🤖
Hello! I am the Naibabiji AI Assistant. How can I help you?
Quick Consultation: