Tencent Cloud issued an announcement stating that
A TCP "SACK PANIC" remote denial-of-service vulnerability has been disclosed in the Linux kernel (vulnerability IDs: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479). Attackers can exploit it to remotely attack target servers, causing system crashes or service unavailability.
Affected Systems
Currently known affected versions are as follows:
FreeBSD 12 (using the RACK TCP stack)
CentOS 5 (Red Hat official support has ended; no patch will be provided)
CentOS 6
CentOS 7
Ubuntu 18.04 LTS
Ubuntu 16.04 LTS
Ubuntu 19.04
Ubuntu 18.10
Secure Versions
Major Linux distribution vendors have released kernel patches. The fixed kernel versions are as follows:
CentOS 6: 2.6.32-754.15.3
CentOS 7: 3.10.0-957.21.3
Ubuntu 18.04 LTS: 4.15.0-52.56
Ubuntu 16.04 LTS: 4.4.0-151.178
FreeBSD: the FreeBSD images provided by Tencent Cloud are not affected by this vulnerability by default, so you can keep using them.
So, for the security of your site, upgrade your server kernel as soon as possible. Naiba uses CentOS 7; the procedure for fixing this "SACK PANIC" remote denial-of-service vulnerability is as follows:
Fix Method for CentOS 6/7
1) yum clean all && yum makecache, to refresh the package repository cache;
2) yum update kernel -y, to update the kernel;
3) reboot, so that the new kernel takes effect;
4) uname -a, and check that the running version matches the one listed under [Secure Versions] above. If it does, the fix has been applied.
Fix Method for Ubuntu 16.04/18.04 LTS
1) sudo apt-get update && sudo apt-get install linux-image-generic, to refresh the package index and install the new kernel;
2) sudo reboot, so that the new kernel takes effect;
3) uname -a, and check that the running version matches the one listed under [Secure Versions]. If it does, the fix has been applied.
Temporary Mitigation Method
If you cannot reboot right away to apply the kernel update, you can instead disable SACK in the kernel to prevent exploitation (this may have some impact on network performance). Run the following commands:
1) echo "net.ipv4.tcp_sack = 0" >> /etc/sysctl.conf, to disable SACK in the persistent configuration;
2) sysctl -p, to reload the configuration so that it takes effect.
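The two procedures above both end with "look at uname -a and compare by eye", which breaks down as soon as the box runs a kernel from somewhere other than the distribution, exactly the situation with an ELRepo kernel-ml 5.1.x on CentOS 7: its version number cannot be compared with the 3.10.0-957.21.3 baseline at all. The script below is an added example, not part of the Tencent Cloud announcement or of Naiba's article. It picks the right baseline for the kernel family (the CentOS 6/7 builds listed above; 5.1.11, the upstream stable release that carried the fix, for a 5.1-series ELRepo kernel; "unknown" otherwise rather than a guess), compares version fields numerically, and reports the SACK mitigation state. The file name sack_check.sh and the function names are my own. It also carries a caveat the announcement omits: net.ipv4.tcp_sack=0 blocks CVE-2019-11477 and CVE-2019-11478 only; CVE-2019-11479 (resource exhaustion via a tiny MSS) needs the kernel fix or an iptables rule dropping SYNs with an MSS below 500, which apply_mitigation adds alongside the sysctl change.

```shell
#!/bin/sh
# sack_check.sh: added example (not from the Tencent Cloud announcement).
# Checks the running kernel against the fixed build for its kernel family
# and reports whether the temporary SACK mitigation is active.
# Usage: sh sack_check.sh          (apply_mitigation is never run automatically)

# version_ge A B: succeed when A >= B. Numeric fields are compared left to
# right and separators are ignored, so "3.10.0-957.21.3.el7.x86_64" >=
# "3.10.0-957.21.3" holds and "3.10.0-957.12.2.el7.x86_64" does not.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, /[^0-9]+/); nb = split(b, B, /[^0-9]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# fixed_baseline RELEASE: print the first fixed version for RELEASE's kernel
# family, or fail when this script has no baseline for it. ELRepo patterns
# come first because an ELRepo release string also contains ".el7.".
fixed_baseline() {
    case "$1" in
        5.1.*elrepo*) echo "5.1.11" ;;           # upstream stable fix (assumed baseline for kernel-ml 5.1)
        *elrepo*)     return 1 ;;                # other ELRepo series: no baseline known here
        *.el6.*)      echo "2.6.32-754.15.3" ;;  # CentOS 6 distro kernel (Secure Versions above)
        *.el7.*)      echo "3.10.0-957.21.3" ;;  # CentOS 7 distro kernel (Secure Versions above)
        *)            return 1 ;;
    esac
}

# kernel_status RELEASE: print "fixed", "vulnerable" or "unknown".
kernel_status() {
    base=$(fixed_baseline "$1") || { echo unknown; return 0; }
    if version_ge "$1" "$base"; then echo fixed; else echo vulnerable; fi
}

# sack_status VALUE: interpret the value of net.ipv4.tcp_sack. 0 stops
# CVE-2019-11477/11478 at the cost of SACK-based loss recovery, but does
# nothing for CVE-2019-11479, which needs the MSS filter or the kernel fix.
sack_status() {
    if [ "$1" = "0" ]; then
        echo "sack disabled: CVE-2019-11477/11478 mitigated, CVE-2019-11479 still needs the MSS filter"
    else
        echo "sack enabled: no mitigation active"
    fi
}

# apply_mitigation: the announcement's sysctl change plus the MSS filter.
# Needs root. Only the sysctl part is persistent; add the iptables rule to
# your firewall configuration as well so it survives a reboot.
apply_mitigation() {
    sysctl -w net.ipv4.tcp_sack=0
    grep -q '^net.ipv4.tcp_sack' /etc/sysctl.conf || echo "net.ipv4.tcp_sack = 0" >> /etc/sysctl.conf
    # Drop SYNs advertising an MSS of 1..500 (CVE-2019-11479 mitigation).
    iptables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
}

main() {
    rel=$(uname -r)
    echo "kernel $rel: $(kernel_status "$rel")"
    if [ -r /proc/sys/net/ipv4/tcp_sack ]; then
        sack_status "$(cat /proc/sys/net/ipv4/tcp_sack)"
    fi
}

main
```

On a stock CentOS 7 box this prints "kernel 3.10.0-957.21.3.el7.x86_64: fixed" once the yum steps above have been done; on Naiba's ELRepo kernel it reports 5.1.4 as vulnerable and 5.1.12 as fixed, which is the comparison the announcement's baseline cannot make. The iptables rule is the conservative choice: legitimate peers essentially never advertise an MSS below 500, so dropping such SYNs costs nothing in practice.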
Method to Upgrade to the New Kernel Version and Enable BBR
Because Naiba had already upgraded to kernel 5.1.4 and enabled BBR, the method Tencent Cloud provides, upgrading to kernel 3.10.0-957.21.3, clearly does not apply. Given that the vulnerability was published on June 17 and the new kernel 5.1.12 for CentOS 7 has an update date of 2019-06-19, it should already include the patch for this vulnerability. So simply upgrade the kernel to 5.1.12 and then enable BBR again. For the step-by-step instructions, refer to the previous article:
Tutorial for Installing the New Kernel and BBR Acceleration for WordPress on CentOS 7