UPDATED 22:37 EDT / JUNE 18 2019

Patch now: Netflix engineer identifies serious security flaws in Linux and FreeBSD

An engineer at Netflix Inc. has discovered a number of previously unknown serious security flaws in Linux and FreeBSD that can leave servers vulnerable to denial-of-service attacks and other forms of attack.

Detailed on Monday by Jonathan Looney of Netflix Information Security on GitHub, the most critical of the vulnerabilities discovered is known as SACK Panic. Present in Linux from version 2.6.29 onward, the vulnerability allows an attacker to remotely induce a kernel panic.

SACK, for Selective Acknowledgment, is a mechanism that allows a computer on the receiving end of a communication to tell the sender which segments have arrived successfully, so that only the lost ones need to be resent, according to Ars Technica. In this case, an attacker can send specially crafted packets to a server running Linux, and the vulnerability can cause it to crash as a result of what’s known as a kernel panic.

“In the worst-case scenario, a single hacker could exploit this vulnerability to bring down any corporate service that uses Linux,” David Atkinson, chief executive officer of Senseon, told CBR. “Until they are patched, millions of companies and products are vulnerable. This also increases the risk of a coordinated nation-state attack. There are at least 8 million public-facing services using Linux.”

The second and third vulnerabilities, dubbed SACK Slowness, cover Linux from version 4.15 and up as well as FreeBSD 12 using the RACK TCP stack. As the name suggests, an attacker can craft packets that fragment a data queue, causing the targeted system to slow down.

The fourth vulnerability applies to all versions of Linux. It lacks a catchy name, being titled simply “Excess Resource Consumption Due to Low MSS Values,” but it can allow an attacker to force the Linux kernel to split its responses into many small segments. That increases the bandwidth required to deliver the same amount of data while also consuming additional processing power.
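Both the SACK issues and the low-MSS issue hinge on fields carried in TCP options, so a defender looking at captured traffic needs to read those options. The following parser is an added example written for this article, not code from Netflix or the kernel projects; the 500-byte MSS threshold and the sample option bytes are constructed for illustration.

```python
"""Parse TCP options and flag what the issues above hinge on: a very low MSS
(kind 2) and SACK blocks (kind 5). Added example; option bytes are constructed."""
import struct

MSS_KIND, SACK_PERMITTED_KIND, SACK_KIND = 2, 4, 5
LOW_MSS_THRESHOLD = 500  # assumption for illustration, not from the article


def parse_tcp_options(raw: bytes) -> dict:
    """Walk the (kind, length, data) option list and return what was found."""
    found = {"mss": None, "sack_permitted": False, "sack_blocks": []}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:            # End-of-option-list: nothing more to read
            break
        if kind == 1:            # NOP, used only for padding
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"bad option length {length} for kind {kind}")
        body = raw[i + 2:i + length]
        if kind == MSS_KIND and length == 4:
            found["mss"] = struct.unpack("!H", body)[0]
        elif kind == SACK_PERMITTED_KIND:
            found["sack_permitted"] = True
        elif kind == SACK_KIND and (length - 2) % 8 == 0:
            for off in range(0, len(body), 8):   # each block: left edge, right edge
                found["sack_blocks"].append(struct.unpack("!II", body[off:off + 8]))
        i += length
    return found


def assess(found: dict) -> list:
    """Defender-side observations worth logging for a parsed option set."""
    notes = []
    if found["mss"] is not None and found["mss"] < LOW_MSS_THRESHOLD:
        notes.append(f"low MSS {found['mss']} (< {LOW_MSS_THRESHOLD})")
    for left, right in found["sack_blocks"]:
        if right <= left:        # a SACK block must cover a non-empty range
            notes.append(f"malformed SACK block {left}-{right}")
    return notes

# Constructed samples: a SYN advertising MSS 48 with SACK permitted, and an
# ACK carrying one SACK block covering sequence numbers 1000-1999.
SYN_OPTS = bytes([2, 4, 0, 48, 1, 1, 4, 2])
ACK_OPTS = bytes([1, 1, 5, 10]) + struct.pack("!II", 1000, 2000)
```

Running `assess(parse_tcp_options(SYN_OPTS))` reports the 48-byte MSS, while the ACK sample parses to a single well-formed SACK block and produces no findings.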

Those running Linux or FreeBSD 12 are strongly encouraged to apply patches that address the vulnerabilities. Those patches are available on GitHub here.

Photo: Hadrien Sayf/Wikimedia Commons
