TCP SACK PANIC: New remote attack vector on the Linux kernel

Netflix staff have discovered some security issues in the Linux kernel network stack that are suitable for denial-of-service attacks. These vulnerabilities are also relevant to IoT applications.

Netflix IT specialists found four security holes in the network stack of the Linux and FreeBSD kernel. A void of this (CVE-2019-11477, "SACK Panic") is also considered problematic for IoT applications, as it may, under certain circumstances, be used to remotely attack remote IoT devices by remote access a kernel panic is provoked.
When we trigger a kernel panic, the operating system may go into a state where it is no longer executable. The affected device in which the Linux is located can then no longer perform its tasks and thus denies its service - a so-called Denial of Service (DoS).

The CVE-2019-11477 hole, which is included in the Linux kernel from version 2.6.29 upwards, is considered by RedHat to be "important". Affected systems should be patched at short notice.
The other three holes - CVE-2019-11478, CVE-2019-11479, and CVE-2019-5599 can be used by attackers to consume disproportionate system resources of the devices. This is considered less dramatic for IoT devices unless they are also used for control tasks. Under certain conditions, they could also be used for DoS attacks. All four gaps are related to the "Selective Acknowledgment" mechanism (SACK) for TCP connections, or to the "Maximum Segment Size" (MSS) of TCP connections.


Netflix IT specialists have already released some patches on the described vulnerabilities, which have already been implemented by the major Linux distributions. For IoT devices, however, the patches must be implemented and distributed by the manufacturers of the firmware itself.

The upcoming updates for ELFIN's products will be marked as 'Security Update'. If you carry out the maintenance of the ELFIN IoT devices yourself, please update the firmware as soon as possible.

Related Links

An overview of the four gaps along with information on the affected kernel versions is provided by an advisory published by Netflix.

RedHat has published a detailed explanation of the purpose of SACK and MSS in connection with the current issues.