Netflix warns of several new TCP networking vulnerabilities

The vulnerabilities relate to the MSS and TCP SACK capabilities

Researchers at Netflix have discovered several new TCP networking vulnerabilities targeting the FreeBSD and Linux kernels.

In a public advisory notice, the researchers said these vulnerabilities 'relate to the Maximum Segment Size (MSS) and TCP Selective Acknowledgement (SACK) capabilities'.

The most serious vulnerability, called 'SACKPanic', enables attackers to remotely trigger a kernel panic on recent Linux kernels.

"A sequence of SACKs may be crafted such that one can trigger an integer overflow, leading to a kernel panic," said the researchers.

In a second vulnerability (SACK Slowness), attackers could send a crafted sequence of SACKs that interferes with the TCP retransmission queue.

Attackers targeting Linux kernels prior to 4.15 could leverage fragmented queues to "cause an expensive linked-list walk for subsequent SACKs received for that same TCP connection".

The third vulnerability, also known as SACK Slowness (FreeBSD 12 using the RACK TCP Stack), lets attackers fragment the RACK send map in a similar way to the second flaw.

According to the researchers, attackers can also exploit the send map to "cause an expensive linked-list walk for subsequent SACKs received for that same TCP connection".

Fourth is the "Excess Resource Consumption Due to Low MSS Values (all Linux versions)" flaw, which, according to the researchers, allows attackers to "force the Linux kernel to segment its responses into multiple TCP segments".

The end result is that bandwidth is "drastically" increased to "deliver the same amount of data", while also consuming CPU and NIC processing power. However, as the researchers explained, this requires continued effort from the attacker.
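To put a number on the "same amount of data, more bandwidth" effect of the fourth flaw, the following added example (not from the Netflix advisory or this article) models how many TCP segments and how many bytes on the wire a response needs at a given MSS. The 40-byte IPv4+TCP header size, the 1460-byte "normal" MSS and the 48-byte low MSS are assumed values chosen for illustration.

```python
import math

# Assumed header sizes: IPv4 and TCP headers without options.
IP_HEADER = 20
TCP_HEADER = 20


def segment_count(payload_bytes: int, mss: int) -> int:
    """Number of TCP segments needed to carry payload_bytes at a given MSS."""
    if mss <= 0:
        raise ValueError("MSS must be positive")
    return math.ceil(payload_bytes / mss)


def wire_bytes(payload_bytes: int, mss: int,
               header_bytes: int = IP_HEADER + TCP_HEADER) -> int:
    """Total bytes on the wire: payload plus one IP+TCP header per segment.

    Each extra segment is also one more packet for the kernel and NIC
    to build, checksum and transmit, so the segment count is a proxy
    for the CPU and NIC cost the article mentions.
    """
    return payload_bytes + segment_count(payload_bytes, mss) * header_bytes


def amplification(payload_bytes: int, low_mss: int,
                  normal_mss: int = 1460) -> float:
    """Ratio of wire bytes at a low MSS versus a normal Ethernet-sized MSS."""
    return wire_bytes(payload_bytes, low_mss) / wire_bytes(payload_bytes, normal_mss)


if __name__ == "__main__":
    # Constructed scenario: a 1 MB response, normal MSS vs a very low MSS.
    size = 1_000_000
    for mss in (1460, 48):
        print(f"MSS {mss:>5}: {segment_count(size, mss):>6} segments, "
              f"{wire_bytes(size, mss):>9} bytes on the wire")
    print(f"wire-byte amplification at MSS 48: {amplification(size, 48):.2f}x")
```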

When it comes to mitigating these threats and limiting impact, the researchers said good configuration practices, and system and application coding, can help.

These include:

The researchers added: "There are patches that address most of these vulnerabilities. If patches cannot be applied, certain mitigations will be effective.

"We recommend that affected parties enact one of those described below, based on their environment."