SACK panic

Netflix has identified several TCP networking vulnerabilities in most common Linux (and FreeBSD) kernels. These flaws could allow a remote attacker to crash or severely slow down a system. No proof of concept exists yet, as far as we know, but that is most likely just a matter of time. More detailed information is in the links below; here are just some quick fixes and workarounds.

The vulnerabilities are known by the following identifiers:
CVE-2019-11477
CVE-2019-11478
CVE-2019-11479
CVE-2019-5599

To test whether SACK is enabled, use

cat /proc/sys/net/ipv4/tcp_sack

A return value of 1 indicates that SACK is enabled.

Solution

Kernel updates are available for most popular distributions. Installation can be as easy as:

sudo apt-get update && sudo apt-get dist-upgrade

for Debian and Ubuntu (apt-get update takes no package argument; the upgrade step pulls in the new kernel package), or

sudo yum update kernel

for Red Hat and CentOS. A reboot will be necessary to activate the update.

Workaround

Although selective acknowledgements make TCP communication more efficient, most systems will work just fine without them.

On systems that use SELinux, start by disabling it temporarily:

sudo setenforce 0

To disable SACK, create a file /etc/sysctl.d/sack_off.conf with the following content:

net.ipv4.tcp_sack = 0
net.ipv4.tcp_dsack = 0
net.ipv4.tcp_fack = 0

and activate the settings using:

sudo sysctl -p /etc/sysctl.d/sack_off.conf

The files in /etc/sysctl.d are read at boot time, so the settings persist across reboots.

Easier

With the settings above in a file, the workaround boils down to the following commands:

sudo setenforce 0
sudo curl https://www.diades.nl/sack_off.conf -o /etc/sysctl.d/sack_off.conf
sudo sysctl -p /etc/sysctl.d/sack_off.conf
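To confirm the workaround actually took effect, here is an added check script (not part of the original post): it parses a sysctl.d fragment such as sack_off.conf, verifies that all three keys are set to 0, and can compare that against the live values under /proc/sys. The function names and the constructed sample file are my own.

```shell
# Verify that a sysctl.d fragment disables SACK/DSACK/FACK (the three
# keys from the workaround above) and, optionally, that the running
# kernel reflects them. Helper script written for this check, not from the page.

# Keys the workaround sets to 0.
SACK_KEYS="net.ipv4.tcp_sack net.ipv4.tcp_dsack net.ipv4.tcp_fack"

# conf_value FILE KEY -> prints the value of KEY in FILE (last match wins;
# lines starting with '#' or ';' are comments), or nothing if absent.
conf_value() {
    # sysctl.d syntax: "key = value" or "key=value"
    sed -e '/^[ \t]*[#;]/d' "$1" | awk -F= -v k="$2" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2) }
        $1 == k { v = $2 }
        END { if (v != "") print v }'
}

# check_sack_conf FILE -> 0 if every key is present and set to 0, 1 otherwise
check_sack_conf() {
    rc=0
    for k in $SACK_KEYS; do
        v=$(conf_value "$1" "$k")
        if [ "$v" != "0" ]; then
            echo "$1: $k is '${v:-unset}', expected 0" >&2
            rc=1
        fi
    done
    return $rc
}

# sack_runtime_status -> 0 if the live kernel has all three keys at 0,
# 1 if any is still enabled, 2 if the /proc entries are not readable here.
sack_runtime_status() {
    rc=0
    for k in $SACK_KEYS; do
        f="/proc/sys/$(echo "$k" | tr . /)"
        [ -r "$f" ] || return 2
        [ "$(cat "$f")" = "0" ] || rc=1
    done
    return $rc
}
```

Run `check_sack_conf /etc/sysctl.d/sack_off.conf && sack_runtime_status` after `sysctl -p`; a non-zero exit from the second call means the file is fine but the kernel has not picked it up.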


Links