Linux and FreeBSD users have a SACK of new vulnerabilities to worry about, as four new CVEs describe selective acknowledgement (SACK) and excess resource consumption vulnerabilities that can bring a system to a standstill from a denial of service attack.
Three of the CVEs — CVE-2019-11477, CVE-2019-11478, and CVE-2019-5599 — deal with a variety of different SACKs that can hit various Linux distributions and FreeBSD 12 using the RACK TCP Stack. In each case, a carefully crafted selective acknowledgement can trigger an issue that could lead to slowed performance, denial of service, or a kernel panic.
The fourth CVE, CVE-2019-11479, describes a vulnerability stemming from a hard-coded maximum segment size (MSS) that can result in a higher number of fragmented packets than normal. This issue for all Linux versions could be exploited to cause increased resource consumption in the CPU and network controller, with system slowdown or denial of service as the result.
Because of the nature of the Linux and FreeBSD communities, vendors and open-source projects are in various stages of releasing patches for these vulnerabilities. Users should contact their system provider to see whether a patch is already available for the distribution in use.