Linux PCs, Servers, Gadgets Can Be Crashed by 'Ping of Death' Network Packets

microchip

Very Senior Member
The Register reports that it is possible to crash network-facing Linux servers, PCs, smartphones and tablets, and gadgets, or slow down their network connections, by sending them a series of maliciously crafted packets. It is also possible to hamper FreeBSD machines with the same attack. Patches and mitigations are available, and can be applied by hand if needed, or you can wait for a security fix to be pushed or offered to your at-risk device. A key workaround is to set /proc/sys/net/ipv4/tcp_sack to 0. At the heart of the drama is a programming flaw dubbed SACK Panic aka CVE-2019-11477: this bug can be exploited to remotely crash systems powered by Linux kernel version 2.6.29 or higher, which was released 10 years ago.

https://www.theregister.co.uk/2019/06/17/linux_tcp_sack_kernel_crash/
 
AFAIK, most routers are vulnerable to this. I already passed on the info to NETGEAR and they opened a security bulletin for it. No idea if/when they'll fix it and how (kernel patch or iptables rules)
 
No, it's a kernel issue. You can send it specially crafted packets and it'll crash
 
No, it's a kernel issue. You can send it specially crafted packets and it'll crash
Correct... any correctly formed frame will crash the kernels..
 
https://isc.sans.edu/forums/diary/What+You+Need+To+Know+About+TCP+SACK+Panic/25046/

My Asus RT-AC68U has SACK enabled and tcpdump confirms some of the points in the SANS diary linked above. What do you guys think about the vulnerability for a router? No proofs-of-concept yet, but eye-opening nonetheless. I saw the SANS article first, then came here once I searched for SACK.
Well...
You are vulnerable if you are using a current Linux system, have selective acknowledgments enabled (a common default) and are using a network card with TCP Segment Offload (again, a common default in modern servers).
Code:
admin@RT-AC68U:/# ethtool -k eth0 | grep tcp-segmentation-offload
tcp-segmentation-offload: off
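The three conditions quoted above (a kernel from 2.6.29 onward, net.ipv4.tcp_sack=1, and TSO enabled on the NIC) can be checked with a small script rather than by hand. The following is an added example, not code from the thread, from the SANS diary or from any vendor; it assumes the interface name eth0 and the standard /proc paths, and `assess` takes its inputs as arguments so the same logic can be exercised against constructed values without running it on a live box.

```shell
#!/bin/sh
# Added example: audit a Linux host for the SACK Panic (CVE-2019-11477)
# exposure conditions named in the SANS diary. Not code from the thread.

# kernel_affected VERSION -> success (0) if VERSION is 2.6.29 or newer.
kernel_affected() {
    v=${1%%-*}                                   # "4.15.0-54-generic" -> "4.15.0"
    maj=$(printf '%s' "$v" | cut -d. -f1); maj=${maj%%[!0-9]*}; maj=${maj:-0}
    min=$(printf '%s' "$v" | cut -d. -f2); min=${min%%[!0-9]*}; min=${min:-0}
    pat=$(printf '%s' "$v" | cut -d. -f3); pat=${pat%%[!0-9]*}; pat=${pat:-0}
    [ "$maj" -gt 2 ] && return 0
    [ "$maj" -lt 2 ] && return 1
    [ "$min" -gt 6 ] && return 0
    [ "$min" -lt 6 ] && return 1
    [ "$pat" -ge 29 ]
}

# sack_enabled VALUE -> success if the tcp_sack sysctl reads 1.
sack_enabled() {
    [ "${1%%[!0-9]*}" = 1 ]
}

# tso_enabled ETHTOOL_OUTPUT -> success if "ethtool -k" reports TSO on.
# Top-level features are not indented in ethtool output; "on [fixed]" also matches.
tso_enabled() {
    printf '%s\n' "$1" | grep -q '^tcp-segmentation-offload: on'
}

# assess VERSION TCP_SACK_VALUE ETHTOOL_OUTPUT
# Prints one verdict: exposed, mitigated-sack-off, reduced-no-tso, unaffected-kernel.
# The labels mirror the SANS wording; "reduced-no-tso" is not a guarantee of safety.
assess() {
    if ! kernel_affected "$1"; then echo unaffected-kernel; return 0; fi
    if ! sack_enabled "$2"; then echo mitigated-sack-off; return 0; fi
    if ! tso_enabled "$3"; then echo reduced-no-tso; return 0; fi
    echo exposed
}

# audit_host [IFACE] -> run the checks against the live system.
# Assumption: eth0 is the interface to inspect; ethtool may be absent on a router.
audit_host() {
    iface=${1:-eth0}
    kver=$(uname -r)
    sack=$(cat /proc/sys/net/ipv4/tcp_sack 2>/dev/null || echo 0)
    tso=$(ethtool -k "$iface" 2>/dev/null || echo "")
    assess "$kver" "$sack" "$tso"
}

# demo -> the RT-AC68U case from the thread: SACK on, TSO reported off (constructed input).
demo() {
    assess "2.6.36.4brcmarm" 1 "tcp-segmentation-offload: off"
}

# Only touch the live system when explicitly asked, e.g. SACK_AUDIT_RUN=1 sh audit.sh br0
if [ "${SACK_AUDIT_RUN:-0}" = 1 ]; then
    audit_host "$@"
fi
```

The workaround the thread cites, `echo 0 > /proc/sys/net/ipv4/tcp_sack` (or `sysctl -w net.ipv4.tcp_sack=0`), moves a host from "exposed" to "mitigated-sack-off", at the cost of slower recovery on lossy links; it is a stopgap until a patched kernel or firmware is applied.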
 
