[Security Warning] About Linux TCP

Recently, the Linux kernel was found to contain a TCP "SACK PANIC" remote denial-of-service vulnerability (vulnerability numbers: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479). An attacker can use this vulnerability to remotely attack a target server, causing a system crash or inability to provide service.
[Vulnerability Details]
Recently, a serious remote DoS vulnerability was discovered in the kernels of Linux, FreeBSD and other systems. Attackers can use this vulnerability to construct and send specific SACK sequence requests to target servers, causing the server to crash or deny service.
[Risk Level]
High risk
[Vulnerability Risk]
A specially constructed attack packet sent remotely can cause the target Linux or FreeBSD server to crash or make its service unavailable.
[Affected Version]
Currently known affected versions are as follows:
FreeBSD 12 (using RACK TCP stack)
CentOS 5 (Red Hat has officially stopped supporting it and no longer provides patches)
CentOS 6
CentOS 7
Ubuntu 18.04 LTS
Ubuntu 16.04 LTS
Ubuntu 19.04
Ubuntu 18.10
[Safe Version]
The major Linux distributors have released kernel patches. The fixed kernel versions are as follows:
CentOS 6: 2.6.32-754.15.3
CentOS 7: 3.10.0-957.21.3
Ubuntu 18.04 LTS: 4.15.0-52.56
Ubuntu 16.04 LTS: 4.4.0-151.178
[Repair suggestions]
Please refer to the [Safe Version] list above and upgrade your Linux server kernel. The reference operations are as follows:
Recommended solution: [CentOS 6/7 Series Users]
1) yum clean all && yum makecache, to update the software sources;
2) yum update kernel -y, to update the current kernel version;
3) reboot, so that the update takes effect;
4) uname -a, to check whether the current version is the above-mentioned [Safe Version]. If it is, the repair was successful.
Recommended solution: [Ubuntu 16.04/18.04 LTS series users]
1) sudo apt-get update && sudo apt-get install linux-image-generic, to update the software sources and install the latest kernel version;
2) sudo reboot, so that the update takes effect;
3) uname -a, to check whether the current version is a [Safe Version]. If it is, the repair was successful.
Temporary mitigation plan: If it is inconvenient to restart and update the kernel, you can disable SACK in the kernel configuration to prevent the vulnerability from being exploited. Just run the following commands:
1) echo "net.ipv4.tcp_sack = 0" >> /etc/sysctl.conf, to disable SACK;
2) sysctl -p, to reload the configuration so that it takes effect.
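The verification step and the temporary mitigation above can be combined into one check. The script below is an added example, not part of the original advisory: it compares a kernel version string against the [Safe Version] list and falls back to the SACK setting. The distro keys and function names are hypothetical, and it assumes GNU `sort -V` and, on Ubuntu, that the full version is read from /proc/version_signature because `uname -r` omits the last number.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a host from its distro key,
# kernel version string and net.ipv4.tcp_sack value.

# Fixed kernel versions, copied from the [Safe Version] list.
fixed_version_for() {
    case "$1" in
        centos6)     echo "2.6.32-754.15.3" ;;
        centos7)     echo "3.10.0-957.21.3" ;;
        ubuntu18.04) echo "4.15.0-52.56" ;;
        ubuntu16.04) echo "4.4.0-151.178" ;;
        *)           return 1 ;;   # distro not in the list
    esac
}

# Keep only the numeric version-release prefix:
#   3.10.0-957.21.3.el7.x86_64 -> 3.10.0-957.21.3
#   4.15.0-52.56-generic       -> 4.15.0-52.56
normalize() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+(\.[0-9]+)*-[0-9]+(\.[0-9]+)*).*$/\1/'
}

# True when version $1 is greater than or equal to version $2 (GNU sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# assess <distro-key> <kernel-version> <tcp_sack-value>
# prints: patched | mitigated | vulnerable | unknown
assess() {
    fixed=$(fixed_version_for "$1") || { echo unknown; return 0; }
    if version_ge "$(normalize "$2")" "$fixed"; then
        echo patched
    elif [ "$3" = "0" ]; then
        echo mitigated
    else
        echo vulnerable
    fi
}

# Constructed sample inputs. On a real host, take the kernel version from
# `uname -r` (CentOS) or the second field of /proc/version_signature (Ubuntu),
# and the SACK value from `sysctl -n net.ipv4.tcp_sack`.
assess centos7 "3.10.0-957.21.3.el7.x86_64" 1      # patched
assess centos7 "3.10.0-957.12.2.el7.x86_64" 0      # mitigated
assess ubuntu18.04 "4.15.0-50.54-generic" 1        # vulnerable
```

A result of "mitigated" means the kernel is still unpatched and depends on SACK staying disabled until the upgrade and reboot are done.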