Yesterday, Netflix issued an advisory identifying several TCP networking vulnerabilities in FreeBSD and Linux kernels. While patches are already available for the identified vulnerabilities, Linux is the most popular system on the Internet. This means that the issue will remain widespread and dangerous until every single company has applied patches.
https://twitter.com/zackwhittaker/status/1140725252781236226
Linux SACK Panic and Other TCP Denial of Service Issues
CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
https://t.co/qAde0bGB34
https://t.co/xf1Epdg0SI
workaround:
$ sudo sysctl -w net.ipv4.tcp_sack=0
$ sudo iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
— Levente Polyak | @anthraxx@chaos.social (@anthraxx42) June 17, 2019
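The two workarounds quoted in the tweet only help if both are actually in place on every host. The script below is an added example, not from the tweet or the Netflix advisory: it decides a host's mitigation status from the text of `sysctl net.ipv4.tcp_sack` and `iptables -S INPUT`, so it can also be run offline against output collected from a fleet. It assumes `iptables -S` prints the rule in the same form it was added (`-A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP`).

```shell
#!/bin/sh
# Audit helper for the SACK Panic workarounds (added example, not from the
# advisory). Works on captured command output so it needs no root to test.

# sack_disabled "<sysctl output>": succeeds if net.ipv4.tcp_sack is 0.
sack_disabled() {
    printf '%s\n' "$1" | grep -qx 'net.ipv4.tcp_sack = 0'
}

# mss_rule_present "<iptables -S INPUT output>": succeeds if the low-MSS
# DROP rule from the workaround is present (assumes iptables -S echoes it
# back in this exact form).
mss_rule_present() {
    printf '%s\n' "$1" | grep -q -- '-A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP'
}

# mitigation_status <sysctl text> <iptables text>
# Prints one of: full, sack-only, mss-only, none.
mitigation_status() {
    sack=1; mss=1
    sack_disabled "$1" && sack=0
    mss_rule_present "$2" && mss=0
    if [ "$sack" -eq 0 ] && [ "$mss" -eq 0 ]; then echo full
    elif [ "$sack" -eq 0 ]; then echo sack-only
    elif [ "$mss" -eq 0 ]; then echo mss-only
    else echo none
    fi
}

# Live use on a host (iptables -S needs root):
#   mitigation_status "$(sysctl net.ipv4.tcp_sack)" "$(iptables -S INPUT)"

# Constructed sample output standing in for a host where only the sysctl
# workaround was applied and no tcpmss rule exists.
SAMPLE_SYSCTL='net.ipv4.tcp_sack = 0'
SAMPLE_IPTABLES='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

mitigation_status "$SAMPLE_SYSCTL" "$SAMPLE_IPTABLES"   # prints sack-only
```

A `sysctl -w` setting does not survive a reboot, so a host reporting `full` today can report `mss-only` after the next restart unless the setting is also written to `/etc/sysctl.d/`.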
Expert Comments:
David Atkinson, CEO at Senseon:
“While it is Netflix that identified these flaws, the issue is much, much bigger than one company or service. Linux is used by 40 percent of the world’s websites. It is embedded in thousands of devices, from Internet routers to IoT products, and it is a key component to most corporate infrastructure. In short, Linux is everywhere.
“This means it is also difficult to know where it is enabled. While there is a patch, it could take weeks or months for companies to find every potential vulnerability and patch it. Embedded systems may not even get upgraded due to the perceived inconvenience of patching, something particularly true for IoT devices.
“In the worst case scenario, a single hacker could exploit this known vulnerability to bring down any corporate service that uses Linux. Until they are patched, millions of companies and products are vulnerable. This also increases the risk of a coordinated nation-state attack.
“While a malicious attack has not yet been reported, it is only a matter of time. There are at least eight million public-facing services using Linux. Companies should urgently be issuing emergency patches on these systems to prevent disruption and be using threat detection to spot any attack or malicious activity on their systems quickly.”
Boris Cipot, Senior Security Engineer at Synopsys:
“The good thing is that the vulnerability was found and the patches are available. It is now crucial that patches are applied, as cyber criminals will for sure start writing malware that searches for and exploits the non-patched, vulnerable machines. We have seen many times that the most critical thing is the time between the public notification of a vulnerability and the application of a fix. Most of the time the cyber criminals are a step ahead in the game, as patching is not always done in a timely manner. Let’s hope that this will not be the case here. Patching is needed to keep your systems running securely and to avoid breaches or fallout. Even if patching takes time and requires money, think of what a downtime to your systems is worth in reverse.”
Jake Moore, Cyber Security Expert at ESET:
“Cyber criminals tend to create phishing emails purporting to be sent from large companies to have the largest effect. As Netflix has millions of users, there are more users to target in the hope that more unsuspecting victims will click on the links. Years ago, the blanket emails would have been from a Nigerian Prince, but now they tend to create emails looking like they are from Apple, PayPal and Netflix, to name a few. Telltale signs still lie in the fact that they say “Dear customer” to start the email rather than your name, and they attempt to instill fear by threatening restricted access to the account. Social engineering techniques use the principles of persuasion, such as fear, to entice people to do what they are told, which has a far greater click rate. Netflix, and other companies impersonated by hackers, will not kill your account without going through far more personal details with you and won’t ever use threatening communication. It is always worth ringing a number found on the genuine website to speak with customer service if you are ever doubtful of any correspondence.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.