
Eagle-eyed researchers from streaming titan Netflix have uncovered several troubling security vulnerabilities within the TCP implementations on Linux and FreeBSD kernels. The most severe specimen, called SACK Panic, could permit an attacker to remotely induce a kernel panic within recent Linux operating systems.
A kernel panic is a failure state from which an operating system cannot easily recover, or, in some cases, cannot recover at all. Triggering one could force a restart of the targeted host, causing a temporary outage of the services it runs.
Given that Linux powers a huge variety of systems, from web servers to high-performance computing clusters, this is obviously a real concern.
In total, Netflix has found four separate vulnerabilities, each with its own distinct behavior. They all pertain to the same part of the Linux and FreeBSD TCP implementation: the maximum segment size (MSS) and TCP Selective Acknowledgement (SACK).
One issue highlighted by Netflix could see an attacker force the Linux kernel to transmit data as individual TCP segments of just 8 bytes each. As Netflix's researchers point out, this can markedly slow down outbound traffic and place extra load on the host's processor and network card.
Here's the good news: each of the vulnerabilities is patchable. In many cases there are also workarounds, which are handy for users who, for whatever reason, cannot make drastic changes to their systems.
TNW has reached out to Netflix for comment. When we hear back from them, we'll update this post. In the meantime, if you'd like to read more on how these vulnerabilities work, and how to remedy them, you can read about it on the disclosure website.
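For administrators who cannot patch immediately, the disclosure's interim workaround on Linux is to turn off SACK processing via the `net.ipv4.tcp_sack` sysctl. The script below is an added example, not code from Netflix or from this article: it reads the kernel's `/proc/sys/net/ipv4/tcp_sack` knob (a real Linux path, assumed to be present) and reports whether the host still has SACK enabled, so a fleet check can flag unpatched, unmitigated machines. It only reports and never changes the setting; disabling SACK also reduces TCP throughput on lossy links, so the real fix remains the kernel update.

```shell
#!/bin/sh
# Added example: report whether TCP SACK is enabled on a Linux host.
# Assumes the standard Linux /proc sysctl interface; the path may be
# overridden for testing or for hosts with a non-standard layout.

SACK_SYSCTL="${SACK_SYSCTL:-/proc/sys/net/ipv4/tcp_sack}"

# check_sack [FILE]
#   Prints "enabled", "disabled" or "unknown" based on the 0/1 value in
#   the sysctl file. Exit status: 0 for a recognised value, 2 otherwise.
check_sack() {
    f="${1:-$SACK_SYSCTL}"
    if [ ! -r "$f" ]; then
        echo "unknown"
        return 2
    fi
    v=$(tr -d '[:space:]' < "$f")
    case "$v" in
        0) echo "disabled"; return 0 ;;
        1) echo "enabled";  return 0 ;;
        *) echo "unknown";  return 2 ;;
    esac
}

# sack_advice STATUS
#   Turns the status word into a one-line recommendation for an operator.
sack_advice() {
    case "$1" in
        enabled)  echo "SACK is on: apply the kernel patch, or set net.ipv4.tcp_sack=0 as an interim workaround" ;;
        disabled) echo "SACK is off: interim workaround in place; still schedule the kernel patch" ;;
        *)        echo "could not read the tcp_sack sysctl; verify this is a Linux host with /proc mounted" ;;
    esac
}

# Run the check when invoked directly with --run (keeps the file sourceable).
if [ "${1:-}" = "--run" ]; then
    status=$(check_sack)
    printf 'TCP SACK: %s\n' "$status"
    sack_advice "$status"
fi
```

Run it as `sh check_sack.sh --run` on each host, or source the file and call `check_sack` from a larger inventory script. A result of "enabled" on a kernel that predates the fix is the condition worth alerting on.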