On 2019-06-17, Netflix disclosed serious remote DoS vulnerabilities in the FreeBSD and Linux kernels: an attacker can send specially crafted SACK requests to a target server and crash the server's kernel.
The vulnerability numbers are:

The advisories from several vendors are as follows:

Cause

Red Hat's official description of the cause of the problem is as follows:

Readers who find the English hard going can also read InfoQ's translation.

SACK stands for Selective Acknowledgment. It is defined in RFC 2018 and is meant to improve the ACK-based retransmission mechanism.
Readers who find the RFC hard going can read 耗子叔's two articles on TCP.

Detection tool for the Red Hat family

Red Hat provides a script that checks whether a system is affected by these vulnerabilities. Download address:

Copy the script to the server and run it with sudo.
If the system is not affected, the script prints This system is Not affected:

# bash cve-2019-11477--2019-06-17-1629.sh
This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported
Red Hat Enterprise Linux systems and kernel packages.
Result may be inaccurate for other RPM based systems.
Running kernel: 3.10.0-957.21.3.el7.x86_64
This system is Not affected
For more information about this vulnerability, see:
https://access.redhat.com/security/vulnerabilities/tcpsack
#

If the system is affected, the script prints This system is Vulnerable:

# bash cve-2019-11477--2019-06-17-1629.sh
This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported
Red Hat Enterprise Linux systems and kernel packages.
Result may be inaccurate for other RPM based systems.
Running kernel: 3.10.0-957.el7.x86_64
This system is Vulnerable
* Running kernel is vulnerable
For more information about this vulnerability, see:
https://access.redhat.com/security/vulnerabilities/tcpsack
#

Remedies

Upgrade the kernel

As soon as the vulnerabilities were published, Red Hat released the kernel-3.10.0-957.21.3 kernel update, and CentOS synced the kernel patch shortly afterwards. The upgrade commands are as follows.
On CentOS 7:

# upgrade the kernel
yum update kernel -y
# reboot the server
reboot
# check the running kernel version
uname -r

Disable SACK in the kernel

If it is inconvenient to reboot the server right away, SACK can be disabled temporarily as a first step.

# echo 0 > /proc/sys/net/ipv4/tcp_sack
or
# sysctl -w net.ipv4.tcp_sack=0

Running the detection script now reports Running kernel is vulnerable together with sysctl mitigation is applied:

# bash cve-2019-11477--2019-06-17-1629.sh
This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported
Red Hat Enterprise Linux systems and kernel packages.
Result may be inaccurate for other RPM based systems.
Running kernel: 3.10.0-957.el7.x86_64
This system is Mitigated
* Running kernel is vulnerable
* sysctl mitigation is applied
For more information about this vulnerability, see:
https://access.redhat.com/security/vulnerabilities/tcpsack
#

To keep TCP SACK disabled across reboots, create a configuration file under /etc/sysctl.d/, for example:

# vi /etc/sysctl.d/99-tcpsack.conf
# CVE-2019-11477 & CVE-2019-11478
net.ipv4.tcp_sack=0

Save the file and exit; SACK will then stay disabled after a reboot.
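As an added example (not code from the original post and not Red Hat's script), the following POSIX sh helper ties the detection section and the two remedies above together: it reproduces the Not affected / Vulnerable / Mitigated verdict of the detection script for the 3.10.0 (RHEL/CentOS 7) kernel line, using the fixed release 3.10.0-957.21.3 named in the post, reads the mitigation state from /proc/sys/net/ipv4/tcp_sack, and can write the 99-tcpsack.conf drop-in. The function names, the Unknown verdict for kernels that are not 3.10.0-*, and the optional tcp_sack file argument (so the check can be exercised against a constructed file) are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post or of Red Hat's script: a small
# POSIX sh helper that (1) reproduces the three verdicts of the detection script
# for the RHEL/CentOS 7 kernel line (Not affected / Vulnerable / Mitigated) and
# (2) writes the persistent sysctl drop-in shown in the post.
# Assumptions: the fixed kernel is 3.10.0-957.21.3 (stated in the post); the
# live mitigation state is read from /proc/sys/net/ipv4/tcp_sack; kernels that
# are not 3.10.0-* are reported as Unknown rather than judged.

FIXED_REL="957.21.3"   # release part of kernel-3.10.0-957.21.3

# rel_ge A B -> 0 if dotted release A >= B, comparing up to three numeric fields
# (a missing field counts as 0, so "957" sorts below "957.21.3").
rel_ge() {
    a="$1"; b="$2"; i=0
    while [ "$i" -lt 3 ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        i=$((i + 1))
    done
    return 0
}

# kernel_fixed VERSION -> 0 if VERSION (as printed by uname -r) is a 3.10.0
# kernel at or above the fixed release, 1 if below, 2 if not a 3.10.0 kernel.
kernel_fixed() {
    case "$1" in
        3.10.0-*) ;;
        *) return 2 ;;
    esac
    rel="${1#3.10.0-}"    # e.g. 957.21.3.el7.x86_64
    rel="${rel%%.el*}"    # 957.21.3 (just "957" for the original GA kernel)
    rel_ge "$rel" "$FIXED_REL"
}

# sack_mitigated [FILE] -> 0 if tcp_sack is 0 in FILE (default: live sysctl),
# 1 if SACK is still enabled, 2 if FILE cannot be read.
sack_mitigated() {
    f="${1:-/proc/sys/net/ipv4/tcp_sack}"
    [ -r "$f" ] || return 2
    IFS= read -r v < "$f" || v=""
    [ "$v" = "0" ]
}

# sack_status VERSION [FILE] -> prints the verdict for a kernel version and a
# tcp_sack sysctl file, mirroring the wording of the detection script.
sack_status() {
    rc=0; kernel_fixed "$1" || rc=$?
    case "$rc" in
        0) echo "Not affected"; return 0 ;;
        2) echo "Unknown (not a 3.10.0 RHEL/CentOS 7 kernel)"; return 0 ;;
    esac
    if sack_mitigated "$2"; then echo "Mitigated"; else echo "Vulnerable"; fi
}

# write_sysctl_conf [DIR] -> writes DIR/99-tcpsack.conf, the drop-in from the
# post (default DIR is /etc/sysctl.d, which needs root).
write_sysctl_conf() {
    dir="${1:-/etc/sysctl.d}"
    printf '%s\n' '# CVE-2019-11477 & CVE-2019-11478' 'net.ipv4.tcp_sack=0' \
        > "$dir/99-tcpsack.conf"
}

# Read-only report on the running system (nothing is written here).
echo "Running kernel: $(uname -r)"
echo "Status: $(sack_status "$(uname -r)")"
```

Run as-is for a read-only report. To persist the mitigation, call write_sysctl_conf as root and load the file with sysctl -p /etc/sysctl.d/99-tcpsack.conf (or set the value live with sysctl -w as shown above). Disabling SACK is a stopgap: it costs throughput on lossy links, so the kernel upgrade remains the actual fix.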

Response on the AWS side

AWS's official announcement on SACK Panic and the measures taken for each service:

Each affected service and its corresponding measure are described in detail there.
For EC2 instances you manage yourself, if they run Amazon Linux or Amazon Linux 2, then regardless of the type of ELB in front of them, it is recommended to log in at a suitable time, upgrade the kernel, and reboot.

sudo yum update kernel

Reference
