On 2019-06-17, Netflix disclosed serious remote DoS vulnerabilities in the FreeBSD and Linux kernels: an attacker can send specially constructed SACK requests to a target server and crash the server's kernel.
The vulnerability identifiers are:
The advisories from several vendors are as follows:
Cause
Red Hat's official description of the cause is as follows:
If the English is heavy going, InfoQ's translation is also available.
SACK stands for Selective Acknowledgment. It is defined in RFC 2018, and its purpose is to improve the ACK-based retransmission mechanism.
If the RFC is heavy going, see 耗子叔's two articles on TCP.
Red Hat's detection tool
Red Hat provides a script that checks whether a system is affected by these vulnerabilities. Download address:
Copy the script to the server and run it with sudo.
If the system is not affected, the script prints This system is Not affected:

```
# bash cve-2019-11477--2019-06-17-1629.sh
This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported
Red Hat Enterprise Linux systems and kernel packages.
Result may be inaccurate for other RPM based systems.

Running kernel: 3.10.0-957.21.3.el7.x86_64

This system is Not affected

For more information about this vulnerability, see:
https://access.redhat.com/security/vulnerabilities/tcpsack
#
```
If the system is affected, the script prints This system is Vulnerable:

```
# bash cve-2019-11477--2019-06-17-1629.sh
This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported
Red Hat Enterprise Linux systems and kernel packages.
Result may be inaccurate for other RPM based systems.

Running kernel: 3.10.0-957.el7.x86_64

This system is Vulnerable
* Running kernel is vulnerable

For more information about this vulnerability, see:
https://access.redhat.com/security/vulnerabilities/tcpsack
#
```
Solutions
Upgrade the kernel
After the vulnerabilities were published, Red Hat immediately released the kernel-3.10.0-957.21.3 kernel update, and CentOS synchronised the kernel patch shortly afterwards. The upgrade commands are as follows.
On CentOS 7:

```
# upgrade the kernel
yum update kernel -y
# reboot the server
reboot
# check the running kernel version
uname -r
```
Disable SACK in the kernel
If rebooting the server right away is inconvenient, you can temporarily disable SACK first.

```
# echo 0 > /proc/sys/net/ipv4/tcp_sack
or
# sysctl -w net.ipv4.tcp_sack=0
```
Running the detection script now reports Running kernel is vulnerable together with sysctl mitigation is applied:

```
# bash cve-2019-11477--2019-06-17-1629.sh
This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported
Red Hat Enterprise Linux systems and kernel packages.
Result may be inaccurate for other RPM based systems.

Running kernel: 3.10.0-957.el7.x86_64

This system is Mitigated
* Running kernel is vulnerable
* sysctl mitigation is applied

For more information about this vulnerability, see:
https://access.redhat.com/security/vulnerabilities/tcpsack
#
```
To keep TCP SACK disabled after a reboot, create a configuration file under /etc/sysctl.d/, for example:

```
# vi /etc/sysctl.d/99-tcpsack.conf
# CVE-2019-11477 & CVE-2019-11478
net.ipv4.tcp_sack=0
```

Save the file and exit; SACK will remain disabled after a reboot.
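The detection script above and the sysctl mitigation combine into three possible verdicts. As an added example (not Red Hat's script, and not code from this post), the following POSIX shell script reproduces that classification from the kernel release string and the net.ipv4.tcp_sack value; FIXED_KERNEL is the release the post names as patched, and the numeric comparison is only meaningful within that RHEL/CentOS 7 kernel line.

```shell
#!/bin/sh
# Added example (not Red Hat's script): reproduce the three verdicts of the
# vendor detection script ("Not affected", "Vulnerable", "Mitigated") from
# the kernel release string and the net.ipv4.tcp_sack value.
# FIXED_KERNEL is the release the post names as patched; the numeric
# comparison is an assumption valid only within the RHEL/CentOS 7 line.

FIXED_KERNEL="3.10.0-957.21.3"

# version_ge A B: true when the numeric fields of A are >= those of B.
# Fields are split on '.' and '-'; a missing field counts as 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p != q) exit (p < q)   # status 1 (false) when a < b
        }
        exit 0
    }'
}

# sack_status RELEASE TCP_SACK: prints the verdict for one host.
sack_status() {
    # Drop the distro tag and architecture, e.g. ".el7.x86_64".
    numeric=$(printf '%s' "$1" | sed 's/[^0-9.-].*$//')
    if version_ge "$numeric" "$FIXED_KERNEL"; then
        echo "Not affected"          # patched kernel, SACK can stay on
    elif [ "$2" = "0" ]; then
        echo "Mitigated"             # unpatched, but SACK disabled
    else
        echo "Vulnerable"            # unpatched and SACK enabled
    fi
}

# Live check of the current host, skipped where /proc does not expose the knob.
if [ -r /proc/sys/net/ipv4/tcp_sack ]; then
    release=$(uname -r)
    tcp_sack=$(cat /proc/sys/net/ipv4/tcp_sack)
    echo "Running kernel: $release (net.ipv4.tcp_sack=$tcp_sack)"
    echo "This system is $(sack_status "$release" "$tcp_sack")"
fi
```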
Response on the AWS side
AWS's official advisory on SACK Panic and the measures taken for each service:
Each affected service and the corresponding countermeasures are described there in detail.
For EC2 instances you manage yourself, if they run Amazon Linux or Amazon Linux 2, then regardless of the type of ELB in front of them it is recommended to log in at a suitable time, upgrade the kernel and reboot.
References