A kernel flaw dubbed TCP SACK Panic could allow remote attackers to compromise organizations running large fleets of production Linux computers, according to a series of security advisories.

Netflix was among the first to raise alarm bells over the vulnerability, also known as CVE-2019-11477, which could potentially be used to crash a machine by triggering a kernel “panic.” The issue affects those running systems based on Linux kernel version 2.6.29 and above and is one of four known flaws. TCP SACK Panic is considered the most dangerous, researchers said.

The Scope of the SACK Panic Threat

In its own security advisory, Red Hat suggested that while the flaw could be used by cybercriminals to wage denial-of-service (DoS) attacks, it would not allow them to escalate privileges on compromised machines to steal information.

SACK refers to Selective Acknowledgment, a mechanism that has traditionally been used in Linux-based systems to ensure networks run efficiently even if there is TCP packet loss between senders and receivers. When the Socket Buffer (SKB) — a data structure within Linux TCP implementations — reaches more than 17 fragments of packet data, however, a kernel panic can cause it to crash.

Threat actors could also send specially crafted SACK packets that trigger a panic, researchers said, adding that all four of the reported flaws are interrelated. Others include SACK Slowness, also known as CVE-2019-11478, a resource consumption bug dubbed CVE-2019-11479, and another SACK slowness flaw known as CVE-2019-5599.

Stay Calm Amid the TCP SACK Panic

Flaws such as these can be addressed through software patches, but the onus is on those running vulnerable IT systems to ensure they are properly applied. Unfortunately, this doesn’t always happen as quickly and consistently as it should.

Experts have shown, for example, that many organizations would benefit from improved patch posture reporting. In other words, firms need a way to bring together all available data on what patches have been performed and whether they have remediated vulnerabilities. Tools are available to assist in this area, which may be the best way for Linux users to ensure they aren’t compromised by something like the TCP SACK Panic threat.

More from

2022 Industry Threat Recap: Finance and Insurance

The finance and insurance sector proved a top target for cybersecurity threats in 2022. The IBM Security X-Force Threat Intelligence Index 2023 found this sector ranked as the second most attacked, with 18.9% of X-Force incident response cases. If, as Shakespeare tells us, past is prologue, this sector will likely remain a target in 2023. Finance and insurance ranked as the most attacked sector from 2016 to 2020, with the manufacturing sector the most attacked in 2021 and 2022. What…

X-Force Prevents Zero Day from Going Anywhere

This blog was made possible through contributions from Fred Chidsey and Joseph Lozowski. The X-Force Vulnerability and Exploit Database shows that the number of zero days being released each year is on the rise, but X-Force has observed that only a few of these zero days are rapidly adopted by cyber criminals each year. While every zero day is important and organizations should still devote efforts to patching zero days once a patch is released, there are characteristics of certain…

And Stay Out! Blocking Backdoor Break-Ins

Backdoor access was the most common threat vector in 2022. According to the 2023 IBM Security X-Force Threat Intelligence Index, 21% of incidents saw the use of backdoors, outpacing perennial compromise favorite ransomware, which came in at just 17%. The good news? In 67% of backdoor attacks, defenders were able to disrupt attacker efforts and lock digital doorways before ransomware payloads were deployed. The not-so-great news? With backdoor access now available at a bargain price on the dark web, businesses…

Hack-for-Hire Groups May Be the New Face of Cybercrime

Google’s Threat Analysis Group (TAG) recently released a report about growing hack-for-hire activity. In contrast to Malware-as-a-Service (MaaS), hack-for-hire firms conduct sophisticated, hands-on attacks. They target a wide range of users and exploit known security flaws when executing their campaigns. “We have seen hack-for-hire groups target human rights and political activists, journalists and other high-risk users around the world, putting their privacy, safety and security at risk,” Google TAG says. “They also conduct corporate espionage, handily obscuring their clients’ role.”…