New vulnerabilities found on Linux and FreeBSD devices

Digital forensics services researchers warn that the Linux and FreeBSD operating systems contain vulnerabilities in their TCP stacks that allow remote, unauthenticated attackers to crash servers or degrade their network performance, disrupting administrators' communications with them.

Operating system distributors have recommended that users install the patches as soon as they are released or, until then, apply the recommended configuration changes to reduce the risk of exploitation.

According to digital forensics services experts, the most severe of the flaws, known as SACK Panic, can be exploited by sending a specially crafted sequence of TCP SACK segments to a vulnerable host; in response, the kernel crashes (a condition known as a kernel panic). A successful attack therefore produces a remote denial of service (DoS) condition.

The second flaw also works by sending crafted TCP SACK sequences, but instead of crashing the kernel it drives up resource consumption: the sequence fragments the TCP retransmission queue, and on some kernel versions the attacker can then exploit the fragmented queue to cause what the researchers describe as an "expensive linked-list walk for subsequent SACKs" received on the same connection, consuming CPU on the target.

Both vulnerabilities abuse the way the operating systems handle TCP Selective Acknowledgements (SACK). According to digital forensics services experts, SACK is a mechanism that lets the receiving side of a connection tell the sender exactly which segments it has already received, so that the sender needs to retransmit only the segments that were lost rather than everything after the last cumulative acknowledgement. The experts also reported a critical vulnerability in FreeBSD 12 that works in a similar way, but targets the RACK send map, the data structure the optional RACK TCP stack uses to track transmitted segments.

Finally, the experts found a flaw that lets an attacker slow down affected systems by forcing a very small maximum segment size (MSS) on a TCP connection. The MSS is a TCP option carried in the header of the connection's SYN segment; it advertises the largest amount of payload data the sender of the option is willing to accept in a single segment. A tiny MSS forces the kernel to split its send queue into a very large number of small segments, each carrying only a few bytes of data, which wastes CPU and memory on the target.
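The two TCP options the preceding paragraphs rely on, SACK and MSS, are small enough to parse by hand. The following is an added example, not code from the original article or from the Linux or FreeBSD kernels: it builds two constructed TCP headers (a SYN advertising an MSS of 48 with SACK permitted, and an ACK carrying two SACK blocks), parses the options back out, shows what a sender learns from a SACK (the holes it must retransmit), and flags SYNs whose MSS falls below an assumed threshold of 500 bytes, the kind of check a firewall rule for "low MSS" connections implements. Names such as parse_tcp_options, holes_to_retransmit and syn_is_suspicious, and the sample packets, are assumptions of this example.

```python
"""Added example: parsing the TCP MSS and SACK options and checking for
suspiciously small MSS values.  Sample packets are constructed inline;
nothing here is code from the original article or from any kernel."""
import struct

# TCP option kinds (RFC 793 and RFC 2018)
OPT_EOL, OPT_NOP, OPT_MSS, OPT_SACK_PERMITTED, OPT_SACK = 0, 1, 2, 4, 5
FLAG_SYN, FLAG_ACK = 0x02, 0x10


def tcp_header(sport, dport, seq, ack, flags, options=b""):
    """Build a minimal TCP header (checksum left zero) carrying `options`."""
    options += b"\x00" * (-len(options) % 4)       # pad with EOL to a 32-bit boundary
    data_offset = (20 + len(options)) // 4          # header length in 32-bit words
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset << 4, flags, 65535, 0, 0) + options


def parse_tcp_options(header):
    """Return the MSS, SACK-permitted flag and SACK blocks found in `header`.

    Malformed option lengths raise ValueError instead of being skipped, so a
    truncated or bogus option cannot be mistaken for a benign one."""
    data_offset = (header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(header):
        raise ValueError("invalid data offset")
    opts = header[20:data_offset]
    out = {"mss": None, "sack_permitted": False, "sack_blocks": []}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:                          # end of option list
            break
        if kind == OPT_NOP:                          # single-byte padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length %d" % length)
        body = opts[i + 2:i + length]
        if kind == OPT_MSS and length == 4:
            out["mss"] = struct.unpack("!H", body)[0]
        elif kind == OPT_SACK_PERMITTED and length == 2:
            out["sack_permitted"] = True
        elif kind == OPT_SACK and len(body) % 8 == 0 and 8 <= len(body) <= 32:
            # Each block is a (left edge, right edge) pair of sequence numbers;
            # at most four blocks fit in the 40-byte option space.
            out["sack_blocks"] = [struct.unpack("!II", body[j:j + 8])
                                  for j in range(0, len(body), 8)]
        i += length
    return out


def holes_to_retransmit(ack, sack_blocks):
    """What the sender learns from a SACK: the gaps, starting at the cumulative
    ACK, that the receiver has NOT acknowledged and that need retransmission."""
    holes, cursor = [], ack
    for left, right in sorted(sack_blocks):
        if left > cursor:
            holes.append((cursor, left))
        cursor = max(cursor, right)
    return holes


def syn_is_suspicious(header, mss_floor=500):
    """Flag a SYN advertising an MSS below `mss_floor` (assumed threshold)."""
    opts = parse_tcp_options(header)
    return opts["mss"] is not None and opts["mss"] < mss_floor


# Constructed sample packets (not captured traffic).
SAMPLE_SYN = tcp_header(40000, 80, 1000, 0, FLAG_SYN,
                        b"\x02\x04\x00\x30"       # MSS = 48
                        b"\x04\x02"               # SACK permitted
                        b"\x01\x01")              # NOP NOP
SAMPLE_SACK_ACK = tcp_header(40000, 80, 1001, 2001, FLAG_ACK,
                             b"\x01\x01" + struct.pack("!BBIIII", OPT_SACK, 18,
                                                       3001, 4001, 5001, 6001))

if __name__ == "__main__":
    syn = parse_tcp_options(SAMPLE_SYN)
    print("SYN options:", syn, "suspicious:", syn_is_suspicious(SAMPLE_SYN))
    sack = parse_tcp_options(SAMPLE_SACK_ACK)
    print("SACK blocks:", sack["sack_blocks"])
    print("sender must retransmit:", holes_to_retransmit(2001, sack["sack_blocks"]))
```

The holes returned for the sample ACK are [(2001, 3001), (4001, 5001)]: the receiver has everything up to 2001 plus the two advertised blocks, so only the two gaps need resending. The MSS floor of 500 is an assumption chosen to match the spirit of the "block low MSS" mitigation discussed below; tune it to your environment, and note that legitimate hosts on exotic links can advertise an MSS well under the usual 1460.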

According to International Institute of Cyber Security (IICS) experts, Linux distributions are releasing kernel patches to fix these bugs. Until the patches are installed, the recommended mitigations are to block incoming connections that advertise a low MSS (for example with a firewall rule that drops such SYN segments), to disable SACK processing on the host (on Linux, via the net.ipv4.tcp_sack sysctl), or, on FreeBSD 12, to temporarily stop using the RACK TCP stack. Disabling SACK is a blunt measure that can noticeably reduce throughput on lossy links, so it should be treated as a stopgap rather than a permanent setting.