Movies and TV shows pop up in our minds when we say the word Netflix. But it turns out the company wants to do a lot more than just entertain its users.
Netflix researchers found four critical vulnerabilities that affect different versions of Linux and FreeBSD kernels deployed in systems worldwide. As explained in the disclosure post, these vulnerabilities mostly relate to TCP Selective Acknowledgement (SACK) and minimum segment size (SSP) capabilities.
The biggest of them all is called SACK Panic (CVE-2019-11477) which can trigger kernel panic on systems with Linux version 2.6.29 and above. It means that the attacker can compromise the kernel to the point that it is next to impossible for the operating system to recover.
Ultimately, the system has to restart itself which could disrupt the software and services running on it. For your reference, you can think of kernel panic the same as the Blue Screen of Death error screen on Microsoft Windows.
Another vulnerability (CVE-2019-11479) mentioned by the researchers affects all versions of the Linux kernel. It can be used to increase the resource consumption on the target machine.
The attacker can force the Linux kernel to divide its responses into multiple segments of 8 bit each. So, it sucks more CPU power and drastically increases the amount of bandwidth required to send the same amount of data.
However, the attacks are short-lived as they require continued efforts from the side of the attacker, the researchers said.
The other two are a different version of the same bug called SACK Slowness, which affect Linux and FreeBSD respectively. All of these vulnerabilities can be patched and researchers have also suggested some workarounds to get away with the vulnerabilities.
