Security fix advisory

svein-o · June 19, 2019, 9:00am

Came across this advisory:

Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md

# Advisory
###### ID: NFLX-2019-001

###### Title: Linux and FreeBSD Kernel: Multiple TCP-based remote denial of service vulnerabilities

###### Release Date: 2019-06-17

###### Severity: Critical

### Overview:

Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels.

The vulnerabilities specifically relate to the Maximum Segment Size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. The most serious, dubbed _“SACK Panic_,” allows a remotely-triggered kernel panic on recent Linux kernels.

There are patches that address most of these vulnerabilities. If patches can not be applied, certain mitigations will be effective. We recommend that affected parties enact one of those described below, based on their environment.

### Details:

### 1: [CVE-2019-11477](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11477): SACK Panic (Linux >= 2.6.29)

This file has been truncated. show original

Are balenaOS in the risk zone for this type of attacks?

afitzek · June 20, 2019, 6:50am

Hi,
Since all current Linux kernels are affected, also balena devices are affected by this. But to actually take advantage of the attack, one needs to be able to send TCP packets to the device, so for example if a device is not exposed to the internet directly an attacker would have to be in the same network as the device. Our public URL feature is also not affected by this, because it operates one OSI layer above.
We are already looking into this and how to include the kernel patches in the next BalenaOS releases, and if/how we can protect current devices.
Cheers