Je vous présente: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479

Chacune affecte la gestion TCP du noyau Linux d'une manière différente pouvant déboucher sur un DoS.

Les informations ne sont pas encore publiques, AWS a commencé sa communication: https://aws.amazon.com/fr/security/security-bulletins/AWS-2019-005/
Chez Suse, il y en a plus: https://www.suse.com/c/suse-addresses-the-sack-panic-tcp-remote-denial-of-service-attacks/

    CVE-2019-11477: Also known as “SACK Panic”. A integer overflow when SACK processing of small TCP fragments can be used by remote attackers to crash the kernel.
    CVE-2019-11478: By sending SACK segments in crafted order remote attackers could fragment the SACK queue and cause increased use of memory, potentially running the system out of memory, and higher CPU load.
    CVE-2019-11479: A remote attacker could force heavy fragmentation of TCP segments, which could cause a higher amount of bandwith being used and also higher CPU load on the attacked system.

Netflix a mis des infos sur Github: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md

Details:
1: CVE-2019-11477: SACK Panic (Linux >= 2.6.29)

Description: A sequence of SACKs may be crafted such that one can trigger an integer overflow, leading to a kernel panic.

Fix: Apply the patch PATCH_net_1_4.patch. Additionally, versions of the Linux kernel up to, and including, 4.14 require a second patch PATCH_net_1a.patch.

Workaround #1: Block connections with a low MSS using one of the supplied filters. (The values in the filters are examples. You can apply a higher or lower limit, as appropriate for your environment.) Note that these filters may break legitimate connections which rely on a low MSS. Also, note that this mitigation is only effective if TCP probing is disabled (that is, the net.ipv4.tcp_mtu_probing sysctl is set to 0, which appears to be the default value for that sysctl).

Workaround #2: Disable SACK processing (/proc/sys/net/ipv4/tcp_sack set to 0).

(Note that either workaround should be sufficient on its own. It is not necessary to apply both workarounds.)
2: CVE-2019-11478: SACK Slowness (Linux < 4.15) or Excess Resource Usage (all Linux versions)

Description: It is possible to send a crafted sequence of SACKs which will fragment the TCP retransmission queue. On Linux kernels prior to 4.15, an attacker may be able to further exploit the fragmented queue to cause an expensive linked-list walk for subsequent SACKs received for that same TCP connection.

Fix: Apply the patch PATCH_net_2_4.patch

Workaround #1: Block connections with a low MSS using one of the supplied filters. (The values in the filters are examples. You can apply a higher or lower limit, as appropriate for your environment.) Note that these filters may break legitimate connections which rely on a low MSS. Also, note that this mitigation is only effective if TCP probing is disabled (that is, the net.ipv4.tcp_mtu_probing sysctl is set to 0, which appears to be the default value for that sysctl).

Workaround #2: Disable SACK processing (/proc/sys/net/ipv4/tcp_sack set to 0).

(Note that either workaround should be sufficient on its own. It is not necessary to apply both workarounds.)
3: CVE-2019-5599: SACK Slowness (FreeBSD 12 using the RACK TCP Stack)

Description: It is possible to send a crafted sequence of SACKs which will fragment the RACK send map. An attacker may be able to further exploit the fragmented send map to cause an expensive linked-list walk for subsequent SACKs received for that same TCP connection.

Workaround #1: Apply the patch split_limit.patch and set the net.inet.tcp.rack.split_limit sysctl to a reasonable value to limit the size of the SACK table.

Workaround #2: Temporarily disable the RACK TCP stack.

(Note that either workaround should be sufficient on its own. It is not necessary to apply both workarounds.)
4: CVE-2019-11479: Excess Resource Consumption Due to Low MSS Values (all Linux versions)

Description: An attacker can force the Linux kernel to segment its responses into multiple TCP segments, each of which contains only 8 bytes of data. This drastically increases the bandwidth required to deliver the same amount of data. Further, it consumes additional resources (CPU and NIC processing power). This attack requires continued effort from the attacker and the impacts will end shortly after the attacker stops sending traffic.

Fix: Two patches PATCH_net_3_4.patch and PATCH_net_4_4.patch add a sysctl which enforces a minimum MSS, set by the net.ipv4.tcp_min_snd_mss sysctl. This lets an administrator enforce a minimum MSS appropriate for their applications.

Workaround: Block connections with a low MSS using one of the supplied filters. (The values in the filters are examples. You can apply a higher or lower limit, as appropriate for your environment.) Note that these filters may break legitimate connections which rely on a low MSS. Also, note that this mitigation is only effective if TCP probing is disabled (that is, the net.ipv4.tcp_mtu_probing sysctl is set to 0, which appears to be the default value for that sysctl).

Y'a aucune raison que RHEL ne soit pas impacté, c'est une faille du noyau donc rien à voir avec la distribution.
Red Hat a commencé à la documenter: https://access.redhat.com/security/vulnerabilities/tcpsack

Toutes les versions d'Ubuntu sont impactées.

C'est comblé dans la mise à jour du Kernel que vous avez eu hier soir (ou ce matin).

Même pour Ubuntu, j'ai été impressionné par le nombre de noyaux à mettre à jour :

Ubuntu 19.04
- linux-image-5.0.0-1008-aws - 5.0.0-1008.8
- linux-image-5.0.0-1008-gcp - 5.0.0-1008.8
- linux-image-5.0.0-1008-kvm - 5.0.0-1008.8
- linux-image-5.0.0-1010-raspi2 - 5.0.0-1010.10
- linux-image-5.0.0-1014-snapdragon - 5.0.0-1014.14
- linux-image-5.0.0-17-generic - 5.0.0-17.18
- linux-image-5.0.0-17-generic-lpae - 5.0.0-17.18
- linux-image-5.0.0-17-lowlatency - 5.0.0-17.18
- linux-image-aws - 5.0.0.1008.8
- linux-image-gcp - 5.0.0.1008.8
- linux-image-generic - 5.0.0.17.18
- linux-image-generic-lpae - 5.0.0.17.18
- linux-image-gke - 5.0.0.1008.8
- linux-image-kvm - 5.0.0.1008.8
- linux-image-lowlatency - 5.0.0.17.18
- linux-image-raspi2 - 5.0.0.1010.7
- linux-image-snapdragon - 5.0.0.1014.7
- linux-image-virtual - 5.0.0.17.18

Ubuntu 18.10
- linux-image-4.18.0-1013-gcp - 4.18.0-1013.14
- linux-image-4.18.0-1014-kvm - 4.18.0-1014.14
- linux-image-4.18.0-1016-raspi2 - 4.18.0-1016.18
- linux-image-4.18.0-1018-aws - 4.18.0-1018.20
- linux-image-4.18.0-1020-azure - 4.18.0-1020.20
- linux-image-4.18.0-22-generic - 4.18.0-22.23
- linux-image-4.18.0-22-generic-lpae - 4.18.0-22.23
- linux-image-4.18.0-22-lowlatency - 4.18.0-22.23
- linux-image-4.18.0-22-snapdragon - 4.18.0-22.23
- linux-image-aws - 4.18.0.1018.18
- linux-image-azure - 4.18.0.1020.21
- linux-image-gcp - 4.18.0.1013.13
- linux-image-generic - 4.18.0.22.23
- linux-image-generic-lpae - 4.18.0.22.23
- linux-image-gke - 4.18.0.1013.13
- linux-image-kvm - 4.18.0.1014.14
- linux-image-lowlatency - 4.18.0.22.23
- linux-image-raspi2 - 4.18.0.1016.13
- linux-image-snapdragon - 4.18.0.22.23
- linux-image-virtual - 4.18.0.22.23

Ubuntu 18.04 LTS
- linux-image-4.15.0-1015-oracle - 4.15.0-1015.17
- linux-image-4.15.0-1034-gcp - 4.15.0-1034.36
- linux-image-4.15.0-1036-kvm - 4.15.0-1036.36
- linux-image-4.15.0-1038-raspi2 - 4.15.0-1038.40
- linux-image-4.15.0-1041-aws - 4.15.0-1041.43
- linux-image-4.15.0-1043-oem - 4.15.0-1043.48
- linux-image-4.15.0-1055-snapdragon - 4.15.0-1055.59
- linux-image-4.15.0-52-generic - 4.15.0-52.56
- linux-image-4.15.0-52-generic-lpae - 4.15.0-52.56
- linux-image-4.15.0-52-lowlatency - 4.15.0-52.56
- linux-image-4.18.0-1020-azure - 4.18.0-1020.20~18.04.1
- linux-image-4.18.0-22-generic - 4.18.0-22.23~18.04.1
- linux-image-4.18.0-22-generic-lpae - 4.18.0-22.23~18.04.1
- linux-image-4.18.0-22-lowlatency - 4.18.0-22.23~18.04.1
- linux-image-4.18.0-22-snapdragon - 4.18.0-22.23~18.04.1
- linux-image-aws - 4.15.0.1041.40
- linux-image-azure - 4.18.0.1020.19
- linux-image-gcp - 4.15.0.1034.36
- linux-image-generic - 4.15.0.52.54
- linux-image-generic-hwe-18.04 - 4.18.0.22.72
- linux-image-generic-lpae - 4.15.0.52.54
- linux-image-generic-lpae-hwe-18.04 - 4.18.0.22.72
- linux-image-kvm - 4.15.0.1036.36
- linux-image-lowlatency - 4.15.0.52.54
- linux-image-lowlatency-hwe-18.04 - 4.18.0.22.72
- linux-image-oem - 4.15.0.1043.47
- linux-image-oracle - 4.15.0.1015.18
- linux-image-raspi2 - 4.15.0.1038.36
- linux-image-snapdragon - 4.15.0.1055.58
- linux-image-snapdragon-hwe-18.04 - 4.18.0.22.72
- linux-image-virtual - 4.15.0.52.54
- linux-image-virtual-hwe-18.04 - 4.18.0.22.72

Ubuntu 16.04 LTS
- linux-image-4.15.0-1015-oracle - 4.15.0-1015.17~16.04.1
- linux-image-4.15.0-1034-gcp - 4.15.0-1034.36~16.04.1
- linux-image-4.15.0-1041-aws - 4.15.0-1041.43~16.04.1
- linux-image-4.15.0-1047-azure - 4.15.0-1047.51
- linux-image-4.15.0-52-generic - 4.15.0-52.56~16.04.1
- linux-image-4.15.0-52-generic-lpae - 4.15.0-52.56~16.04.1
- linux-image-4.15.0-52-lowlatency - 4.15.0-52.56~16.04.1
- linux-image-4.4.0-1048-kvm - 4.4.0-1048.55
- linux-image-4.4.0-1085-aws - 4.4.0-1085.96
- linux-image-4.4.0-1111-raspi2 - 4.4.0-1111.120
- linux-image-4.4.0-1115-snapdragon - 4.4.0-1115.121
- linux-image-4.4.0-151-generic - 4.4.0-151.178
- linux-image-4.4.0-151-generic-lpae - 4.4.0-151.178
- linux-image-4.4.0-151-lowlatency - 4.4.0-151.178
- linux-image-4.4.0-151-powerpc-e500mc - 4.4.0-151.178
- linux-image-4.4.0-151-powerpc-smp - 4.4.0-151.178
- linux-image-4.4.0-151-powerpc64-emb - 4.4.0-151.178
- linux-image-4.4.0-151-powerpc64-smp - 4.4.0-151.178
- linux-image-aws - 4.4.0.1085.88
- linux-image-aws-hwe - 4.15.0.1041.41
- linux-image-azure - 4.15.0.1047.51
- linux-image-gcp - 4.15.0.1034.48
- linux-image-generic - 4.4.0.151.159
- linux-image-generic-hwe-16.04 - 4.15.0.52.73
- linux-image-generic-lpae - 4.4.0.151.159
- linux-image-generic-lpae-hwe-16.04 - 4.15.0.52.73
- linux-image-gke - 4.15.0.1034.48
- linux-image-kvm - 4.4.0.1048.48
- linux-image-lowlatency - 4.4.0.151.159
- linux-image-lowlatency-hwe-16.04 - 4.15.0.52.73
- linux-image-oem - 4.15.0.52.73
- linux-image-oracle - 4.15.0.1015.9
- linux-image-powerpc-e500mc - 4.4.0.151.159
- linux-image-powerpc-smp - 4.4.0.151.159
- linux-image-powerpc64-emb - 4.4.0.151.159
- linux-image-powerpc64-smp - 4.4.0.151.159
- linux-image-raspi2 - 4.4.0.1111.111
- linux-image-snapdragon - 4.4.0.1115.107
- linux-image-virtual - 4.4.0.151.159
- linux-image-virtual-hwe-16.04 - 4.15.0.52.73

Ubuntu 14.04 ESM
- linux-image-3.13.0-171-generic - 3.13.0-171.222
- linux-image-3.13.0-171-generic-lpae - 3.13.0-171.222
- linux-image-3.13.0-171-lowlatency - 3.13.0-171.222
- linux-image-4.15.0-1047-azure - 4.15.0-1047.51~14.04.1
- linux-image-4.4.0-1046-aws - 4.4.0-1046.50
- linux-image-4.4.0-151-generic - 4.4.0-151.178~14.04.1
- linux-image-4.4.0-151-generic-lpae - 4.4.0-151.178~14.04.1
- linux-image-4.4.0-151-lowlatency - 4.4.0-151.178~14.04.1
- linux-image-aws - 4.4.0.1046.47
- linux-image-azure - 4.15.0.1047.34
- linux-image-generic - 3.13.0.171.182
- linux-image-generic-lpae - 3.13.0.171.182
- linux-image-generic-lpae-lts-xenial - 4.4.0.151.133
- linux-image-generic-lts-xenial - 4.4.0.151.133
- linux-image-lowlatency-lts-xenial - 4.4.0.151.133

Ubuntu 12.04 ESM
- linux-image-3.13.0-171-generic - 3.13.0-171.222~12.04.1
- linux-image-3.13.0-171-generic-lpae - 3.13.0-171.222~12.04.1
- linux-image-3.13.0-171-lowlatency - 3.13.0-171.222~12.04.1
- linux-image-3.2.0-141-generic - 3.2.0-141.188
- linux-image-generic - 3.2.0.141.156
- linux-image-generic-lpae-lts-trusty - 3.13.0.171.159
- linux-image-generic-lts-trusty - 3.13.0.171.159

A tout hasard, il n'y pas de risque que ça plante l'ordi ?

J'ai mis à jour toutes mes VM 18.04 LTS (HWE) ainsi qu'une machine physique et pas de soucis.

C'est une mise à jour kernel, pas différente de celles qu'on a tous les mois (en moyenne). Aucun rapport avec le BIOS.

En cas de problème avec grub, au pire le système ne boote pas, mais en aucun cas ça n'empêcherait l'accès au bios.