How to disable TCP SACK for CentOS?

3

A new security vulnerability has been announced called "TCP SACK PANIC". https://access.redhat.com/security/vulnerabilities/tcpsack

Three related flaws were found in the Linux kernel’s handling of TCP networking. The most severe vulnerability could allow a remote attacker to trigger a kernel panic in systems running the affected software and, as a result, impact the system’s availability.

A work around suggested by theregister.co.uk is to disable TCP SACK.

https://www.theregister.co.uk/2019/06/17/linux_tcp_sack_kernel_crash/

Patches and mitigations are available, and can be applied by hand if needed, or you can wait for a security fix to be pushed or offered to your at-risk device. A key workaround is to set /proc/sys/net/ipv4/tcp_sack to 0.

How do you do this on CentOS 7.6.1810?

I've tried using sudo nano and editing the file to 0, but I don't have permission. I tried changing the permissions to get write access, and that also returned `changing permissions of 'tcp_sack': Operation not permitted`.

user2924019

Posted 2019-06-18T10:46:50.310

Reputation: 242

I realise that this may be better suited to serverfault.com – user2924019 – 2019-06-18T11:16:04.317

SELinux? Shared kernel virtualization? – Kamil Maciorowski – 2019-06-18T11:42:39.413

Answers

3

You should be able to do

echo "0" > /proc/sys/net/ipv4/tcp_sack

Make sure to do this as a superuser, regular system users do not have permission to alter this value.


This change is not permanent, by the way. Add the following to your /etc/sysctl.conf to apply it on boot, and you can use sysctl -p to apply the changes directly:

echo "net.ipv4.tcp_sack = 0" >> /etc/sysctl.conf
sysctl -p

Bart

Posted 2019-06-18T10:46:50.310

Reputation: 31

I set sudo su first, and then tried both but still getting sysctl: permission denied on key 'net.ipv4.tcp_sack' – user2924019 – 2019-06-18T11:18:24.017

@user2924019 If you're root it will work. Permission denied is to be expected if you do sudo with a redirect. – Nick – 2019-06-25T09:23:38.417

I tried with root with and without sudo. – user2924019 – 2019-06-25T12:10:55.223

The issue is that the >> happens in the user's shell, not the sudo shell. Do something like sudo bash then do the echo. – stolenmoment – 2019-06-25T15:10:16.803

Is a reboot required? – PeterJ – 2019-06-27T01:30:05.780

A reboot is not required for either solution provided, given that if you use the sysctl.conf option you run "sysctl -p" after modifying the file. – Bart – 2019-06-27T10:13:04.320
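The following script is an added example, not part of Bart's answer or the comment thread. It puts the two steps from the answer (write 0 to /proc/sys/net/ipv4/tcp_sack, then persist net.ipv4.tcp_sack = 0 in /etc/sysctl.conf and run sysctl -p) into functions, and it handles the pitfall stolenmoment describes: with `sudo echo 0 > file` the redirect is opened by the caller's unprivileged shell, so the script re-executes itself under sudo before touching anything. The function names, the `--apply` flag and the idempotent rewrite of an existing `net.ipv4.tcp_sack` line are this example's own choices; the sysctl key, the procfs path and `sysctl -p` come from the thread.

```shell
#!/bin/bash
# Added example: disable TCP SACK on CentOS 7 at runtime and across reboots.
# Run as:  bash disable_sack.sh --apply
set -eu

SYSCTL_KEY="net.ipv4.tcp_sack"                 # key from the answer
PROC_PATH="/proc/sys/net/ipv4/tcp_sack"        # runtime knob from the question
CONF_PATH="/etc/sysctl.conf"                   # persistence file from the answer

# Print the current value stored in the procfs file given as $1.
current_sack() {
    tr -d '[:space:]' < "$1"
}

# Write 0 to the procfs file $1. The redirect runs inside this process,
# so it only succeeds when this process itself holds root.
disable_sack_runtime() {
    printf '0\n' > "$1"
}

# Set "net.ipv4.tcp_sack = 0" in the sysctl config file $1 exactly once:
# rewrite an existing line if there is one, otherwise append (the answer's
# plain ">>" appends a duplicate line every time it is re-run).
persist_sack_setting() {
    local conf="$1"
    if grep -qE "^[[:space:]]*${SYSCTL_KEY}[[:space:]]*=" "$conf" 2>/dev/null; then
        sed -i -E "s|^[[:space:]]*${SYSCTL_KEY}[[:space:]]*=.*|${SYSCTL_KEY} = 0|" "$conf"
    else
        printf '%s = 0\n' "$SYSCTL_KEY" >> "$conf"
    fi
}

# Succeed only if config file $1 sets the key to 0 on exactly one line.
verify_persisted() {
    [ "$(grep -cE "^[[:space:]]*${SYSCTL_KEY}[[:space:]]*=[[:space:]]*0[[:space:]]*$" "$1")" -eq 1 ]
}

main() {
    # Re-exec under sudo so the redirect, sed and sysctl all run as root.
    # "sudo echo 0 > file" fails because the caller's shell opens the file
    # before sudo ever starts.
    if [ "$(id -u)" -ne 0 ]; then
        exec sudo "$0" "$@"
    fi
    echo "tcp_sack before: $(current_sack "$PROC_PATH")"
    disable_sack_runtime "$PROC_PATH"
    persist_sack_setting "$CONF_PATH"
    verify_persisted "$CONF_PATH" || { echo "config check failed" >&2; exit 1; }
    sysctl -p                     # reload /etc/sysctl.conf, as in the answer
    echo "tcp_sack after: $(sysctl -n "$SYSCTL_KEY")"
}

if [ "${1:-}" = "--apply" ]; then
    main "$@"
fi
```

The before/after lines let you confirm that the running kernel and the config file agree, which is the check behind PeterJ's reboot question: no reboot is needed, but a persisted setting that was never loaded with sysctl -p is the usual reason the two drift apart. Keep in mind that turning SACK off is a mitigation with a cost: TCP throughput on lossy links drops noticeably, so re-enable it once the patched kernel is installed.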