I spoke to the SentinelOne guys about the news that broke last night of Netflix researchers revealing several troubling security vulnerabilities in the TCP implementations of the Linux and FreeBSD kernels. The most notable, SACK Panic, could permit an attacker to remotely induce a kernel panic on recent Linux systems.
Most of the chatter has been on the importance of timely patching, but there are hang-ups with that. S1's VP of Security Strategy sent over the quote below on the situation. If you'd like to use the quote, please feel free, and Chris would also welcome the opportunity for a quick chat if of interest. He can go into more detail on the specifics of the patching timetable for Linux vulnerabilities. Appreciate your consideration!
"As a security best practice this highlights the need for operational and security telemetry to baseline production systems so it would be easier to detect the issue. It also shows how critical and complex it can be to patch open source software, and the ripple effects. For many production systems there are processes that must be followed to ensure the patches themselves do not introduce performance or compatibility problems. For organizations that will inevitably have exposure time during the patch management process, behavior-based security for Linux systems that can detect or block these types of attacks is essential, as it buys valuable time and visibility during these critical periods."
Chris Bates, VP, Security Strategy, SentinelOne