TCP SACK PANIC – Kernel Vulnerabilities
On 17 June 2019, Netflix engineering manager Jonathan Looney discovered several vulnerabilities that affect multiple open-source Linux and Unix operating systems. Impacted software kernels include FreeBSD 12 using the RACK TCP Stack, and Linux kernels between versions 2.6.29 and 4.15.
The most serious of the vulnerabilities could allow an attacker to execute a Denial of Service (DoS) attack by sending specially crafted TCP Selective Acknowledgement (SACK) packets to an affected service.
Various WatchGuard products and services are affected by this vulnerability. For specific products and services, see below. This article will be updated as WatchGuard releases patches for affected platforms.
Firebox and XTM Appliances
The version of the Linux kernel used in Fireware OS v12.5.1 and older is vulnerable to this issue. The release of v12.5.1 Update 1 resolved this vulnerability.
WatchGuard Access Points
All WatchGuard Access Point models are affected by this vulnerability.
On July 2nd, 2019, a software patch was applied to all WatchGuard Wi-Fi Cloud servers and services to mitigate these vulnerabilities in Wi-Fi Cloud. On August 23, 2019, WatchGuard Wi-Fi Cloud v8.8 and AP firmware 8.8.0-179 was released and resolves these vulnerabilities for cloud-managed APs.
Currently, these vulnerabilities are resolved in AP firmware 8.8.0-179 and higher for AP120, AP320, AP322, AP325, AP327X, and AP420 devices managed by Wi-Fi Cloud or managed locally by a Gateway Controller on a Firebox.
For legacy AP100, AP102, and AP200 devices, AP firmware 1.2.9.x resolves these vulnerabilities. For legacy AP300 devices, AP firmware 188.8.131.52 resolves these vulnerabilities. These updated AP firmware versions are available from Technical Support. To request the firmware, open a Support case.
We released Dimension v2.1.2 Update 2 on 27 June 2019 to address this vulnerability.
WatchGuard WebBlocker On-Premise Server
The version of the Linux kernel used in the WatchGuard WebBlocker on-premise server is vulnerable to this issue. WatchGuard engineering will introduce a patch to mitigate the vulnerability in an upcoming release.
There is no user-configurable workaround at this time.