Security Advisory Detail

TCP SACK PANIC – Kernel Vulnerabilities

Advisory ID: WGSA-2019-00001
CVE: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
Impact: High
Status: Acknowledged
Product Family: Firebox, Dimension, Secure Wi-Fi
Published Date:
Updated Date:
Workaround Available: True
CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary

On 17 June 2019, Netflix disclosed several TCP stack vulnerabilities found by Netflix engineering manager Jonathan Looney that affect Linux and FreeBSD. Of the three CVEs in this advisory, CVE-2019-11477 (SACK Panic) affects Linux kernels from 2.6.29 onward; CVE-2019-11478 (SACK Slowness) affects Linux kernels before 4.15, and causes excess resource usage on all Linux versions; CVE-2019-11479 (excess resource consumption due to low MSS values) affects all Linux versions. FreeBSD 12 using the RACK TCP stack is affected by a related SACK Slowness issue that is tracked separately as CVE-2019-5599 and is not among the CVEs listed above.

The most serious of these, CVE-2019-11477, lets an unauthenticated remote attacker crash (kernel panic) any host that exposes a TCP service. The attacker negotiates the minimum MSS of 48 bytes so that the victim's retransmit queue is fragmented into many small segments, then sends a sequence of specially crafted TCP Selective Acknowledgement (SACK) packets that makes the kernel's SACK coalescing code overflow a 16-bit segment counter and trip a BUG_ON. No credentials or user interaction are required, which is what the CVSS vector above reflects (AV:N/PR:N/UI:N, availability impact only). The other two CVEs degrade performance and consume CPU and memory rather than crashing the kernel.

Various WatchGuard products and services are affected by these vulnerabilities. For specific products and services, see below. This article will be updated as WatchGuard releases patches for affected platforms.
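As an added example (not code from WatchGuard or from the Netflix advisory), the following Python shows the two things a practitioner can act on from the description above: a parser that flags a SYN advertising SACK together with an abnormally low MSS, which is the precondition an attacker must establish for the SACK Panic, and a check of the interim mitigations Netflix published for unpatched Linux hosts (net.ipv4.tcp_sack=0, or an iptables tcpmss rule that drops low-MSS connections). Those host-level mitigations apply to general-purpose Linux servers; they are not exposed on the WatchGuard appliances covered here, which need the fixed versions listed under Affected. The packet bytes, sysctl output and iptables-save text in the block are constructed, and the 500-byte threshold follows the published "--mss 1:500" rule.

```python
"""
Added example, not WatchGuard code: detect the precondition of the SACK
Panic attack in a TCP SYN, and check an ordinary Linux host's mitigation
posture. All packet bytes and configuration text are constructed.
"""
import re
import struct
from dataclasses import dataclass
from typing import Optional

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS, TCPOPT_SACK_PERM = 0, 1, 2, 4
MIN_LINUX_MSS = 48       # the floor an attacker drives the peer MSS down to
LOW_MSS_THRESHOLD = 500  # upper bound of the published "--mss 1:500" drop rule


@dataclass
class SynInfo:
    src_port: int
    dst_port: int
    mss: Optional[int]
    sack_permitted: bool


def parse_tcp_syn(segment: bytes) -> SynInfo:
    """Parse the fixed header and option list of a raw TCP segment (no IP header)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    src, dst, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or data_off > len(segment):
        raise ValueError("bad data offset")
    opts, i = segment[20:data_off], 0
    mss, sack_perm = None, False
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        # Never trust the option length byte: bound it by the option area.
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option")
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        if kind == TCPOPT_MSS and len(body) == 2:
            mss = struct.unpack("!H", body)[0]
        elif kind == TCPOPT_SACK_PERM:
            sack_perm = True
        i += length
    return SynInfo(src, dst, mss, sack_perm)


def is_sack_panic_precondition(info: SynInfo) -> bool:
    """A SYN that enables SACK while advertising an MSS the drop rule would reject."""
    return info.sack_permitted and info.mss is not None and info.mss <= LOW_MSS_THRESHOLD


def build_syn(src_port: int, dst_port: int, mss: int, sack_permitted: bool = True) -> bytes:
    """Constructed SYN for testing; checksum is left zero because nothing transmits it."""
    opts = struct.pack("!BBH", TCPOPT_MSS, 4, mss)
    if sack_permitted:
        opts += bytes([TCPOPT_SACK_PERM, 2])
    while len(opts) % 4:
        opts += bytes([TCPOPT_NOP])
    data_off = (20 + len(opts)) // 4
    header = struct.pack("!HHIIHHHH", src_port, dst_port, 0x1000, 0,
                         (data_off << 12) | 0x002, 65535, 0, 0)
    return header + opts


MSS_RULE = re.compile(r"-m tcpmss --mss (\d+):(\d+).*-j DROP")


def mitigation_posture(sysctl_text: str, iptables_save_text: str) -> dict:
    """Evaluate the two interim mitigations for unpatched Linux hosts:
    net.ipv4.tcp_sack=0, or an iptables tcpmss DROP rule covering MSS 48."""
    sack_enabled = True  # kernel default
    for line in sysctl_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "net.ipv4.tcp_sack":
            sack_enabled = value.strip() != "0"
    low_mss_dropped = False
    for line in iptables_save_text.splitlines():
        m = MSS_RULE.search(line)
        if m and int(m.group(1)) <= MIN_LINUX_MSS <= int(m.group(2)):
            low_mss_dropped = True
    return {"sack_enabled": sack_enabled, "low_mss_dropped": low_mss_dropped,
            "mitigated": (not sack_enabled) or low_mss_dropped}


# Constructed sample inputs in the shape of sysctl and iptables-save output.
SYSCTL_DEFAULT = "net.ipv4.tcp_sack = 1\n"
SYSCTL_SACK_OFF = "net.ipv4.tcp_sack = 0\n"
IPTABLES_EMPTY = "*filter\n:INPUT ACCEPT [0:0]\nCOMMIT\n"
IPTABLES_LOW_MSS = ("*filter\n:INPUT ACCEPT [0:0]\n"
                    "-A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP\nCOMMIT\n")

if __name__ == "__main__":
    print(parse_tcp_syn(build_syn(40000, 443, MIN_LINUX_MSS)))
    print(mitigation_posture(SYSCTL_DEFAULT, IPTABLES_LOW_MSS))
```

The low-MSS check is a cheap signal, not proof of an attack: a legitimate stack essentially never advertises an MSS of 500 bytes or less, so hits are worth alerting on, but the decisive fix remains a patched kernel. Disabling SACK costs throughput on lossy links, which is why Netflix offered the tcpmss drop rule as the alternative.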

Affected

Firebox and XTM Appliances

The Linux kernel used in Fireware OS v12.5.1 and earlier is vulnerable to these issues. Fireware OS v12.5.1 Update 1 resolves them.

WatchGuard Access Points

All WatchGuard Access Point models are affected by this vulnerability.

On 2 July 2019, a software patch was applied to all WatchGuard Wi-Fi Cloud servers and services to mitigate these vulnerabilities in Wi-Fi Cloud. On 23 August 2019, WatchGuard Wi-Fi Cloud v8.8 and AP firmware 8.8.0-179 were released and resolve these vulnerabilities for cloud-managed APs.

These vulnerabilities are resolved in AP firmware 8.8.0-179 and higher for AP120, AP320, AP322, AP325, AP327X, and AP420 devices, whether managed by Wi-Fi Cloud or managed locally by a Gateway Controller on a Firebox.

For legacy AP100, AP102, and AP200 devices, AP firmware 1.2.9.x resolves these vulnerabilities. For legacy AP300 devices, AP firmware 2.0.0.12 resolves these vulnerabilities. These updated AP firmware versions are available from Technical Support. To request the firmware, open a Support case.

WatchGuard Dimension

We released Dimension v2.1.2 Update 2 on 27 June 2019 to address this vulnerability.

WatchGuard WebBlocker On-Premise Server

The Linux kernel used in the WatchGuard WebBlocker on-premise server is vulnerable to these issues. WatchGuard engineering will introduce a patch in an upcoming release; until then the server remains unpatched.

Workaround

There is no user-configurable workaround for the affected WatchGuard products at this time; the remedy is to upgrade to the fixed Fireware OS, Dimension, Wi-Fi Cloud, and AP firmware versions listed under Affected, where available.

Credits
Jonathan Looney - Netflix Engineering Manager
Advisory Product List
Product Family | Product Branch          | Product List
Firebox        | XTM 8 Series (2nd Gen)  | XTM850, XTM860, XTM870, XTM870-F
Firebox        | XTM 1500 and 2520       | XTM1520-RP, XTM1525-RP, XTM2520
Firebox        | Firebox T (1st Gen)     | T10, T10-W, T10-D, T30, T30-W, T50, T50-W
Firebox        | Firebox T (2nd Gen)     | T15, T15-W, T35, T35-W, T35-R, T55, T55-W, T70
Firebox        | Firebox T (3rd Gen)     | T20, T20-W, T40, T40-W, T80
Firebox        | Firebox M (2nd Gen)     | M270, M370, M470, M570, M670
Firebox        | Firebox M (1st Gen)     | M200, M300, M400, M440, M500
Firebox        | Firebox M (3rd Gen)     | M290, M390, M590, M690, M4800, M5800
Firebox        | XTMv                    | Small, Medium, Large, Datacenter
Firebox        | FireboxV                | Small, Medium, Large, XLarge
Dimension      | Dimension               | Dimension
Secure Wi-Fi   | Wi-Fi 6                 | AP130, AP330, AP430CR, AP432
Secure Wi-Fi   | Wi-Fi 4 & 5             | AP322, AP420, AP125, AP225W, AP325, AP327X