WatchGuard Support Center

Knowledge Base - Article

 TCP SACK PANIC – Kernel Vulnerabilities (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479)

Tracking ID: FBX-16840
Status: Open
Article Number: 000015877
CVE ID: CVE-2019-11477
Severity: High

On 17 June 2019, Netflix engineering manager Jonathan Looney discovered several vulnerabilities that affect multiple open-source Linux and Unix operating systems. Impacted software kernels include FreeBSD 12 using the RACK TCP Stack, and Linux kernels between versions 2.6.29 and 4.15.

The most serious of the vulnerabilities could allow an attacker to execute a Denial of Service (DoS) attack by sending specially crafted TCP Selective Acknowledgement (SACK) packets to an affected service.

Various WatchGuard products and services are affected by this vulnerability. For specific products and services, see below. This article will be updated as WatchGuard releases patches for affected platforms.

Firebox and XTM Appliances
The version of the Linux kernel used in Fireware OS v12.5.1 and older is vulnerable to this issue. The release of v12.5.1 Update 1 resolved this vulnerability. 

WatchGuard Access Points
All WatchGuard Access Point models are affected by this vulnerability.

On July 2nd, 2019, a software patch was applied to all WatchGuard Wi-Fi Cloud servers and services to mitigate these vulnerabilities in Wi-Fi Cloud. 
On August 23, 2019, WatchGuard Wi-Fi Cloud v8.8 and AP firmware 8.8.0-179 was released and resolves these vulnerabilities for cloud-managed APs.

Currently, these vulnerabilities are resolved in AP firmware 8.8.0-179 and higher for AP120, AP320, AP322, AP325, AP327X, and AP420 devices managed by Wi-Fi Cloud or managed locally by a Gateway Controller on a Firebox.

WatchGuard engineering will introduce updated firmware for legacy AP100, AP102, AP200, and AP300 devices in an upcoming release. 

WatchGuard Dimension
We released Dimension v2.1.2 Update 2 on 27 June 2019 to address this vulnerability. 

WatchGuard WebBlocker On-Premise Server
The version of the Linux kernel used in the WatchGuard WebBlocker on-premise server is vulnerable to this issue. WatchGuard engineering will introduce a patch to mitigate the vulnerability in an upcoming release.

There is no user-configurable workaround at this time.