WatchGuard Support Center

Knowledge Base - Article

Security Issue

TCP SACK PANIC – Kernel Vulnerabilities (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479)

Tracking ID: FBX-16840
Status: Open
Article Number: 000011989
CVE ID: CVE-2019-11477
Severity: High
On 17 June 2019, Netflix engineering manager Jonathan Looney discovered several vulnerabilities that affect multiple open-source Linux and Unix operating systems. Impacted software kernels include FreeBSD 12 using the RACK TCP Stack, and Linux kernels between versions 2.6.29 and 4.15.

The most serious of the vulnerabilities could allow an attacker to execute a Denial of Service (DoS) attack by sending specially crafted TCP Selective Acknowledgement (SACK) packets to an affected service.

Various WatchGuard products and services are affected by this vulnerability. For specific products and services, see below. This article will be updated as WatchGuard releases patches for affected platforms.

Firebox and XTM Appliances
The version of the Linux kernel used in Fireware OS is vulnerable to this issue. WatchGuard engineering will introduce a patch to mitigate the vulnerability in an upcoming Fireware OS release.

WatchGuard AP
All WatchGuard Access Point models are affected by this vulnerability. WatchGuard engineering will introduce a patch to mitigate the vulnerability in an upcoming firmware release for the WatchGuard Access Point product family.

On July 2nd, 2019, a software patch was applied to all WatchGuard Wi-Fi Cloud servers and services to mitigate these vulnerabilities in Wi-Fi Cloud. Firmware for cloud-managed APs will be updated in an upcoming release.

WatchGuard Dimension
We released Dimension v2.1.2 Update 2 on 27 June 2019 to address this vulnerability.

WatchGuard WebBlocker On-Premise Server
The version of the Linux kernel used in the WatchGuard WebBlocker on-premise server is vulnerable to this issue. WatchGuard engineering will introduce a patch to mitigate the vulnerability in an upcoming release.

Workaround:
There is no user-configurable workaround at this time.

Resolution: