Barracuda WAF patch update for SACK panic vulnerability (CVE-2019-11477 and CVE-2019-11478)
A few TCP networking vulnerabilities were discovered by security researchers recently. ‘SACK Panic’ is the most severe of the discovered vulnerabilities. This vulnerability is being tracked as CVE-2019-11477 and has been marked with a CVSS score of 7.5. The vulnerability impacts Linux kernel version 2.6.29 and later.
More details about Selective TCP ACK and ‘SACK Panic’ can be found at https://isc.sans.edu/diary/What+You+Need+To+Know+About+TCP+%22SACK+Panic%22/25046.
Barracuda WAF product line uses the Linux kernel for its firmware and a security definition update has been released to patch the units to prevent the vulnerability. This patch is available for all units running firmware version 22.214.171.124 or later. Its recommended that units running any firmware version prior to v126.96.36.199 be upgraded as soon possible to use the released patch update.
Patch Update Details
This ‘SACK Panic’ patch update ensures that the ‘tcp_sack’ attribute is set to 0 (set to disable) in the system kernel of the Barracuda WAF. This patch is released as an automatic update. Once the patch is applied to the system, the event will be logged under the system logs of the unit as below:
“Secdef: Successfully applied the mitigation for TCP SACK PANIC – Kernel vulnerabilities – CVE-2019-11477 & CVE-2019-11478.”
This message will be logged under the UPDATE module with the EventID 52014 with the severity level set to Alert.
For any clarifications regarding this update, please contact firstname.lastname@example.org