Bugtraq mailing list archives

Multiple vulnerabilities in the WatchGuard SOHO Firewall


From: Steve Fallin <Steve.Fallin () WATCHGUARD COM>
Date: Wed, 13 Dec 2000 15:41:50 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Overview:

On September 13, ISS advised WatchGuard of three suspected
vulnerabilities in older versions (prior to 2.2) of software running
on WatchGuard's SOHO Firebox product. They later reported a fourth
vulnerability.  The vulnerabilities are:

1.      Inappropriately accessing configuration files using the HTTP
configuration server (affects releases prior to 2.1.3)

2.      A possible buffer overflow - arbitrary code might be executed
by applying an excessively long HTTP GET request (affects releases
prior to 2.1.3)

3.      DoS could be induced by flooding the SOHO with fragmented
packets (affects release 1.6.0 and previous)

4.      SOHO password can be reset using a POST operation without
authentication (affects releases prior to 2.2.0)

All the items were addressed in previous releases of the software and
are no longer issues.

The currently shipping version of the SOHO software is 2.2.1. Current
LiveSecurity subscribers are automatically sent new versions of
software as the software becomes available. In addition, the most
current version of the software is always posted on our Web site. All
LiveSecurity subscribers should be running the most current version of
the software to maintain the highest level of protection.

Analysis:

1.      Inappropriate Access via HTTP Vulnerability.

ISS found the SOHO responded to HTTP requests (such as
192.168.111.1/secret.dat to access the file secret.dat).

The SOHO only honors HTTP requests from inside the trusted LAN
network. Outsiders could not exploit this vulnerability.

This vulnerability was verified and corrected in Release 2.1.3.
Release 2.1.3 was broadcast to all current subscribers in
mid-September and has been available on our Web site since then.

2.      Applying Long HTTP GET Requests.

The way memory is architected in the SOHO, we do not believe that this
exploit could be used to run arbitrary code. We believe that the
potential damage caused by this attack would be a Denial of Service by
crashing the administration server, requiring a reboot.

Again, this vulnerability could only be exploited inside the trusted
LAN.

This vulnerability was verified and corrected in Release 2.1.3.
Release 2.1.3 was broadcast to all current subscribers in
mid-September and has been available on our Web site since then.

3.      DoS from Flooding a SOHO with Fragmented Packets.

We were able to reproduce this problem with version 1.6.0. 1.6.0
stopped shipping in early August. The issue does not exist in any 2.x
release.

All LiveSecurity subscribers would have updated their SOHOs to a 2.x
release long before this vulnerability was reported.

4.      SOHO Password Reset Using a POST Operation without
Authentication.

The SOHO only honors HTTP requests from inside the trusted LAN
network. Outsiders could not exploit this vulnerability.

This vulnerability was verified and corrected in Release 2.2. Release
2.2 was broadcast to all current subscribers in mid-November and has
been available on our Web site since then.

To reiterate, all the items were addressed in previous releases of the
software and are no longer issues.

The currently shipping version of the SOHO software is 2.2.1. Current
LiveSecurity subscribers are automatically sent new versions of
software as the software becomes available. In addition, the most
current version of the software is always posted on our Web site. All
LiveSecurity subscribers should be running the most current version of
the software to maintain the highest level of protection.


Sincerely,

Steve Fallin
Director, Rapid Response Team
WatchGuard Technologies, Inc.
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.0.2

iQA/AwUBOjgJSE3Vi9lbkWzpEQKW5QCg+dM6D3c5ya8pPxTmjSPGCdrmq0EAnihX
Yc1KXFTdTMY+aqeuN3Er+f+n
=tpgB
-----END PGP SIGNATURE-----
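The four findings above (files served outside the intended set, an unbounded request line, a state-changing POST accepted without authentication, and the reliance on "trusted LAN only" as a mitigating factor) are all properties of how an embedded administration server handles a request. The following Python is an added illustration of those checks and is not WatchGuard's code; the network 192.168.111.0/24, the 1024-byte request bound, the path allowlist and the /password endpoint are constructed assumptions chosen to match the advisory's example address, not the product's real behaviour. The fragmented-packet DoS lives in the IP stack rather than the HTTP handler and is not modelled here.

```python
"""Request handling for a small embedded HTTP admin server (added example).

Models the defect classes named in the advisory with constructed requests:
  - GET of a file outside the intended set (including "../" tricks)
  - an excessively long request line
  - a POST that resets the password without authentication
  - any request arriving from outside the trusted LAN
"""
import ipaddress
import posixpath
from dataclasses import dataclass, field

TRUSTED_LAN = ipaddress.ip_network("192.168.111.0/24")   # assumption
MAX_REQUEST_LINE = 1024                                    # assumption
ALLOWED_PATHS = {"/", "/index.html", "/status.html"}       # assumption


@dataclass
class Request:
    client_ip: str
    method: str
    path: str
    authenticated: bool = False   # set by the caller after credential checks
    body: str = ""


@dataclass
class AdminServer:
    password: str = "initial"            # constructed starting value
    log: list = field(default_factory=list)

    def handle(self, req: Request) -> tuple:
        """Return (status, message) for one request."""
        # 1. Source check: the admin server is only meant for the trusted LAN.
        try:
            src = ipaddress.ip_address(req.client_ip)
        except ValueError:
            return self._deny(403, "bad source address")
        if src not in TRUSTED_LAN:
            return self._deny(403, "admin interface not reachable from outside")

        # 2. Bound the request line before touching it, so an over-long GET
        #    is rejected instead of being copied into a fixed-size buffer.
        if len(req.path) > MAX_REQUEST_LINE:
            return self._deny(414, "request line too long")

        path = normalize_path(req.path)

        # 3. Only an explicit allowlist of pages is served; anything else,
        #    including a config file named directly, gets 404.
        if req.method == "GET":
            if path not in ALLOWED_PATHS:
                return self._deny(404, "not found")
            return 200, "ok"

        # 4. State-changing operations require an authenticated session.
        if req.method == "POST" and path == "/password":
            if not req.authenticated:
                return self._deny(401, "authentication required")
            if len(req.body) < 8:
                return self._deny(400, "password too short")
            self.password = req.body
            return 200, "password changed"

        return self._deny(405, "method not allowed")

    def _deny(self, status: int, reason: str) -> tuple:
        # Record rejections so an administrator can review them later.
        self.log.append((status, reason))
        return status, reason


def normalize_path(raw: str) -> str:
    """Collapse '.' and '..' so '/status.html/../secret.dat' is judged as
    '/secret.dat' against the allowlist rather than slipping past it."""
    path = raw.split("?", 1)[0]
    norm = posixpath.normpath("/" + path)
    if norm.startswith("//"):          # normpath keeps a leading '//'
        norm = "/" + norm.lstrip("/")
    return norm


if __name__ == "__main__":
    srv = AdminServer()
    print(srv.handle(Request("192.168.111.20", "GET", "/secret.dat")))
    print(srv.handle(Request("192.168.111.20", "POST", "/password", body="x" * 12)))
```

Each rejection is logged with its status and reason, which is the signal a defender wants from an embedded device: repeated 404s for non-page names, 414s, or 401s on /password from one LAN host are worth a look even when the device itself held.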