Bugtraq mailing list archives

Watchguard Firewall Elevated Privilege Vulnerability


From: Philip J Lewis <Phil () SECURENETWORKING CO UK>
Date: Sat, 20 Jan 2001 18:52:56 +0000

I have found that the embedded Linux-based Watchguard Firebox II
Firewall product range is vulnerable to read-write access using only a
read-only passphrase. This gives a read-only user the ability to make
changes to the firewall remotely without either authorization or a
read-write passphrase. The risk is remote firewall compromise.


Firewalls at Risk
-----------------
Platforms tested (other Watchguard firewalls may also be vulnerable):
Watchguard FireboxII
Watchguard FireboxII+
Watchguard FireboxII Fast VPN

Firmware Versions (previous versions, including MSS, may also be
vulnerable):
LSS version 4.0 until 4.5 inclusive.


Exploit Method
--------------
The method of exploit involves using the supplied Watchguard
configuration tools/libraries and using their library functions to make
an SSL connection to the firebox via TCP/IP. You must authenticate using
the read-only passphrase and issue the MPF command (Watchguard's
proprietary firewall software, 'Mazama Packet Filter') to get a binary
file from the flash filesystem on the firebox. Retrieve the file called
'/var/lib/mpf/keys.gz'. This contains the hashed read-only and
read-write passphrases in gzipped format. It is not important to decrypt
these keys as these are sent to the firebox in exactly this hashed
format when authenticating an SSL connection anyway.
This read-write hashed passphrase can then be used with the MPF library
to authenticate and write files to that particular firewall such as a
modified configuration or issue commands to reboot the firewall.


Suggested Fix
-------------
To minimize the risk of such an attack Watchguard Firewall
administrators should make sure that they do not use a 'weak' read-only
password and that the configuration port rule on the firewall will only
allow incoming connections from trusted IPs/users. Apply the vendor
hotfix below.


Vendor Hotfix
-------------
The vendor promptly responded with a Hotfix (attached below). It can be
downloaded by registered Live Security System subscribers from:

https://www.watchguard.com/esupport.htm

The patch is called: 'Hotfix 010107'


Philip J. Lewis
Networking Consultant, Secure Networking Ltd.
Tel: +44 (0) 7887 955 981, Fax: +44 (0) 1189 841 957
PGP keyid: 0x1A8C0AFA (http://pgp.mit.edu)


--------------- Vendor Advisory --------------
From: lsalerts () watchguard com
Date: Thu, 18 Jan 2001 18:35:20 Pacific Standard Time
Subject: New Alert from LiveSecurity

WatchGuard LiveSecurity System

A new Threat Response is available on your LiveSecurity Service.  To
download this Threat Response, log in to your LiveSecurity Service and
click on the appropriate download link in the LiveSecurity System
Software section.


=======
Installation Instructions: Please print these instructions for
reference.

Hotfix 010107 Release Notes

Overview
This Threat Response addresses a security vulnerability for the
WatchGuard Firebox by preventing access to insecure files within the
Firebox itself. It contains WatchGuard Hotfix 010107. This Hotfix does
not include the components from previous Hotfixes. You should install
all previous Hotfixes before you install Hotfix 010107.

If you have any questions regarding this installation, please contact
WatchGuard Technical Support at +206.521.8375 or via the Web at
<https://www.watchguard.com/esupport.htm>.

Contents of this Hotfix
This Hotfix provides more stringent protection against insecure file
access on the Firebox. Installing this modification gives the Firebox
a much more robust defense against certain file access-related
activities aimed at a privilege elevation attack. This Hotfix secures
certain restricted files (not required by the user for proper
operation of the Firebox) to increase stability and decrease the
opportunity for a potential attack.

WatchGuard wishes to acknowledge and thank Philip J. Lewis of Secure
Networking Limited for his assistance in the development of this
Hotfix.

Before installing this software, please read the installation
instructions and release notes located in this file.

Installation and Initialization
1. Double Click on the Hotfix010107 file for your version of
WatchGuard software:

For LSS v4.1 SP4 -- Hotfix010107LSS41.wls
For LSS v4.5     -- Hotfix010107LSS45.wls

2. Run the downloaded executable file and follow the installation
instructions.
