Bugtraq mailing list archives
Watchguard Firewall Elevated Privilege Vulnerability
From: Philip J Lewis <Phil () SECURENETWORKING CO UK>
Date: Sat, 20 Jan 2001 18:52:56 +0000
I have found that the embedded Linux-based Watchguard Firebox II Firewall product range is vulnerable to read-write access using only a read-only passphrase. This gives a read-only user the ability to make changes to the firewall remotely without either authorization or a read-write passphrase. The risk is remote firewall compromise.

Firewalls at Risk
-----------------

Platforms tested (other Watchguard firewalls may also be vulnerable):

  Watchguard FireboxII
  Watchguard FireboxII+
  Watchguard FireboxII Fast VPN

Firmware Versions (previous versions, including MSS, may also be vulnerable):

  LSS version 4.0 until 4.5 inclusive.

Exploit Method
--------------

The method of exploit involves using the supplied Watchguard configuration tools/libraries and their library functions to make an SSL connection to the Firebox via TCP/IP. You must authenticate using the read-only passphrase and issue the MPF command (Watchguard's proprietary firewall software, 'Mazama Packet Filter') to get a binary file from the flash filesystem on the Firebox. Retrieve the file called '/var/lib/mpf/keys.gz'. This contains the hashed read-only and read-write passphrases in gzipped format. It is not important to decrypt these keys, as these are sent to the Firebox in exactly this hashed format when authenticating an SSL connection anyway. This read-write hashed passphrase can then be used with the MPF library to authenticate and write files to that particular firewall, such as a modified configuration, or to issue commands to reboot the firewall.

Suggested Fix
-------------

To minimize the risk of such an attack, Watchguard Firewall administrators should make sure that they do not use a 'weak' read-only password and that the configuration port rule on the firewall will only allow incoming connections from trusted IPs/users. Apply the vendor hotfix below.

Vendor Hotfix
-------------

The vendor promptly responded with a Hotfix (attached below).
It can be downloaded by registered Live Security System subscribers from:

  https://www.watchguard.com/esupport.htm

The patch is called: 'Hotfix 010107'

Philip J. Lewis
Networking Consultant, Secure Networking Ltd.
Tel: +44 (0) 7887 955 981, Fax: +44 (0) 1189 841 957
PGP keyid: 0x1A8C0AFA (http://pgp.mit.edu)

--------------- Vendor Advisory --------------

From: lsalerts () watchguard com
Date: Thu, 18 Jan 2001 18:35:20 Pacific Standard Time
Subject: New Alert from LiveSecurity

WatchGuard LiveSecurity System

A new Threat Response is available on your LiveSecurity Service. To download this Threat Response, log in to your LiveSecurity Service and click on the appropriate download link in the LiveSecurity System Software section.

=======

Installation Instructions: Please print these instructions for reference.

Hotfix 010107 Release Notes

Overview

This Threat Response addresses a security vulnerability for the WatchGuard Firebox by preventing access to insecure files within the Firebox itself. It contains WatchGuard Hotfix 010107. This Hotfix does not include the components from previous Hotfixes. You should install all previous Hotfixes before you install Hotfix 010107. If you have any questions regarding this installation, please contact WatchGuard Technical Support at +206.521.8375 or via the Web at <https://www.watchguard.com/esupport.htm>.

Contents of this Hotfix

This Hotfix provides more stringent protection against insecure file access on the Firebox. Installing this modification gives the Firebox a much more robust defense against certain file access-related activities aimed at a privilege elevation attack. This Hotfix secures certain restricted files (not required by the user for proper operation of the Firebox) to increase stability and decrease the opportunity for a potential attack.

WatchGuard wishes to acknowledge and thank Philip J. Lewis of Secure Networking Limited for his assistance in the development of this Hotfix.

Before installing this software, please read the installation instructions and release notes located in this file.

Installation and Initialization

1. Double-click on the Hotfix010107 file for your version of WatchGuard software:

     For LSS v4.1 SP4 -- Hotfix010107LSS41.wls
     For LSS v4.5     -- Hotfix010107LSS45.wls

2. Run the downloaded executable file and follow the installation instructions.
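The design flaw the post describes is a pass-the-hash problem: the Firebox accepts the stored hash itself as the login credential, so a read-only session that can pull the hash file holds a read-write credential. The model below is an added example written for this page, not WatchGuard's MPF code or library; the hash function (unsalted SHA-1), the `role:hash` line format inside keys.gz, and every class and function name are assumptions. `elevate()` walks the advisory's steps against the vulnerable model. `HardenedFirebox` applies two fixes: the restricted-file check that the hotfix notes describe, and (going beyond what the hotfix states) a salted PBKDF2 verifier with a login that takes the passphrase rather than its hash, so that a leaked verifier file is no longer replayable.

```python
"""Model of the Firebox keys.gz flaw (constructed example, not WatchGuard code).
Assumed: unsalted SHA-1 hashes, 'role:hash' lines in keys.gz, all names below."""
import gzip
import hashlib
import hmac
import os

KEYS_PATH = "/var/lib/mpf/keys.gz"  # the file named in the advisory
PBKDF2_ROUNDS = 100_000


def legacy_hash(passphrase: str) -> str:
    """Assumed legacy scheme: unsalted one-way hash of the passphrase."""
    return hashlib.sha1(passphrase.encode()).hexdigest()


class VulnerableFirebox:
    """Hash-is-the-credential design: login() accepts the hash itself and the
    file holding the hashes is served to any authenticated session."""

    def __init__(self, ro_pass: str, rw_pass: str) -> None:
        keys = f"ro:{legacy_hash(ro_pass)}\nrw:{legacy_hash(rw_pass)}\n"
        self.files = {KEYS_PATH: gzip.compress(keys.encode())}
        self.config = "original config"

    def login(self, presented_hash: str):
        """Returns the role whose stored hash equals the presented hash."""
        for line in gzip.decompress(self.files[KEYS_PATH]).decode().splitlines():
            role, stored = line.split(":", 1)
            if hmac.compare_digest(stored, presented_hash):
                return role
        return None

    def get_file(self, role, path: str) -> bytes:
        if role not in ("ro", "rw"):
            raise PermissionError("not authenticated")
        return self.files[path]  # flaw: no list of files a session may not read

    def write_config(self, role, data: str) -> None:
        if role != "rw":
            raise PermissionError("read-write passphrase required")
        self.config = data


def elevate(box: VulnerableFirebox, ro_pass: str):
    """The advisory's method: read-only login, fetch keys.gz, replay the rw hash."""
    role = box.login(legacy_hash(ro_pass))            # 'ro'
    blob = gzip.decompress(box.get_file(role, KEYS_PATH)).decode()
    hashes = dict(line.split(":", 1) for line in blob.splitlines())
    rw_role = box.login(hashes["rw"])                 # 'rw'; rw passphrase never known
    box.write_config(rw_role, "attacker config")
    return rw_role


class HardenedFirebox:
    """(1) Restricted files are never served to remote sessions, the behaviour
    the hotfix notes describe. (2) Salted PBKDF2 verifiers are stored and login()
    takes the passphrase, so a copy of the verifier file is not a credential."""

    RESTRICTED = frozenset({KEYS_PATH})

    def __init__(self, ro_pass: str, rw_pass: str) -> None:
        self.verifiers = {}
        for role, pw in (("ro", ro_pass), ("rw", rw_pass)):
            salt = os.urandom(16)
            self.verifiers[role] = (salt, self._derive(pw, salt))
        self.files = {KEYS_PATH: b"<verifier file, never served>"}
        self.config = "original config"

    @staticmethod
    def _derive(passphrase: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)

    def login(self, passphrase: str):
        for role, (salt, verifier) in self.verifiers.items():
            if hmac.compare_digest(self._derive(passphrase, salt), verifier):
                return role
        return None

    def get_file(self, role, path: str) -> bytes:
        if role not in ("ro", "rw"):
            raise PermissionError("not authenticated")
        if path in self.RESTRICTED:
            raise PermissionError(f"{path} is not served to remote sessions")
        return self.files[path]


def elevation_blocked(box: HardenedFirebox, ro_pass: str) -> bool:
    """Re-run the attack against the hardened box; True if every step fails."""
    role = box.login(ro_pass)
    try:
        box.get_file(role, KEYS_PATH)
        return False
    except PermissionError:
        pass
    # Even with the verifier in hand, presenting it as the passphrase fails.
    leaked = box.verifiers["rw"][1].hex()
    return box.login(leaked) is None
```

The "weak read-only password" advice in the post maps onto the first step of `elevate()`: the attacker still has to know a read-only passphrase, but nothing after that step depends on guessing anything. Restricting the configuration port to trusted source addresses removes the SSL connection itself, which is why both mitigations are listed alongside the hotfix.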