Penetration Testing mailing list archives
Re: [PEN-TEST] Watchguard firebox II
From: Dom De Vitto <dom () DEVITTO COM>
Date: Thu, 14 Dec 2000 23:11:45 -0000
ISS just released an advisory, funny that:

-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Advisory
December 14, 2000

Multiple vulnerabilities in the WatchGuard SOHO Firewall

Synopsis:

WatchGuard SOHO is an appliance firewall device targeted at small to mid-sized companies that wish to connect their network to the Internet. ISS X-Force discovered the following vulnerabilities in the SOHO Firewall that may allow an attacker to compromise or deny service to the device:

1. Weak Authentication
2. GET Request Buffer Overflow
3. Fragmented IP Packet Attack
4. Password Reset Using POST Operation

Impact:

These vulnerabilities could allow a remote attacker to gain access to the administrative functions of the firewall without authenticating, crash the configuration server, or cause the device to stop accepting network traffic.

Affected Versions:

WatchGuard SOHO Firewall with Firmware 1.6.0
WatchGuard SOHO Firewall with Firmware 2.1.3 (Issue 4 only)

Description:

1. Weak Authentication

By default, WatchGuard SOHO firewalls spawn an HTTP-compliant Web server that is used to configure the device from a standard Web browser. The service listens for connections originating from the private network since many of the configuration options are sensitive to the network's security. To protect the configuration server from unauthorized tampering from the private network, the administrator can enable a username and password that must be used to access the server. However, this authentication is only enforced on the HTML interface used to control the firewall, not on the objects that actually implement the various features. An attacker can directly request these objects and change the administrative password or reboot the firewall without knowledge of the username or password.

2. GET Request Buffer Overflow

An excessively long GET request to the Web server causes the WatchGuard SOHO configuration server to crash, requiring a reboot to regain functionality. X-Force has not yet determined if this vulnerability could be leveraged to execute arbitrary code. However, this buffer overflow does not yield any additional access beyond what can be obtained from the weak authentication vulnerability.

3. Fragmented IP Packet Attack

A large volume of fragmented IP packets directed at the SOHO firewall exhausts the device's resources, causing it to stop forwarding packets between interfaces and drop all connections. Rebooting the device is the only means to restore connectivity between the private and public networks.

4. Password Reset Using POST Operation

WatchGuard SOHO firmware 2.1.3 allows an administrator to set a password, which is required to access the configuration server's HTML interface as well as the underlying objects that implement the various configuration options. However, making a blank unauthenticated request to the /passcfg object will remove the password, allowing access to any of the administrative functions without the username/password combination.

Recommendations:

WatchGuard recommends upgrading to version 2.2.1 to eliminate these vulnerabilities. Latest versions of WatchGuard can be accessed at:
http://bisd.watchguard.com/SOHO/Downloads/swupdates.asp

The ISS SAFEsuite assessment software, Internet Scanner, will be updated to detect these vulnerabilities in an upcoming X-Press Update.

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

CAN-2000-0894 Weak authentication and Password Reset using POST Operation
CAN-2000-0895 GET Request Buffer Overflow
CAN-2000-0896 Fragmented IP packet attack

Credits:

This vulnerability was discovered and researched by Steven Maks and Keith Jarvis of ISS. Internet Security Systems would like to thank WatchGuard Technologies Inc. for their response and handling of these vulnerabilities.

_____

About Internet Security Systems (ISS)

Internet Security Systems, Inc. (ISS) (NASDAQ: ISSX) is the leading global provider of security management solutions for the Internet. By combining best of breed products, security management services, aggressive research and development, and comprehensive educational and consulting services, ISS is the trusted security advisor for thousands of organizations around the world looking to protect their mission critical information and networks.

Copyright (c) 2000 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce () iss net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force xforce () iss net of Internet Security Systems, Inc.

| -----Original Message-----
| From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
| Of Skinner, Tim L.
| Sent: 11 December 2000 16:22
| To: PEN-TEST () SECURITYFOCUS COM
| Subject: [PEN-TEST] Watchguard firebox II
|
|
| Hi,
|
| I am about to pen-test a watchguard firebox II firewall and I have never
| worked on one of those before. Does anyone out there know of common
| exploits or problems with these things?
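Added illustration, not code from ISS, WatchGuard or this list: a toy Python model of the design flaw behind issues 1 and 4 above (credentials checked only by the HTML page handler, while the objects such as /passcfg are reachable directly and a blank POST clears the password) next to the hardened shape, a single authentication gate in front of every object plus rejection of an empty password change. The Request and ConfigServer classes and the "/", "/passcfg" and "/reboot" paths are hypothetical stand-ins, not the appliance's real interface.

```python
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Request:
    """Constructed stand-in for an HTTP request to the config server."""
    method: str
    path: str
    auth: Optional[Tuple[str, str]] = None  # (username, password) or None
    body: str = ""


@dataclass
class ConfigServer:
    """Hypothetical config server; enforce_globally selects the hardened design."""
    username: str
    password: str
    enforce_globally: bool   # False = only the HTML page checks credentials
    rebooted: bool = False

    def _authenticated(self, req: Request) -> bool:
        if req.auth is None:
            return False
        user, pw = req.auth
        # Constant-time comparison so the check itself leaks nothing
        return (hmac.compare_digest(user.encode(), self.username.encode())
                and hmac.compare_digest(pw.encode(), self.password.encode()))

    def handle(self, req: Request) -> int:
        # Hardened design: one gate before any dispatch, so no object is reachable
        # without credentials regardless of which handler implements it
        if self.enforce_globally and not self._authenticated(req):
            return 401
        if req.path == "/":
            # Weak design: this is the only place credentials are ever checked
            return 200 if self._authenticated(req) else 401
        if req.path == "/passcfg" and req.method == "POST":
            # Weak design: a blank body silently removes the password
            if self.enforce_globally and not req.body.strip():
                return 400  # hardened: refuse to set an empty password
            self.password = req.body.strip()
            return 200
        if req.path == "/reboot":
            self.rebooted = True  # weak design lets anyone trigger this
            return 200
        return 404
```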
Current thread:
- [PEN-TEST] Watchguard firebox II Skinner, Tim L. (Dec 13)
- Re: [PEN-TEST] Watchguard firebox II Alex Butcher (Dec 14)
- Re: [PEN-TEST] Watchguard firebox II Axel Dunkel (Dec 14)
- Re: [PEN-TEST] Watchguard firebox II Talisker (Dec 14)
- Re: [PEN-TEST] Watchguard firebox II Dom De Vitto (Dec 15)
- <Possible follow-ups>
- [PEN-TEST] Watchguard firebox iI Waters, Simon (Dec 13)
- Re: [PEN-TEST] Watchguard firebox II Steve Fallin (Dec 16)
- Re: [PEN-TEST] Watchguard firebox II Alex Butcher (Dec 14)