Penetration Testing mailing list archives

Re: [PEN-TEST] Watchguard firebox II


From: Steve Fallin <Steve.Fallin () WATCHGUARD COM>
Date: Fri, 15 Dec 2000 15:07:34 -0800



Dear Dom and Pen Testers,

Please also note our response.  What ISS does not state in their
affected versions section is that none of their issues involve current
code and that our product includes features to ensure that all of our
customers stay current on the releases. For the sake of completeness,
I have appended a copy of the post we sent to Bugtraq. Please feel
free to contact me directly if you have any questions.

Sincerely,

Steve Fallin
Director, Rapid Response Team
WatchGuard Technologies, Inc.


- ---Begin Release---
Overview:

On September 13, ISS advised WatchGuard of three suspected
vulnerabilities in older versions (prior to 2.2) of software running
on WatchGuard's SOHO Firebox product. They later reported a fourth
vulnerability.  The vulnerabilities are:

1.      Inappropriately accessing configuration files using the HTTP
configuration server (affects releases prior to 2.1.3)

2.      A possible buffer overflow - arbitrary code might be executed
by applying an excessively long HTTP GET request (affects releases
prior to 2.1.3)

3.      DoS could be induced by flooding the SOHO with fragmented
packets (affects release 1.6.0 and previous)

4.      SOHO password can be reset using a POST operation without
authentication (affects releases prior to 2.2.0)

All the items were addressed in previous releases of the software and
are no longer issues.

The currently shipping version of the SOHO software is 2.2.1. Current
LiveSecurity subscribers are automatically sent notifications about
new versions of software as the software becomes available. In
addition, the most current version of the software is always posted
on our Web site. All LiveSecurity subscribers should be running the
most current version of the software to maintain the highest level of
protection.

Analysis:

1.      Inappropriate Access via HTTP Vulnerability.

ISS found the SOHO responded to HTTP requests (such as
192.168.111.1/secret.dat to access the file secret.dat).

The SOHO only honors HTTP requests from inside the trusted LAN
network. Outsiders could not exploit this vulnerability.

This vulnerability was verified and corrected in Release 2.1.3.
Release 2.1.3 was broadcast to all current subscribers in
mid-September and has been available on our Web site since then.

2.      Applying Long HTTP GET Requests.

The way memory is architected in the SOHO, we do not believe that this
exploit could be used to run arbitrary code. We believe that the
potential damage caused by this attack would be a Denial of Service by
crashing the administration server, requiring a reboot.

Again, this vulnerability could only be exploited inside the trusted
LAN.

This vulnerability was verified and corrected in Release 2.1.3.
Release 2.1.3 was broadcast to all current subscribers in
mid-September and has been available on our Web site since then.

3.      DoS from Flooding a SOHO with Fragmented Packets.

We were able to reproduce this problem with version 1.6.0. 1.6.0
stopped shipping in early August. The issue does not exist in any 2.x
release.

All LiveSecurity subscribers would have updated their SOHOs to a 2.x
release long before this vulnerability was reported.

4.      SOHO Password Reset Using a POST Operation without
Authentication.

The SOHO only honors HTTP requests from inside the trusted LAN
network. Outsiders could not exploit this vulnerability.

This vulnerability was verified and corrected in Release 2.2. Release
2.2 was broadcast to all current subscribers in mid-November and has
been available on our Web site since then.

To reiterate, all the items were addressed in previous releases of the
software and are no longer issues.

The currently shipping version of the SOHO software is 2.2.1. Current
LiveSecurity subscribers are automatically sent notifications about
new versions of software as the software becomes available. In
addition, the most current version of the software is always posted
on our Web site. All LiveSecurity subscribers should be running the
most current version of the software to maintain the highest level of
protection.


Sincerely,

Steve Fallin
Director, Rapid Response Team
WatchGuard Technologies, Inc.




-----Original Message-----
From: Dom De Vitto [mailto:dom () DEVITTO COM]
Sent: Thursday, December 14, 2000 3:12 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] Watchguard firebox II


ISS just released an advisory, funny that:


Internet Security Systems Security Advisory
December 14, 2000

Multiple vulnerabilities in the WatchGuard SOHO Firewall

Synopsis:

WatchGuard SOHO is an appliance firewall device targeted at small
to mid-sized companies that wish to connect their network to the
Internet. ISS X-Force discovered the following vulnerabilities in the
SOHO Firewall that may allow an attacker to compromise or deny service
to the device:


1.      Weak Authentication
2.      GET Request Buffer Overflow
3.      Fragmented IP Packet Attack
4.      Password Reset Using POST Operation


Impact:

These vulnerabilities could allow a remote attacker to gain access to
the administrative functions of the firewall without authenticating,
crash the configuration server, or cause the device to stop accepting
network traffic.

Affected Versions:

WatchGuard SOHO Firewall with Firmware 1.6.0
WatchGuard SOHO Firewall with Firmware 2.1.3 (Issue 4 only)


Description:

1.      Weak Authentication
By default, WatchGuard SOHO firewalls spawn an HTTP-compliant Web
server that is used to configure the device from a standard Web
browser. The service listens for connections originating from the
private network since many of the configuration options are sensitive
to the network's security. To protect the configuration server from
unauthorized tampering from the private network, the administrator can
enable a username and password that must be used to access the server.
However, this authentication is only enforced on the HTML interface
used to control the firewall, not on the objects that actually
implement the various features.

An attacker can directly request these objects and change the
administrative password or reboot the firewall without knowledge of
the username or password.

2.      GET Request Buffer Overflow
An excessively long GET request to the Web server causes the
WatchGuard SOHO configuration server to crash, requiring a reboot to
regain functionality. X-Force has not yet determined if this
vulnerability could be leveraged to execute arbitrary code. However,
this buffer overflow does not yield any additional access beyond what
can be obtained from the weak authentication vulnerability.

3.      Fragmented IP packet attack
A large volume of fragmented IP packets directed at the SOHO firewall
exhausts the device's resources, causing it to stop forwarding packets
between interfaces and drop all connections. Rebooting the device is
the only means to restore connectivity between the private and public
networks.

4.      Password Reset using POST Operation
WatchGuard SOHO firmware 2.1.3 allows an administrator to set a
password, which is required to access the configuration server's
HTML interface as well as the underlying objects that implement the
various configuration options. However, making a blank unauthenticated
request to the /passcfg object will remove the password, allowing access
to any of the administrative functions without the username/password
combination.

Recommendations:

WatchGuard recommends upgrading to version 2.2.1 to eliminate these
vulnerabilities.

Latest versions of WatchGuard can be accessed at:
http://bisd.watchguard.com/SOHO/Downloads/swupdates.asp

The ISS SAFEsuite assessment software, Internet Scanner, will be
updated to detect these vulnerabilities in an upcoming X-Press Update.

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

CAN-2000-0894 Weak authentication and Password Reset using POST Operation
CAN-2000-0895 GET Request Buffer Overflow
CAN-2000-0896 Fragmented IP packet attack


Credits:

This vulnerability was discovered and researched by Steven Maks
and Keith Jarvis of ISS.  Internet Security Systems would like
to thank WatchGuard Technologies Inc. for their response and
handling of these vulnerabilities.

_____


About Internet Security Systems (ISS)

Internet Security Systems, Inc. (ISS) (NASDAQ: ISSX) is the leading
global provider of security management solutions for the Internet. By
combining best of breed products, security management services,
aggressive research and development, and comprehensive educational and
consulting services, ISS is the trusted security advisor for thousands
of organizations around the world looking to protect their mission
critical information and networks.

Copyright (c) 2000 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part
of this Alert in any other medium excluding electronic medium, please
e-mail xforce () iss net for permission.

Disclaimer

The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as
well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force
xforce () iss net of Internet Security Systems, Inc.




 | -----Original Message-----
 | From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
 | Of Skinner, Tim L.
 | Sent: 11 December 2000 16:22
 | To: PEN-TEST () SECURITYFOCUS COM
 | Subject: [PEN-TEST] Watchguard firebox II
 |
 |
 | Hi,
 |
 | I am about to pen-test a watchguard firebox II firewall and I have never
 | worked on one of those before.  Does anyone out there know of common
 | exploits or problems with these things?
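The design flaw behind ISS items 1 and 4 above (credentials checked on the HTML interface but not on the objects that implement the features, so a blank unauthenticated request to /passcfg clears the password) modelled as an added example, not WatchGuard or ISS code: a toy configuration-server dispatcher that authenticates only the HTML page, beside one that bounds the request target and authenticates before any object runs. The Request/Device shapes, the "admin" user, the initial password and the 1024-byte bound are assumptions; only the /passcfg object name comes from the advisory.

```python
# Added example (not WatchGuard or ISS code). Models the "auth on the HTML page,
# not on the objects" flaw from the advisory beside a dispatcher that checks
# credentials for every object. Request/Device shapes, the "admin" user, the
# initial password and MAX_REQUEST_TARGET are assumed for illustration.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

MAX_REQUEST_TARGET = 1024  # assumed bound; overlong GET targets are refused up front


@dataclass
class Request:
    method: str
    path: str
    body: str = ""
    auth: Optional[Tuple[str, str]] = None  # (user, password) or None


@dataclass
class Device:
    admin_password: str = "initial-secret"  # constructed value
    log: List[Tuple[str, str]] = field(default_factory=list)


def _credentials_valid(dev: Device, req: Request) -> bool:
    return req.auth is not None and req.auth == ("admin", dev.admin_password)


# Objects that implement features. None of them checks credentials itself,
# which is exactly why the dispatcher must.
def html_interface(dev: Device, req: Request) -> Tuple[int, str]:
    return 200, "<html>configuration page</html>"


def passcfg(dev: Device, req: Request) -> Tuple[int, str]:
    # A blank body sets a blank password, i.e. removes it (advisory item 4).
    dev.admin_password = req.body
    dev.log.append(("passcfg", req.body))
    return 200, "password updated"


OBJECTS: Dict[str, Callable[[Device, Request], Tuple[int, str]]] = {
    "/": html_interface, "/passcfg": passcfg}


def vulnerable_dispatch(dev: Device, req: Request) -> Tuple[int, str]:
    """Authenticates only the HTML interface; objects are reachable directly."""
    if req.path == "/" and not _credentials_valid(dev, req):
        return 401, "authentication required"
    handler = OBJECTS.get(req.path)
    return handler(dev, req) if handler else (404, "not found")


def hardened_dispatch(dev: Device, req: Request) -> Tuple[int, str]:
    """Bounds the request target, then authenticates before any object runs."""
    if len(req.path) > MAX_REQUEST_TARGET:
        return 414, "request target too long"
    if not _credentials_valid(dev, req):
        return 401, "authentication required"
    handler = OBJECTS.get(req.path)
    return handler(dev, req) if handler else (404, "not found")
```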

