Kathy,
<philosophical rant>IMHO, your questions/comments point to a greater
foundational problem. What's the integrity of the company? Which boils
down to the integrity of the individual who's writing the software. If the
individual is driven by output and release dates, then the software is not
going to be what it could be. In general, I've personally experienced the
slide of integrity from software/hardware/services folks (and also in other
areas like autos, etc.). How many people out there really care about
producing a product they can sign their names to?</philosophical rant>
I'm combating the problem personally by taking the courage to 'sign' my
work. If it stinks, so be it, I'll take the heat. Imagine what kind of
progress the tech community could be making if we all signed our work with
pride?
Trying to make a difference,
Michael Sorbera
Webmaster
P.S. and maybe if the marketing folks stopped calling a garbage man
something akin to a physicist, we'd have software/hardware that did what the
box said it would?
----- Original Message -----
From: "Kathy" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, December 14, 2000 10:22 PM
Subject: Watchguard firewalls vulnerable
> FYI. I'm amazed how many vulnerabilities have been found in Gauntlet,
Checkpoint, and now Watchguard. If security companies can't write good
secure code for a firewall, how are non-security companies like an
e-business application builder going to write code securely?
>
> The security consulting companies that find the security vulnerabilities
have their work cut out for them. No limit to the number of e-business
applications that need security audits.
>
> Internet Security Systems Security Advisory
> November 14, 2000
>
> Multiple vulnerabilities in the WatchGuard SOHO Firewall
>
> Synopsis:
>
> The WatchGuard SOHO is an appliance firewall device targeted at small to
> mid-sized companies that wish to connect their network to the Internet.
> ISS X-Force has discovered several vulnerabilities in the SOHO Firewall
> that may allow an attacker to compromise or deny service to the device:
>
> 1. Weak Authentication
> 2. GET Request Buffer Overflow
> 3. Fragmented IP Packet Attack
>
> Impact:
>
> The vulnerabilities could allow a remote attacker to gain access to the
> administrative functions of the firewall without authenticating, crash the
> configuration server, or cause the device to stop accepting network
> traffic.
>
> Platforms Affected:
>
> WatchGuard SOHO Firewall with Firmware through 1.6.x
> [pending: other products potentially affected]
>
> Description:
>
> 1. Weak Authentication
> WatchGuard SOHO firewalls by default spawn an HTTP-compliant Web server
> used to configure the device from a standard Web browser. Since many of
> the configuration options are sensitive to the network's security, the
> service by default only listens for connections originating from the
> private network. To protect the configuration server from unauthorized
> tampering from the private network, the administrator can enable a
> username and password that must be used to access the server. However,
> this authentication is only enforced on the HTML interface used to control
> the firewall, not on the objects that actually implement the various
> features.
>
> An attacker can directly request these objects and change the
> administrative password or reboot the firewall without knowing the
> username or password.
>
> 2. GET Request Buffer Overflow
> An excessively long GET request to the Web server crashes the WatchGuard
> SOHO configuration server, requiring a reboot to regain functionality.
> X-Force has not yet determined if this vulnerability could be leveraged to
> execute arbitrary code. However, this buffer overflow would not yield any
> additional access beyond what can be obtained from the weak authentication
> vulnerability.
>
> 3. Fragmented IP packet attack
> A large volume of fragmented IP packets directed at the SOHO firewall
> exhausts the device's resources, causing it to stop forwarding packets
> between interfaces and drop all connections. Rebooting the device is the
> only means to restore connectivity between the private and public
> networks.
>
> Recommendations:
>
> [fix information to be provided by WatchGuard]
>
> The ISS SAFEsuite assessment software, Internet Scanner, will be updated
> to detect this vulnerability in an upcoming X-Press Update.
>
> Additional Information:
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned
> the following names to these issues. These are candidates for inclusion
> in the CVE list (http://cve.mitre.org), which standardizes names for
> security problems.
>
> CAN-2000-0894 Weak authentication
> CAN-2000-0895 GET Request Buffer Overflow
> CAN-2000-0896 Fragmented IP packet attack
>
>
> Credits:
>
> This vulnerability was discovered and researched by Steven Maks
> ([EMAIL PROTECTED]) and Keith Jarvis ([EMAIL PROTECTED]). Internet Security
> Systems would like to thank WatchGuard Technologies Inc. for their
> response and handling of this vulnerability.
>
> _____
>
> _______
>
>
> About Internet Security Systems (ISS)
> Internet Security Systems (ISS) is a leading global provider of security
> management solutions for the Internet. By providing industry-leading
> SAFEsuite security software, remote managed security services, and
> strategic consulting and education offerings, ISS is a trusted security
> provider to its customers, protecting digital assets and ensuring safe
> and uninterrupted e-business. ISS' security management solutions protect
> more than 5,500 customers worldwide including 21 of the 25 largest U.S.
> commercial banks, 10 of the largest telecommunications companies and
> over 35 government agencies. Founded in 1994, ISS is headquartered in
> Atlanta, GA, with additional offices throughout North America and
> international operations in Asia, Australia, Europe, Latin America and
> the Middle East. For more information, visit the Internet Security
> Systems web site at www.iss.net or call 888-901-7477.
>
> Copyright (c) 2000 by Internet Security Systems, Inc.
>
> - Kathy
>
> ---======-----
> --=========---
> -============-
> --=========---
> ---=======----
> --------------
>
>
>
> Free web-based email
> Performance Testing of your web site
> Only at: http://www.perfstat.com
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
