Apropos recent traffic on this list...

> Date: Thu, 14 Dec 2000 11:43:56 -0500 (EST)
> From: X-Force <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Internet Security Systems Security Advisory
> December 14, 2000
>
> Multiple vulnerabilities in the WatchGuard SOHO Firewall
>
> Synopsis:
>
> WatchGuard SOHO is an appliance firewall device targeted at small
> to mid-sized companies that wish to connect their network to the
> Internet. ISS X-Force discovered the following vulnerabilities in the
> SOHO Firewall that may allow an attacker to compromise or deny service
> to the device:
>
> 1. Weak Authentication
> 2. GET Request Buffer Overflow
> 3. Fragmented IP Packet Attack
> 4. Password Reset Using POST Operation
>
> Impact:
>
> These vulnerabilities could allow a remote attacker to gain access to
> the administrative functions of the firewall without authenticating,
> crash the configuration server, or cause the device to stop accepting
> network traffic.
>
> Affected Versions:
>
> WatchGuard SOHO Firewall with Firmware 1.6.0
> WatchGuard SOHO Firewall with Firmware 2.1.3 (Issue 4 only)
>
> Description:
>
> 1. Weak Authentication
> By default, WatchGuard SOHO firewalls spawn an HTTP-compliant Web
> server that is used to configure the device from a standard Web
> browser. The service listens for connections originating from the
> private network since many of the configuration options are sensitive
> to the network's security. To protect the configuration server from
> unauthorized tampering from the private network, the administrator can
> enable a username and password that must be used to access the server.
> However, this authentication is only enforced on the HTML interface
> used to control the firewall, not on the objects that actually
> implement the various features.
>
> An attacker can directly request these objects and change the
> administrative password or reboot the firewall without knowledge of
> the username or password.
>
> 2. GET Request Buffer Overflow
> An excessively long GET request to the Web server causes the
> WatchGuard SOHO configuration server to crash, requiring a reboot to
> regain functionality. X-Force has not yet determined if this
> vulnerability could be leveraged to execute arbitrary code. However,
> this buffer overflow does not yield any additional access beyond what
> can be obtained from the weak authentication vulnerability.
>
> 3. Fragmented IP Packet Attack
> A large volume of fragmented IP packets directed at the SOHO firewall
> exhausts the device's resources, causing it to stop forwarding packets
> between interfaces and drop all connections. Rebooting the device is
> the only means to restore connectivity between the private and public
> networks.
>
> 4. Password Reset Using POST Operation
> WatchGuard SOHO firmware 2.1.3 allows an administrator to set a
> password, which is required to access the configuration server's
> HTML interface as well as the underlying objects that implement the
> various configuration options. However, making a blank unauthenticated
> request to the /passcfg object will remove the password, allowing access
> to any of the administrative functions without the username/password
> combination.
>
> Recommendations:
>
> WatchGuard recommends upgrading to version 2.2.1 to eliminate these
> vulnerabilities.
>
> Latest versions of WatchGuard can be accessed at:
> http://bisd.watchguard.com/SOHO/Downloads/swupdates.asp
>
> The ISS SAFEsuite assessment software, Internet Scanner, will be
> updated to detect these vulnerabilities in an upcoming X-Press Update.
>
> Additional Information:
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned
> the following names to these issues. These are candidates for
> inclusion in the CVE list (http://cve.mitre.org), which standardizes
> names for security problems.
>
> CAN-2000-0894 Weak Authentication and Password Reset Using POST Operation
> CAN-2000-0895 GET Request Buffer Overflow
> CAN-2000-0896 Fragmented IP Packet Attack
>
> Credits:
>
> This vulnerability was discovered and researched by Steven Maks
> and Keith Jarvis of ISS. Internet Security Systems would like
> to thank WatchGuard Technologies Inc. for their response and
> handling of these vulnerabilities.
>
> _____
>
> About Internet Security Systems (ISS)
>
> Internet Security Systems, Inc. (ISS) (NASDAQ: ISSX) is the leading
> global provider of security management solutions for the Internet. By
> combining best of breed products, security management services,
> aggressive research and development, and comprehensive educational and
> consulting services, ISS is the trusted security advisor for thousands
> of organizations around the world looking to protect their mission
> critical information and networks.
>
> Copyright (c) 2000 by Internet Security Systems, Inc.
>
> Permission is hereby granted for the redistribution of this Alert
> electronically. It is not to be edited in any way without express
> consent of the X-Force. If you wish to reprint the whole or any part
> of this Alert in any other medium excluding electronic medium, please
> e-mail [EMAIL PROTECTED] for permission.
>
> Disclaimer
>
> The information within this paper may change without notice. Use of
> this information constitutes acceptance for use in an AS IS condition.
> There are NO warranties with regard to this information. In no event
> shall the author be liable for any damages whatsoever arising out of or in
> connection with the use or spread of this information. Any use of this
> information is at the user's own risk.
>
> X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as
> well as on MIT's PGP key server and PGP.com's key server.
>
> Please send suggestions, updates, and comments to: X-Force
> [EMAIL PROTECTED] of Internet Security Systems, Inc.
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.3a
> Charset: noconv
> -----END PGP SIGNATURE-----
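The design flaw behind issues 1 and 4 (and the unbounded request line of issue 2) is easy to see in a toy model. The following is an added example, not code from ISS, WatchGuard or the advisory: a request dispatcher that checks the password only when serving the HTML page, beside one that enforces it before routing to any object. Device, Request, OBJECTS and MAX_REQUEST_LINE are hypothetical names chosen for the illustration.

```python
# Added example (not from the advisory or WatchGuard): a toy model of the SOHO
# configuration server's request dispatch. All names here are hypothetical.
from dataclasses import dataclass

MAX_REQUEST_LINE = 256  # constructed bound on the request line (issue 2)

@dataclass
class Request:
    path: str
    auth: str = ""   # credential the client presented; "" if none
    body: str = ""

@dataclass
class Device:
    password: str = "s3cret"  # constructed sample value

def set_password(dev, body):
    # Backend object: a blank body clears the password, as described for /passcfg.
    dev.password = body.strip()
    return 200

OBJECTS = {"/passcfg": set_password}

def authorized(dev, req):
    # No password configured means open access; otherwise the credential must match.
    return dev.password == "" or req.auth == dev.password

def vulnerable_dispatch(dev, req):
    """Flawed design: the check lives only in the HTML page handler, so the
    objects implementing the features are reachable without it (issues 1 and 4)."""
    if req.path == "/":
        return 200 if authorized(dev, req) else 401
    handler = OBJECTS.get(req.path)
    return handler(dev, req.body) if handler else 404

def hardened_dispatch(dev, req):
    """Fixed design: bound the request line, authorize before routing to any
    object, and refuse a blank password update."""
    if len(req.path) > MAX_REQUEST_LINE:
        return 414
    if not authorized(dev, req):
        return 401
    if req.path == "/":
        return 200
    handler = OBJECTS.get(req.path)
    if handler is None:
        return 404
    if handler is set_password and not req.body.strip():
        return 400
    return handler(dev, req.body)
```

The point is that authorization belongs in the one place every request passes through, not in the page that happens to render the links.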