Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Subject: Watchguard Firebox Authentication DoS
From: Peter Gründl (prgVIGILANTE.COM)
Date: Tue Aug 15 2000 - 05:58:32 CDT

Watchguard Firebox Authentication DoS

Advisory Code: VIGILANTE-2000005

Release Date:
August 15, 2000

Systems Affected:
Tested on the newest version of the Watchguard Firebox II (that was on the
22nd of June), but it is very likely that this bug exists in all prior
versions that include the authentication service (TCP port 4100).

Sending a malformed URL to the authentication service running on TCP port
4100, causes it to shut down and requires a reboot of the Watchguard for it
to work again.

Vendor Status:
Vendor was informed of the problem, and have been very cooperative in
getting a patch developed for the problem. According to the vendor the
problem is not caused by a buffer overflow.

Fix (quote from the vendor):
"all current WatchGuard LiveSecurity Subscribers have been
sent the Service Pack that addresses this issue. Copies of this
Service Pack can be downloaded from the WatchGuard LiveSecurity
Archive. To log into the archive, go to
http://www.watchguard.com/support. A work around that addresses the
vulnerability from the external interface is to disable Authentication
to the Firebox from the external interface. Upstream routers can also
be used to control access to this service if access to the
Authentication applet is required from the external interface and you
do not wish to install the patch. For obvious reasons, these are
sub-optimal solutions."

Vendor URL: http://www.watchguard.com
Product URL: http://www.watchguard.com/products/fIImss.asp

Copyright VIGILANTe 2000-08-15

The information within this document may change without notice. Use of
this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any consequences whatsoever
arising out of or in connection with the use or spread of this
information. Any use of this information lays within the user's

Please send suggestions, updates, and comments to:

mailto: infovigilante.com