From: Philip J Lewis (PhilSECURENETWORKING.CO.UK)
Date: Sat Jan 20 2001 - 12:52:56 CST

    I have found that the embedded Linux-based Watchguard Firebox II
    Firewall product range is vulnerable to read-write access using only a
    read-only passphrase. This gives a read-only user the ability to make
    changes to the firewall remotely without either authorization or a
    read-write passphrase. The risk is remote firewall compromise.

    Firewalls at Risk
    -----------------
    Platforms tested (other Watchguard firewalls may also be vulnerable):
    Watchguard FireboxII
    Watchguard FireboxII+
    Watchguard FireboxII Fast VPN

    Firmware Versions (previous versions, including MSS, may also be
    vulnerable):
    LSS version 4.0 until 4.5 inclusive.

    Exploit Method
    --------------
    The method of exploit involves using the supplied Watchguard
    configuration tools/libraries and their library functions to make an
    SSL connection to the Firebox via TCP/IP. You must authenticate using
    the read-only passphrase and issue the MPF command (Watchguard's
    proprietary firewall software, 'Mazama Packet Filter') to get a binary
    file from the flash filesystem on the Firebox. Retrieve the file called
    '/var/lib/mpf/keys.gz'. This contains the hashed read-only and
    read-write passphrases in gzipped format. It is not necessary to crack
    these hashes, as they are sent to the Firebox in exactly this hashed
    form when authenticating an SSL connection anyway: the stored hash is
    itself the credential.
    This read-write hashed passphrase can then be used with the MPF library
    to authenticate and write files to that particular firewall (such as a
    modified configuration), or to issue commands to reboot the firewall.
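The two design weaknesses the advisory describes are that a read-only role may fetch a file that holds the credentials, and that the stored hash is exactly what a client transmits, so the stored copy is a working credential. The toy model below is an added illustration written for this archive copy; it is not WatchGuard code, nor the MPF library, and the `WeakFirebox`/`HardenedFirebox` classes, the passphrases, the keys-file contents and the SHA-256/PBKDF2 choices are all constructed assumptions. It shows a defender's check for each weakness and how a restricted-file list plus a salted, non-transmitted verifier closes both.

```python
import hashlib
import hmac
import secrets

# Constructed sample passphrases for the toy model; not real Firebox credentials.
RO_PASSPHRASE = "read-only-example"
RW_PASSPHRASE = "read-write-example"
KEYS_FILE = "/var/lib/mpf/keys.gz"  # path from the advisory; contents below are constructed


def plain_hash(passphrase: str) -> str:
    """Unsalted hash. In the weak design the client sends exactly this value,
    so whoever can read the stored copy holds a usable credential."""
    return hashlib.sha256(passphrase.encode()).hexdigest()


class WeakFirebox:
    """Hypothetical model of the flawed design: stored hash == transmitted
    credential, and the read-only role may fetch any file at all."""

    def __init__(self):
        self.verifiers = {"ro": plain_hash(RO_PASSPHRASE), "rw": plain_hash(RW_PASSPHRASE)}
        self.files = {
            KEYS_FILE: "".join(f"{r}={h}\n" for r, h in self.verifiers.items()),
            "/etc/config": "allow-from 203.0.113.0/24\n",  # RFC 5737 example range
        }

    def login(self, credential: str):
        """Client sends the hash itself; return the matching role, else None."""
        for role, verifier in self.verifiers.items():
            if hmac.compare_digest(credential, verifier):
                return role
        return None

    def get_file(self, role, path):
        if role is None:
            raise PermissionError("not authenticated")
        return self.files[path]  # no per-file restriction: the first flaw

    def put_file(self, role, path, data):
        if role != "rw":
            raise PermissionError("read-write role required")
        self.files[path] = data


class HardenedFirebox(WeakFirebox):
    """Same toy with two mitigations: restricted files are never served, and
    the verifier is a salted PBKDF2 of a passphrase the client sends over the
    SSL channel, so a leaked verifier cannot simply be replayed."""

    RESTRICTED = frozenset({KEYS_FILE})

    def __init__(self):
        self.salts = {"ro": secrets.token_bytes(16), "rw": secrets.token_bytes(16)}
        self.verifiers = {
            "ro": self._derive(RO_PASSPHRASE, self.salts["ro"]),
            "rw": self._derive(RW_PASSPHRASE, self.salts["rw"]),
        }
        self.files = {
            KEYS_FILE: "".join(f"{r}={h}\n" for r, h in self.verifiers.items()),
            "/etc/config": "allow-from 203.0.113.0/24\n",
        }

    @staticmethod
    def _derive(passphrase: str, salt: bytes) -> str:
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000).hex()

    def login(self, credential: str):
        """Client sends the passphrase; the box derives and compares per role."""
        for role, verifier in self.verifiers.items():
            if hmac.compare_digest(self._derive(credential, self.salts[role]), verifier):
                return role
        return None

    def get_file(self, role, path):
        if path in self.RESTRICTED:
            raise PermissionError("restricted file")  # what the hotfix's file protection models
        return super().get_file(role, path)


def readonly_can_gain_write(box, ro_credential: str) -> bool:
    """Defender's check: does a read-only login plus a read of the keys file
    yield something the box accepts for the read-write role?"""
    role = box.login(ro_credential)
    if role != "ro":
        return False
    try:
        keys = box.get_file(role, KEYS_FILE)
    except PermissionError:
        return False
    stored = dict(line.split("=", 1) for line in keys.splitlines())
    return box.login(stored["rw"]) == "rw"


def stored_verifier_is_replayable(box) -> bool:
    """If the stored read-write verifier leaked by any route, would it log in?"""
    return box.login(box.verifiers["rw"]) == "rw"


if __name__ == "__main__":
    print("weak box escalates:", readonly_can_gain_write(WeakFirebox(), plain_hash(RO_PASSPHRASE)))
    print("hardened box escalates:", readonly_can_gain_write(HardenedFirebox(), RO_PASSPHRASE))
```

The second check matters independently of the first: even after the file is restricted, a verifier that equals the transmitted credential is still password-equivalent if it leaks through a backup, a debug dump or another file, which is why both the file restriction and the non-replayable verifier are needed.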

    Suggested Fix
    -------------
    To minimize the risk of such an attack Watchguard Firewall
    administrators should make sure that they do not use a 'weak' read-only
    password and that the configuration port rule on the firewall will only
    allow incoming connections from trusted IPs/users. Apply the vendor
    hotfix below.

    Vendor Hotfix
    -------------
    The vendor promptly responded with a Hotfix (attached below). It can be
    downloaded by registered Live Security System subscribers from:

    https://www.watchguard.com/esupport.htm

    The patch is called: 'Hotfix 010107'

    Philip J. Lewis
    Networking Consultant, Secure Networking Ltd.
    Tel: +44 (0) 7887 955 981, Fax: +44 (0) 1189 841 957
    PGP keyid: 0x1A8C0AFA (http://pgp.mit.edu)

    --------------- Vendor Advisory --------------
    From: lsalertswatchguard.com
    Date: Thu, 18 Jan 2001 18:35:20 Pacific Standard Time
    Subject: New Alert from LiveSecurity

    WatchGuard LiveSecurity System

    A new Threat Response is available on your LiveSecurity Service. To
    download this Threat Response, log in to your LiveSecurity Service and
    click on the appropriate download link in the LiveSecurity System
    Software section.

    =======
    Installation Instructions: Please print these instructions for
    reference.

    Hotfix 010107 Release Notes

    Overview
    This Threat Response addresses a security vulnerability for the
    WatchGuard Firebox by preventing access to insecure files within the
    Firebox itself. It contains WatchGuard Hotfix 010107. This Hotfix does
    not include the components from previous Hotfixes. You should install
    all previous Hotfixes before you install Hotfix 010107.

    If you have any questions regarding this installation, please contact
    WatchGuard Technical Support at +206.521.8375 or via the Web at
    <https://www.watchguard.com/esupport.htm>.

    Contents of this Hotfix
    This Hotfix provides more stringent protection against insecure file
    access on the Firebox. Installing this modification gives the Firebox
    a much more robust defense against certain file access-related
    activities aimed at a privilege elevation attack. This Hotfix secures
    certain restricted files (not required by the user for proper
    operation of the Firebox) to increase stability and decrease the
    opportunity for a potential attack.

    WatchGuard wishes to acknowledge and thank Philip J. Lewis of Secure
    Networking Limited for his assistance in the development of this
    Hotfix.

    Before installing this software, please read the installation
    instructions and release notes located in this file.

    Installation and Initialization
    1. Double Click on the Hotfix010107 file for your version of
    WatchGuard software:

    For LSS v4.1 SP4 -- Hotfix010107LSS41.wls
    For LSS v4.5 -- Hotfix010107LSS45.wls

    2. Run the downloaded executable file and follow the installation
    instructions.