From: Peter Gründl (pgrundlkpmg.dk)
Date: Mon Jul 01 2002 - 04:01:14 CDT

    --------------------------------------------------------------------

    Title: Watchguard Soho FTP authentication flaw

    BUG-ID: 2002027
    Released: 01st Jul 2002
    --------------------------------------------------------------------

    Problem:
    ========
    A malicious user with access to the internal network interface card
    would not have to know the username to log on to the FTP service,
    and could attempt to bruteforce the password and thus gain access
    to the firewall configuration.

    Vulnerable:
    ===========
    - Watchguard Soho Firewall, firmware 5.0.35a

    Details:
    ========
    Before going into detail with the problem, I would like to sum up
    some mitigating factors:

    - This attack could only be carried out by someone with access to
      the Trusted Network interface.
    - The attacker would still have to guess the password.
    - If you are using this firewall at home, this is not likely to
      be a problem for you.

    The problem is that the FTP service is enabled by default,
    because it is used when the firmware is upgraded. The service
    gives the appearance of being protected both by a username and a
    password, but it is only necessary to know the correct password.
    If a user gains access to the FTP service, he/she has full control
    over the firewall configuration.

    To determine if you are vulnerable to this:

    ftp -n your.soho.firewall
    quote pass <your password>
    ls
    get wg.cfg
    quit

    Vendor URL:
    ===========
    You can visit the vendor webpage here: http://www.watchguard.com

    Vendor Response:
    ================
    This was reported to the vendor on the 6th of April, 2002. There is
    currently no scheduled release date for the next firmware version.

    Corrective action:
    ==================
    The FTP service is only used when you need to upgrade the firmware.
    So disable the FTP service, to prevent bruteforcing access to the
    configuration file:

    1) Log on to the firewall http management service
    2) Select "Firewall Options"
    3) Make sure there is a tick next to the field
       "Do not allow FTP access to Trusted Network interface"

    Author: Peter Gründl (pgrundlkpmg.dk)

    --------------------------------------------------------------------
    KPMG is not responsible for the misuse of the information we provide
    through our security advisories. These advisories are a service to
    the professional security community. In no event shall KPMG be lia-
    ble for any consequences whatsoever arising out of or in connection
    with the use or spread of this information.
    --------------------------------------------------------------------
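
The manual check under "To determine if you are vulnerable" can be scripted for auditing your own device. The following is an added example, not part of the original advisory: it sends PASS with no preceding USER and reports whether the server answers 230, stopping at the login reply rather than listing or fetching files. All function names and the constructed test server are assumptions made for illustration.

```python
import socket
import threading

def read_reply(f):
    """Return the 3-digit code of one FTP reply, skipping multi-line bodies (RFC 959)."""
    line = f.readline().decode("latin-1")
    code = line[:3]
    while line and not line.startswith(code + " "):
        line = f.readline().decode("latin-1")
    return code

def pass_accepted_without_user(sock, password):
    """Send PASS with no preceding USER; True means the server logged us in (230)."""
    with sock.makefile("rb") as f:
        read_reply(f)  # 220 greeting
        sock.sendall(b"PASS " + password.encode() + b"\r\n")
        code = read_reply(f)
        sock.sendall(b"QUIT\r\n")
    return code == "230"

def check_host(host, password, port=21, timeout=5.0):
    """Run the check against your own firewall's Trusted interface."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return pass_accepted_without_user(sock, password)

def constructed_server(sock, password, require_user):
    """Constructed stand-in for the device: one session on a connected socket."""
    with sock, sock.makefile("rb") as f:
        sock.sendall(b"220-constructed test server\r\n220 ready\r\n")
        cmd = f.readline().decode("latin-1").strip()
        if cmd == "PASS " + password and not require_user:
            sock.sendall(b"230 User logged in\r\n")  # behaviour the advisory describes
        else:
            sock.sendall(b"503 Login with USER first\r\n")  # bad command sequence
        f.readline()  # consume QUIT

def demo(require_user, password="constructed-password"):
    """Run the check over a local socket pair, so no network is needed."""
    client, server = socket.socketpair()
    client.settimeout(5.0)
    t = threading.Thread(target=constructed_server, args=(server, password, require_user))
    t.start()
    with client:
        result = pass_accepted_without_user(client, password)
    t.join()
    return result

if __name__ == "__main__":
    print("PASS-only login accepted:", demo(require_user=False))
    print("PASS-only login accepted (USER enforced):", demo(require_user=True))
```

After applying the corrective action, `check_host` should fail to connect or return False.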