OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Peter Gründl (pgrundl_at_kpmg.dk)
Date: Tue Jul 09 2002 - 07:57:54 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    --------------------------------------------------------------------

    Title: Watchguard Firebox Dynamic VPN Configuration Protocol DoS

    BUG-ID: 2002030
    Released: 9th Jul 2002
    --------------------------------------------------------------------

    Problem:
    ========
    A malicious user can crash the Dynamic VPN Configuration Protocol
    service (DVCP) by sending a malformed packet to the listener service
    on TCP port 4110.

    Vulnerable:
    ===========
    - Watchguard Firebox firmware v5.x.x

    Not Vulnerable:
    ===============
    - Watchguard Firebox firmware v6.0.b1140

    Product Description:
    ====================
    Quoted from the vendor webpage:

    "The WatchGuard® Firebox System is a powerful security solution that
     gives small and medium sized businesses, central offices, and VPN
     hubs integrated firewall protection and VPN support."

    "About DVCP
     DVCP is a WatchGuard client server protocol that securely transmits
     IPSec VPN configuration information to WatchGuard Fireboxes. Network
     administrators use WatchGuard software to define each configuration
     aspect of the VPN, such as encryption algorithms and how often keys
     will be negotiated, then the settings are stored on a centrally
     located DVCP Server.When a Firebox is installed and initialized with
     software and instructions, a software client on the Firebox contacts
     the central DVCP server to obtain IPSec policy information using a
     secure protocol."

    Details:
    ========
    The DVCP service can be crashed using anywhere between 1 and 400
    packets of tab characters, followed by a CRLF. The firewall needs to
    be rebooted for the DVCP service to function again.

    Vendor URL:
    ===========
    You can visit the vendor webpage here: http://www.watchguard.com

    Vendor response:
    ================
    The vendor was notified on the 8th of May, 2002. On the 23rd of
    May, 2002 the vendor notified us that the issue would be resolved
    in the next version (6.x). On the 9th of July we verified that
    the problem was resolved in the new firmware version.

    Corrective action:
    ==================
    Upgrade to firmware version 6.x, available at the livesecurity
    website. If you are not a subscriber to the livesecurity service,
    please contact Watchguard support further assistance.

    Authors:
    Andreas Sandor (asandorkpmg.dk)
    Peter Gründl (pgrundlkpmg.dk)

    --------------------------------------------------------------------
    KPMG is not responsible for the misuse of the information we provide
    through our security advisories. These advisories are a service to
    the professional security community. In no event shall KPMG be lia-
    ble for any consequences whatsoever arising out of or in connection
    with the use or spread of this information.
    --------------------------------------------------------------------