FYI. I'm amazed how many vulnerabilities have been found in Gauntlet, Checkpoint, and now Watchguard. If security companies can't write good secure code for a firewall, how are non-security companies like an e-business application builder going to write code securely? The security consulting companies that find the security vulnerabilities have their work cut out for them. No limit to the number of e-business applications that need security audits.

Internet Security Systems Security Advisory
November 14, 2000

Multiple vulnerabilities in the WatchGuard SOHO Firewall

Synopsis:

The WatchGuard SOHO is an appliance firewall device targeted at small to mid-sized companies that wish to connect their network to the Internet. ISS X-Force has discovered several vulnerabilities in the SOHO Firewall that may allow an attacker to compromise or deny service to the device:

1. Weak Authentication
2. GET Request Buffer Overflow
3. Fragmented IP Packet Attack

Impact:

The vulnerabilities could allow a remote attacker to gain access to the administrative functions of the firewall without authenticating, crash the configuration server, or cause the device to stop accepting network traffic.

Platforms Affected:

WatchGuard SOHO Firewall with Firmware through 1.6.x
[pending: other products potentially affected]

Description:

1. Weak Authentication

WatchGuard SOHO firewalls by default spawn an HTTP-compliant Web server used to configure the device from a standard Web browser. Since many of the configuration options are sensitive to the network's security, the service by default only listens for connections originating from the private network. To protect the configuration server from unauthorized tampering from the private network, the administrator can enable a username and password that must be used to access the server. However, this authentication is only enforced on the HTML interface used to control the firewall, not on the objects that actually implement the various features.
An attacker can directly request these objects and change the administrative password or reboot the firewall without knowing the username or password.

2. GET Request Buffer Overflow

An excessively long GET request to the Web server crashes the WatchGuard SOHO configuration server, requiring a reboot to regain functionality. X-Force has not yet determined if this vulnerability could be leveraged to execute arbitrary code. However, this buffer overflow would not yield any additional access beyond what can be obtained from the weak authentication vulnerability.

3. Fragmented IP packet attack

A large volume of fragmented IP packets directed at the SOHO firewall exhausts the device's resources, causing it to stop forwarding packets between interfaces and drop all connections. Rebooting the device is the only means to restore connectivity between the private and public networks.

Recommendations:

[fix information to be provided by WatchGuard]

The ISS SAFEsuite assessment software, Internet Scanner, will be updated to detect this vulnerability in an upcoming X-Press Update.

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

CAN-2000-0894 Weak authentication
CAN-2000-0895 GET Request Buffer Overflow
CAN-2000-0896 Fragmented IP packet attack

Credits:

This vulnerability was discovered and researched by Steven Maks ([EMAIL PROTECTED]) and Keith Jarvis ([EMAIL PROTECTED]). Internet Security Systems would like to thank WatchGuard Technologies Inc. for their response and handling of this vulnerability.

About Internet Security Systems (ISS)

Internet Security Systems (ISS) is a leading global provider of security management solutions for the Internet.
By providing industry-leading SAFEsuite security software, remote managed security services, and strategic consulting and education offerings, ISS is a trusted security provider to its customers, protecting digital assets and ensuring safe and uninterrupted e-business. ISS' security management solutions protect more than 5,500 customers worldwide including 21 of the 25 largest U.S. commercial banks, 10 of the largest telecommunications companies and over 35 government agencies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe, Latin America and the Middle East. For more information, visit the Internet Security Systems web site at www.iss.net or call 888-901-7477.

Copyright (c) 2000 by Internet Security Systems, Inc.

- Kathy
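
Added example (not part of the original post or the advisory, and not WatchGuard code): a small C model of issues 1 and 2 as the advisory describes them, with a dispatcher that checks credentials only on the HTML page beside one that checks them in front of every object, and a request-line parser that measures the path before copying it. The object names and the 128-byte limit are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 128   /* assumed limit; the advisory gives no sizes */

enum { ST_OK = 200, ST_BAD = 400, ST_UNAUTH = 401, ST_NOTFOUND = 404, ST_TOOLONG = 414 };

/* Hypothetical object names: one HTML page and two action objects. */
static const char *const OBJECTS[] = { "/index.htm", "/setpass", "/reboot" };

static int is_known(const char *path) {
    for (size_t i = 0; i < sizeof OBJECTS / sizeof OBJECTS[0]; i++)
        if (strcmp(path, OBJECTS[i]) == 0) return 1;
    return 0;
}

/* Flawed model (issue 1): only the HTML page asks for credentials. */
int dispatch_page_only(const char *path, int authenticated) {
    if (!is_known(path)) return ST_NOTFOUND;
    if (strcmp(path, "/index.htm") == 0 && !authenticated) return ST_UNAUTH;
    return ST_OK;   /* action objects run with no credential check */
}

/* Corrected model: the check sits in front of every object. */
int dispatch_checked(const char *path, int authenticated) {
    if (!authenticated) return ST_UNAUTH;
    return is_known(path) ? ST_OK : ST_NOTFOUND;
}

/* Issue 2: measure the path before copying so an oversized GET is refused. */
int handle_request(const char *line, size_t len, int authenticated) {
    char path[MAX_PATH_LEN + 1];
    if (len < 5 || memcmp(line, "GET ", 4) != 0) return ST_BAD;
    const char *start = line + 4;
    const char *end = memchr(start, ' ', len - 4);
    size_t n = end ? (size_t)(end - start) : len - 4;
    if (n == 0) return ST_BAD;
    if (n > MAX_PATH_LEN) return ST_TOOLONG;   /* refuse, never truncate or overflow */
    memcpy(path, start, n);
    path[n] = '\0';
    return dispatch_checked(path, authenticated);
}

int main(void) {
    const char *req = "GET /reboot HTTP/1.0";   /* constructed sample request */
    printf("page-only check: %d\n", dispatch_page_only("/reboot", 0));
    printf("central check:   %d\n", handle_request(req, strlen(req), 0));
    return 0;
}
```
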
