KPMG-2002008: Watchguard SOHO IP Restrictions Flaw

From: Peter Gründl (pgrundlat_private)
Date: Wed Apr 10 2002 - 04:54:11 PDT

    --------------------------------------------------------------------
    
                -=>Watchguard SOHO IP Restrictions Flaw<=-
                          courtesy of KPMG Denmark
    
    BUG-ID: 2002008
    Released: 10th Apr 2002
    --------------------------------------------------------------------
    Problem:
    ========
    A flaw in the Watchguard SOHO firmware could allow malicious users
    to access services set up with IP restrictions in your SOHO firewall.
    
    
    Vulnerable:
    ===========
    - Watchguard SOHO Firewall, firmware 5.0.35
    
    
    Details:
    ========
    This vulnerability is a bit atypical, since it does not require any
    actions from an attacker, but rather actions from the firewall
    admin. However, we felt that the nature of this bug warranted the
    release of an advisory.
    
    V5.0.35 introduced a flaw that could, under certain circumstances,
    turn off IP restrictions on customised services. If a user had set
    up IP restrictions prior to upgrading to 5.0.35 (which corrected
    issues with TCP/IP handling on port-forwarding), the IP restrictions
    could vanish from time to time, without any local indication that
    the function had failed. To find out that IP restrictions had
    malfunctioned, the admin would have to access an external IP, and
    try to access the IP restricted service.
    
    If the IP restrictions fail, going into the custom service setup
    and submitting the rule again (without altering it), will restore
    functionality again, temporarily. Using other features of the
    firewall admin console, such as logging, would result in the IP
    restrictions malfunctioning again.
    
    
    Vendor URL:
    ===========
    You can visit the vendor's webpage here: http://www.watchguard.com
    
    
    Vendor response:
    ================
    The vendor was contacted on the 6th of April, 2002. The vendor then
    proceeded to pull the firmware from the website, and on the 10th of
    April the vendor confirmed the issue and announced the availability
    of a new firmware version, which corrects the issue.
    
    
    Corrective action:
    ==================
    Upgrade to firmware version 5.0.35a, available through Watchguard
    Livesecurity.
    
    
    Author: Peter Gründl (pgrundlat_private)
    
    --------------------------------------------------------------------
    KPMG is not responsible for the misuse of the information we provide
    through our security advisories. These advisories are a service to
    the professional security community. In no event shall KPMG be lia-
    ble for any consequences whatsoever arising out of or in connection
    with the use or spread of this information.
    --------------------------------------------------------------------
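
The Details section notes that a lapsed IP restriction gives no local indication and can only be observed from outside, and that it lapses intermittently. The following Python script is an added example, not part of the KPMG advisory or any Watchguard tooling: run from an external host whose address is not on the service's allow list, it repeatedly attempts a TCP connection to the forwarded port and records every state change. The host and port arguments and the polling values are assumptions to be replaced with your own.

```python
"""Run from an external host whose address is NOT on the service's allow list."""
import socket
import sys
import time


def probe(host, port, timeout=3.0):
    """Attempt one TCP connect; return 'open', 'refused' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed: restriction not enforced
    except ConnectionRefusedError:
        return "refused"         # a reset came back
    except OSError:              # timeouts and unreachable errors
        return "filtered"        # connection attempt was dropped


def watch(host, port, rounds, interval, probe_fn=probe, clock=time.time):
    """Probe `rounds` times; return (timestamp, old_state, new_state) per change."""
    changes, last = [], None
    for i in range(rounds):
        state = probe_fn(host, port)
        if state != last:
            changes.append((clock(), last, state))
            last = state
        if i + 1 < rounds:
            time.sleep(interval)
    return changes


def exposed(changes):
    """True if the restricted service was reachable at any point in the watch."""
    return any(new == "open" for _, _, new in changes)


if __name__ == "__main__":
    # Usage: check.py <firewall external IP> <forwarded port>
    host, port = sys.argv[1], int(sys.argv[2])
    changes = watch(host, port, rounds=120, interval=30)  # assumed: one hour, 30 s apart
    for ts, old, new in changes:
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(ts))
        print(stamp, old, "->", new)
    sys.exit(1 if exposed(changes) else 0)
```

The timestamps of each transition can be compared against admin console activity such as enabling logging, which the advisory names as a trigger for the restrictions failing again.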
    


