WatchGuard SOHO is an appliance firewall device targeted at small to mid-sized companies that wish to connect their network to the Internet. The ISS X-Force discovered the following vulnerabilities in the SOHO Firewall that may allow an attacker to compromise or deny service to the device:
1. Weak Authentication
2. GET Request Buffer Overflow
3. Fragmented IP Packet Attack
4. Password Reset Using POST Operation
Credit:
The information has been provided by X-Force.
Affected Versions:
WatchGuard SOHO Firewall with Firmware 1.6.0
WatchGuard SOHO Firewall with Firmware 2.1.3 (Issue 4 only)
Immune systems:
WatchGuard SOHO Firewall with Firmware 2.2.1
Impact:
These vulnerabilities could allow a remote attacker to gain access to the administrative functions of the firewall without authenticating, crash the configuration server, or cause the device to stop accepting network traffic.
Description:
1. Weak Authentication
By default, WatchGuard SOHO firewalls spawn an HTTP-compliant Web server that is used to configure the device from a standard Web browser. The service listens for connections originating from the private network since many of the configuration options are sensitive to the network's security. To protect the configuration server from unauthorized tampering from the private network, the administrator can enable a username and password that must be used to access the server. However, this authentication is only enforced on the HTML interface used to control the firewall, not on the objects that actually implement the various features.
An attacker can directly request these objects and change the administrative password or reboot the firewall without knowledge of the username or password.
2. GET Request Buffer Overflow
An excessively long GET request to the Web server causes the WatchGuard SOHO configuration server to crash, requiring a reboot to regain functionality. X-Force has not yet determined if this vulnerability could be leveraged to execute arbitrary code. However, this buffer overflow does not yield any additional access beyond what can be obtained from the weak authentication vulnerability.
3. Fragmented IP Packet Attack
A large volume of fragmented IP packets directed at the SOHO firewall exhausts the device's resources, causing it to stop forwarding packets between interfaces and drop all connections. Rebooting the device is the only means to restore connectivity between the private and public networks.
4. Password Reset Using POST Operation
WatchGuard SOHO firmware 2.1.3 allows an administrator to set a password, which is required to access the configuration server's HTML interface as well as the underlying objects that implement the various configuration options. However, making a blank unauthenticated request to the /passcfg object will remove the password, allowing access to any of the administrative functions without the username/password combination.
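Issues 1 and 4 share one design flaw: the password check sits in front of the HTML interface rather than in front of the objects that change configuration. The following is an added example, not WatchGuard firmware code, modelling both in one toy dispatcher beside a hardened form. Every name except /passcfg is hypothetical, and refusing an empty password is a design choice of this example.

```python
# Simplified model of a configuration web server (constructed for illustration).
# Route names other than /passcfg are hypothetical.
import hmac

class ConfigServer:
    def __init__(self, password, hardened):
        self.password = password      # "" means no password is set
        self.hardened = hardened
        self.rebooted = False
        self.objects = {"/passcfg": self._passcfg, "/reboot": self._reboot}

    def _authed(self, supplied):
        # No password configured -> open access (the password is optional).
        if self.password == "":
            return True
        return supplied is not None and hmac.compare_digest(supplied, self.password)

    def _passcfg(self, form):
        new = form.get("password", "")
        if self.hardened and new == "":
            return 400                # never let an empty body clear the password
        self.password = new
        return 200

    def _reboot(self, form):
        self.rebooted = True
        return 200

    def handle(self, path, form=None, supplied=None):
        form = form or {}
        if path == "/index.html":
            # Flawed design: the only place the password is checked.
            return 200 if self._authed(supplied) else 401
        handler = self.objects.get(path)
        if handler is None:
            return 404
        # Hardened design: one check in the dispatcher covers every object.
        if self.hardened and not self._authed(supplied):
            return 401
        return handler(form)
```

With hardened=False the model returns 401 for the HTML page but 200 for the objects behind it; with hardened=True every object request passes through the same check.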
Recommendations:
WatchGuard recommends upgrading to version 2.2.1 to eliminate these vulnerabilities.
Latest versions of WatchGuard can be accessed at:
http://bisd.watchguard.com/SOHO/Downloads/swupdates.asp