Vulnerability

Watchguard Firewall

Affected

Watchguard Firewall

Description

Philip J Lewis has found that the embedded Linux-based Watchguard Firebox II Firewall product range is vulnerable to read-write access using only a read-only passphrase. This gives a read-only user the ability to make changes to the firewall remotely without either authorization or a read-write passphrase. The risk is remote firewall compromise.

Platforms tested (other Watchguard firewalls may also be vulnerable):

  Watchguard FireboxII
  Watchguard FireboxII+
  Watchguard FireboxII Fast VPN

Firmware versions (previous versions, including MSS, may also be vulnerable):

  LSS version 4.0 until 4.5 inclusive.

The method of exploit involves using the supplied Watchguard configuration tools/libraries and their library functions to make an SSL connection to the firebox via TCP/IP. You must authenticate using the read-only passphrase and issue the MPF command (Watchguard's proprietary firewall software, 'Mazama Packet Filter') to get a binary file from the flash filesystem on the firebox. Retrieve the file called '/var/lib/mpf/keys.gz'. This contains the hashed read-only and read-write passphrases in gzipped format. It is not important to decrypt these keys, as they are sent to the firebox in exactly this hashed format when authenticating an SSL connection anyway.

This read-write hashed passphrase can then be used with the MPF library to authenticate and write files to that particular firewall, such as a modified configuration, or to issue commands to reboot the firewall.

To minimize the risk of such an attack, Watchguard Firewall administrators should make sure that they do not use a 'weak' read-only password and that the configuration port rule on the firewall will only allow incoming connections from trusted IPs/users. Apply the vendor hotfix below.

Solution

The vendor promptly responded with a Hotfix. It can be downloaded by registered Live Security System subscribers from:

  https://www.watchguard.com/esupport.htm

The patch is called: 'Hotfix 010107'
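
The two design flaws described above (a read-only session can fetch the key file, and the stored hash is exactly what a client sends to authenticate) are modelled here in memory beside a hardened variant. This is an added example, not Watchguard's code or protocol; the class names, the SHA-256 token and the PBKDF2 verifier are assumptions made for illustration.

```python
import hashlib, hmac, os

def wire_token(passphrase):
    # Value the client sends to log in. SHA-256 is an assumption; the
    # advisory does not name the hash the product uses.
    return hashlib.sha256(passphrase.encode()).digest()

class WeakDevice:
    """Toy model: stores the wire token itself; any session may read the key file."""
    def __init__(self, ro_pass, rw_pass):
        self.keys = {"ro": wire_token(ro_pass), "rw": wire_token(rw_pass)}
    def check(self, stored, token):
        return hmac.compare_digest(stored, token)
    def login(self, token):
        for role, stored in self.keys.items():
            if self.check(stored, token):
                return role
        return None
    def read_key_file(self, role):
        return dict(self.keys) if role else None   # no per-role check

class HardenedDevice(WeakDevice):
    """Stores a salted PBKDF2 verifier of the token; key file needs the 'rw' role."""
    def __init__(self, ro_pass, rw_pass):
        self.keys = {}
        for role, p in (("ro", ro_pass), ("rw", rw_pass)):
            salt = os.urandom(16)
            self.keys[role] = salt + self.kdf(salt, wire_token(p))
    @staticmethod
    def kdf(salt, token):
        return hashlib.pbkdf2_hmac("sha256", token, salt, 100_000)
    def check(self, stored, token):
        # Re-derive from the presented token; the stored bytes alone never match.
        return hmac.compare_digest(stored[16:], self.kdf(stored[:16], token))
    def read_key_file(self, role):
        return dict(self.keys) if role == "rw" else None

def readonly_reaches_rw(device, ro_pass):
    """Regression check: does a read-only session yield a value that logs in as 'rw'?"""
    role = device.login(wire_token(ro_pass))
    leaked = device.read_key_file(role) or {}
    return any(device.login(v) == "rw" for v in leaked.values())

# Constructed sample passphrases.
if __name__ == "__main__":
    print("weak:", readonly_reaches_rw(WeakDevice("view-only", "admin-secret"), "view-only"))
    print("hardened:", readonly_reaches_rw(HardenedDevice("view-only", "admin-secret"), "view-only"))
```

In the hardened model the stored value is no longer password-equivalent, so even a key file obtained by other means does not authenticate on its own.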