Vulnerability: Watchguard Firebox II

Affected: Watchguard Firebox II, all versions prior to 4.6

Description:

The following is based on Defcom Labs Advisory def-2001-18 by Andreas Sandor and Peter Grundl.

This vulnerability makes it possible to force the Firebox into a condition where it stops responding to packets of a certain protocol after it has been sent large bursts of packets for that protocol.

The Linux-based kernel in the Watchguard Firebox has problems handling certain types of malformed packets. If the firewall is subjected to a burst of around 10.000 of these packets, it will cause a kernel fault and either crash or reboot. Both TCP and ICMP are affected by this, and the burst rate needed to achieve a kernel fault was about one megabit in our test lab, which isn't that uncommon these days.

If the firewall manages to log the attack, the log file might look something like this:

    kernel: Unable to handle kernel paging request at virtual address c4000000
    kernel: current->tss.cr3 = 03557000, %cr3 = 03557000
    kernel: *pde = 00000000
    kernel: Oops: 0000
    kernel: CPU: 0
    kernel: EIP: 0010:[<00186379>]
    kernel: EFLAGS: 00010206
    kernel: eax: 8c807bd9 ebx: 636f7270 ecx: 07f65441 edx: ffffffff
    kernel: esi: 04000000 edi: 02ca8818 ebp: 02ca882c esp: 03be7f08
    kernel: ds: 0018 es: 0018 fs: 002b gs: 002b ss: 0018
    kernel: Process ifconfig (pid: 153, process nr: 6, stackpage=03be7000)
    kernel: Stack: 00000013 03049b98 00153ad4 02ca8840 ffffffff 00000000 09002d0a 02ca8818
    kernel: 0000002e 03be7f80 00000013 02ca8848 0013f845 00000002 0013f9b9 03be7f88
    kernel: 001a3e54 00000000 02ca8848 0019ca48 0019ca48 002af018 00000000 00000000
    kernel: Call Trace: [<00153ad4>] [<0013f845>] [<0013f9b9>] [<001389d0>] [<001181f3>] [<0010a62f>]
    kernel: Code: 8b 1e 11 d8 8b 5e 04 11 d8 8b 5e 08 11 d8 8b 5e 0c 11 d8 8b
    kernel: Aiee, killing interrupt handler

Most of the time, however, the firewall just crashes without any indication of foul play in the log file. Even if the firewall crashes, some network-related tasks will still function.

Solution:

Version 4.6 fixes this problem. Obtaining version 4.6 requires membership of LiveSecurity; information about LiveSecurity can be obtained from the vendor. After applying 4.6, this problem is gone.
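As an added example that is not part of the advisory or of Defcom's work: a small Python parser that pulls the fields a responder would alert on (faulting address, oops code, EIP, process, call trace, and the "Aiee" line that precedes the crash or reboot) out of syslog lines shaped like the oops quoted above. The sample log text is constructed for the example, not a real capture.

```python
import re

# Constructed sample (not a real capture): syslog lines shaped like the kernel
# oops quoted in the advisory, with an unrelated line in front of it.
SAMPLE_LOG = """\
Mar  1 12:00:01 fb kernel: eth0: link up
Mar  1 12:00:07 fb kernel: Unable to handle kernel paging request at virtual address c4000000
Mar  1 12:00:07 fb kernel: current->tss.cr3 = 03557000, %cr3 = 03557000
Mar  1 12:00:07 fb kernel: *pde = 00000000
Mar  1 12:00:07 fb kernel: Oops: 0000
Mar  1 12:00:07 fb kernel: EIP:    0010:[<00186379>]
Mar  1 12:00:07 fb kernel: Process ifconfig (pid: 153, process nr: 6, stackpage=03be7000)
Mar  1 12:00:07 fb kernel: Call Trace: [<00153ad4>] [<0013f845>] [<0013f9b9>]
Mar  1 12:00:07 fb kernel: Aiee, killing interrupt handler
"""

FAULT_RE = re.compile(r"kernel: Unable to handle kernel paging request at virtual address ([0-9a-f]+)")
FIELD_RES = {
    "oops_code": re.compile(r"kernel: Oops: ([0-9a-f]+)"),
    "eip": re.compile(r"kernel: EIP:\s+[0-9a-f]+:\[<([0-9a-f]+)>\]"),
    "process": re.compile(r"kernel: Process (\S+) \(pid: \d+,"),
    "pid": re.compile(r"kernel: Process \S+ \(pid: (\d+),"),
    "trace": re.compile(r"kernel: Call Trace: (.*)"),
}
FATAL_RE = re.compile(r"kernel: Aiee, killing interrupt handler")

def parse_oops_events(log_text):
    """Group oops lines into events and return one dict per event."""
    events, cur = [], None
    for line in log_text.splitlines():
        m = FAULT_RE.search(line)
        if m:  # a new oops starts here
            cur = {"fault_addr": m.group(1), "fatal_irq": False}
            events.append(cur)
            continue
        if cur is None:
            continue  # ordinary line outside any oops
        for key, rx in FIELD_RES.items():
            m = rx.search(line)
            if m:
                cur[key] = m.group(1)
        if FATAL_RE.search(line):
            cur["fatal_irq"] = True  # interrupt handler killed: box will likely hang or reboot
            cur = None  # this oops is complete
    # Normalise the raw strings a responder will compare or alert on.
    for ev in events:
        ev["pid"] = int(ev["pid"]) if "pid" in ev else None
        ev["trace"] = re.findall(r"\[<([0-9a-f]+)>\]", ev.get("trace", ""))
    return events
```

Feed it the firewall's syslog stream and alert on any event, since the advisory notes the box usually dies without logging at all, so a logged oops is the best case for detection.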