COMMAND

    WatchGuard SOHO Firewall

SYSTEMS AFFECTED

    WatchGuard SOHO Firewall 2.2 and prior

PROBLEM

    The following is based on Steve Fallin's post.  On September 13, ISS
    advised  WatchGuard  of  three  suspected vulnerabilities in older
    versions (prior to 2.2) of software  running on WatchGuard's  SOHO
    Firebox  product.   They  later  reported  a fourth vulnerability.
    The vulnerabilities are:

    1. Inappropriately  accessing configuration  files using  the HTTP
       configuration server (affects releases prior to 2.1.3)

       ISS  found  the  SOHO  responded  to  HTTP  requests  (such  as
       192.168.111.1/secret.dat to access  the file secret.dat).   The
       SOHO  only  honors  HTTP  requests  from inside the trusted LAN
       network.  Outsiders could not exploit this vulnerability.  This
       vulnerability was verified and corrected in Release 2.1.3.

    2. A possible buffer overflow  - arbitrary code might be  executed
       by  sending  an  excessively  long  HTTP  GET  request (affects
       releases prior to 2.1.3)

       Because of the way memory is architected in the SOHO, they do
       not believe that this exploit could be used to run arbitrary
       code.  They believe that the potential damage caused by this
       attack would be a Denial of Service by crashing the
       administration server, requiring a reboot.  Again, this
       vulnerability could only be exploited inside the trusted LAN.

    3. DoS  could  be  induced  by  flooding the SOHO with  fragmented
       packets (affects release 1.6.0 and previous)

       SOHO was  able to  reproduce this  problem with  version 1.6.0.
       1.6.0 stopped  shipping in  early August.   The issue  does not
       exist in any 2.x  release.  All LiveSecurity  subscribers would
       have updated  their SOHOs  to a  2.x release  long before  this
       vulnerability was reported.

    4. SOHO  password  can  be  reset  using a POST operation  without
       authentication (affects releases prior to 2.2.0)

       The SOHO only honors HTTP requests from inside the trusted  LAN
       network.   Outsiders  could  not  exploit  this  vulnerability.
       This vulnerability was verified  and corrected in Release  2.2.
       Release  2.2  was  broadcast  to  all  current  subscribers  in
       mid-November and has been available on our Web site since then.

SOLUTION

    All the items were addressed in previous releases of the  software
    and are no longer issues.   The currently shipping version of  the
    SOHO  software  is  2.2.1.   Current  LiveSecurity subscribers are
    automatically  sent  new  versions  of  software  as  the software
    becomes available.  In addition,  the most current version of  the
    software  is  always  posted  on  our  Web site.  All LiveSecurity
    subscribers  should  be  running  the  most current version of the
    software to maintain the highest level of protection.
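
    The per-issue version thresholds listed under PROBLEM can be checked
    against a device inventory as follows.  This is an added example, not
    part of the original advisory or WatchGuard's tooling; the device names
    and inventory are constructed, and "2.2" is assumed to mean 2.2.0.

```python
import re

# Thresholds as stated in the advisory. "prior to X" is an exclusive bound;
# "X and previous" is inclusive. Descriptions paraphrase the advisory items.
ISSUES = {
    1: ("config files readable via HTTP configuration server", (2, 1, 3), False),
    2: ("possible buffer overflow via long HTTP GET", (2, 1, 3), False),
    3: ("DoS via flood of fragmented packets", (1, 6, 0), True),
    4: ("password reset via unauthenticated POST", (2, 2, 0), False),
}

def parse_version(text):
    """Turn '2.2' or '2.1.3' into a 3-tuple; raise ValueError otherwise."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,2}", text):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # assumption: 2.2 == 2.2.0

def affected_issues(version_text):
    """Return the advisory item numbers that apply to a firmware version."""
    v = parse_version(version_text)
    return sorted(n for n, (_, bound, inclusive) in ISSUES.items()
                  if v < bound or (inclusive and v == bound))

def triage(inventory):
    """Map device -> list of item numbers, or None if the version is unparseable."""
    report = {}
    for device, version in inventory.items():
        try:
            report[device] = affected_issues(version)
        except ValueError:
            report[device] = None  # needs a manual check on the unit itself
    return report

if __name__ == "__main__":
    # Constructed inventory for illustration only.
    sample = {"branch-a": "1.6.0", "branch-b": "2.1.3",
              "branch-c": "2.2.1", "branch-d": "n/a"}
    for device, items in triage(sample).items():
        if items is None:
            print(f"{device}: version unknown, check manually")
        elif items:
            print(f"{device}: upgrade needed, exposed to items {items}")
            for n in items:
                print(f"    {n}. {ISSUES[n][0]}")
        else:
            print(f"{device}: not affected by items 1-4")
```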