COMMAND

    Watchguard Firewall

SYSTEMS AFFECTED

    Watchguard Firewall

PROBLEM

    Philip J Lewis has found that the embedded Linux-based  Watchguard
    Firebox  II  Firewall  product  range  is vulnerable to read-write
    access using only a read-only passphrase.  This gives a  read-only
    user the ability to make changes to the firewall remotely  without
    either  authorization  or  a  read-write  passphrase.  The risk is
    remote firewall compromise.

    Platforms  tested   (other  Watchguard   firewalls  may   also  be
    vulnerable):

        Watchguard FireboxII
        Watchguard FireboxII+
        Watchguard FireboxII Fast VPN

    Firmware Versions (previous versions,  including MSS, may also  be
    vulnerable): LSS version 4.0 until 4.5 inclusive.

    The method of exploit  involves the using the  supplied watchguard
    configuration tools/libraries  and using  their library  functions
    to make an  SSL connection to  the firebox via  TCP/IP.  You  must
    authenticate  using  the  read-only  passphrase  and issue the MPF
    command  (Watchguard's  proprietary  firewall  software,   'Mazama
    Packet Filter') to get a binary file from the flash filesystem  on
    the  firebox.   Retrieve  the  file called '/var/lib/mpf/keys.gz'.
    This contains the hashed  read-only and read-write passphrases  in
    gziped  format.   It  is  not  important  to decrypt these keys as
    these are sent to the  firebox in exactly this hashed  format when
    authenticating an SSL connection  anyway.  This read-write  hashed
    passphrase can then be used  with the MPF library to  authenticate
    and write  files to  that particular  firewall such  as a modified
    configuration or issue commands to reboot the firewall.

    To  minimize  the  risk  of  such  an  attack  Watchguard Firewall
    administrators should  make sure  that they  do not  use a  'weak'
    read-only password  and that  the configuration  port rule  on the
    firewall  will  only  allow  incoming  connections  from   trusted
    IPs/users.  Apply the vendor hotfix below.

SOLUTION

    The vendor promptly responded with a Hotfix. It can be  downloaded
    by registered Live Security System subscribers from:

        https://www.watchguard.com/esupport.htm

    The patch is called: 'Hotfix 010107'