COMMAND
Watchguard Firewall
SYSTEMS AFFECTED
Watchguard Firewall
PROBLEM
Philip J Lewis has found that the embedded Linux-based Watchguard
Firebox II Firewall product range is vulnerable to read-write
access using only a read-only passphrase. This gives a read-only
user the ability to make changes to the firewall remotely without
either authorization or a read-write passphrase. The risk is
remote firewall compromise.
Platforms tested (other Watchguard firewalls may also be
vulnerable):
Watchguard FireboxII
Watchguard FireboxII+
Watchguard FireboxII Fast VPN
Firmware Versions (previous versions, including MSS, may also be
vulnerable): LSS version 4.0 through 4.5 inclusive.
The method of exploit involves using the supplied Watchguard
configuration tools/libraries and their library functions
to make an SSL connection to the firebox via TCP/IP. You must
authenticate using the read-only passphrase and issue the MPF
command (Watchguard's proprietary firewall software, 'Mazama
Packet Filter') to get a binary file from the flash filesystem on
the firebox. Retrieve the file called '/var/lib/mpf/keys.gz'.
This contains the hashed read-only and read-write passphrases in
gzipped format. It is not important to decrypt these keys as
these are sent to the firebox in exactly this hashed format when
authenticating an SSL connection anyway. This read-write hashed
passphrase can then be used with the MPF library to authenticate
and write files to that particular firewall such as a modified
configuration or issue commands to reboot the firewall.
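The underlying flaw, that the stored passphrase hash is itself the credential the firebox accepts, is modelled below as an added example that is neither Watchguard's code nor its actual MPF protocol: the hash algorithm, the PBKDF2 parameters and the sample passphrase are assumptions, and the hardened server stands for any design in which the stored verifier alone cannot authenticate.

```python
import hashlib, hmac, os

# Constructed toy model of two authentication designs, not Watchguard's
# actual MPF protocol or hash format. Each "server" keeps the verifier that
# a read-only user could have pulled from keys.gz and answers the question:
# is possession of that stored verifier alone enough to log in as read-write?

class HashAsCredentialServer:
    """Flawed design: the client transmits the hash and the server compares it
    against the stored hash, so the stored value IS the credential."""
    def __init__(self, rw_passphrase):
        self.stored = hashlib.sha256(rw_passphrase).digest()  # assumed algorithm

    def authenticate(self, presented_hash):
        return hmac.compare_digest(self.stored, presented_hash)

class SaltedVerifierServer:
    """Hardened design: the server stores salt + slow hash and the client sends
    the passphrase itself (inside the SSL session). The stored verifier is only
    useful for checking a passphrase, not for presenting one."""
    def __init__(self, rw_passphrase):
        self.salt = os.urandom(16)
        self.stored = hashlib.pbkdf2_hmac('sha256', rw_passphrase, self.salt, 100_000)

    def authenticate(self, presented_passphrase):
        candidate = hashlib.pbkdf2_hmac('sha256', presented_passphrase, self.salt, 100_000)
        return hmac.compare_digest(self.stored, candidate)

def leaked_verifier_suffices(server):
    """Simulate the advisory's scenario: the attacker holds a copy of the
    server's stored verifier (as if read from keys.gz) but not the passphrase.
    Returns True if that copy alone authenticates."""
    return server.authenticate(server.stored)

def demo():
    rw = b"correct horse battery staple"   # constructed sample passphrase
    flawed = HashAsCredentialServer(rw)
    hardened = SaltedVerifierServer(rw)
    return {
        "flawed_accepts_leaked_hash": leaked_verifier_suffices(flawed),
        "hardened_accepts_leaked_hash": leaked_verifier_suffices(hardened),
        "hardened_accepts_real_passphrase": hardened.authenticate(rw),
    }

if __name__ == "__main__":
    print(demo())
```

The first result is the advisory's condition (a read-only user who obtains keys.gz needs no cracking); the second shows that with a proper verifier the same leak only enables an offline guessing attack, which the 'weak passphrase' advice above is about.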
To minimize the risk of such an attack Watchguard Firewall
administrators should make sure that they do not use a 'weak'
read-only password and that the configuration port rule on the
firewall will only allow incoming connections from trusted
IPs/users. Apply the vendor hotfix below.
SOLUTION
The vendor promptly responded with a Hotfix. It can be downloaded
by registered Live Security System subscribers from:
https://www.watchguard.com/esupport.htm
The patch is called: 'Hotfix 010107'