COMMAND

    Watchguard Firebox II

SYSTEMS AFFECTED

    Watchguard Firebox II all versions prior to 4.6

PROBLEM

    Following is based on a Defcom Labs Advisory def-2001-18 by Andreas
    Sandor and Peter Grundl. This vulnerability makes it possible to force
    the Firebox into a condition where it stops responding to packets of a
    certain protocol after it has been sent large bursts of packets for
    that protocol.

    The Linux-based kernel in the Watchguard Firebox has problems handling
    certain types of malformed packets. If the firewall is subjected to a
    burst of around 10,000 of these packets, it will cause a kernel fault
    and either crash or reboot.

    Both TCP and ICMP are affected by this. The burst rate needed to
    trigger a kernel fault was about one megabit in Defcom's test lab,
    which isn't that uncommon these days.

    If the firewall manages to log the attack, the log file might look
    something like this:

        kernel:  Unable to handle kernel paging request at virtual address c4000000
        kernel:  current->tss.cr3 = 03557000, %cr3 = 03557000
        kernel:  *pde = 00000000
        kernel:  Oops: 0000
        kernel:  CPU:    0
        kernel:  EIP:    0010:[<00186379>]
        kernel:  EFLAGS: 00010206
        kernel:  eax: 8c807bd9   ebx: 636f7270   ecx: 07f65441   edx: ffffffff
        kernel:  esi: 04000000   edi: 02ca8818   ebp: 02ca882c   esp: 03be7f08
        kernel:  ds: 0018   es: 0018   fs: 002b   gs: 002b   ss: 0018
        kernel:  Process ifconfig (pid: 153, process nr: 6, stackpage=03be7000)
        kernel:  Stack: 00000013 03049b98 00153ad4 02ca8840 ffffffff 00000000 09002d0a 02ca8818
        kernel:         0000002e 03be7f80 00000013 02ca8848 0013f845 00000002 0013f9b9 03be7f88
        kernel:         001a3e54 00000000 02ca8848 0019ca48 0019ca48 002af018 00000000 00000000
        kernel:  Call Trace: [<00153ad4>] [<0013f845>] [<0013f9b9>] [<001389d0>] [<001181f3>] [<0010a62f>]
        kernel:  Code: 8b 1e 11 d8 8b 5e 04 11 d8 8b 5e 08 11 d8 8b 5e 0c 11 d8 8b
        kernel:  Aiee, killing interrupt handler

    But most of the time the firewall just crashes without any indication
    of foul play in the log file. Even if the firewall crashes, some
    network-related tasks will still function.
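
    Because the crash is only sometimes logged, a monitoring system should
    at least pick up the oops when it does appear. The following parser is
    an added example (not part of the advisory or the vendor's software)
    that extracts the fault address, EIP, faulting process and call trace
    from the log format shown above; the sample log is constructed from
    the advisory's lines with an ordinary firewall log line mixed in.

```python
import re
# Patterns for the Linux 2.x oops lines in the advisory's log excerpt.
_RE_FAULT = re.compile(r"Unable to handle kernel paging request at virtual address ([0-9a-f]+)")
_RE_EIP = re.compile(r"EIP:\s+[0-9a-f]+:\[<([0-9a-f]+)>\]")
_RE_PROC = re.compile(r"Process (\S+) \(pid: (\d+)")
_RE_ADDR = re.compile(r"\[<([0-9a-f]+)>\]")

def parse_oops(lines):
    """Summarise the first kernel oops in `lines`; only `kernel:` lines are parsed."""
    event = None
    for raw in lines:
        if "kernel:" not in raw:
            continue  # ordinary firewall log lines are ignored
        msg = raw.split("kernel:", 1)[1].strip()
        m = _RE_FAULT.search(msg)
        if m:  # the paging-request line opens a new oops block
            event = {"fault_addr": m.group(1), "eip": None, "process": None,
                     "pid": None, "trace": [], "irq_killed": False}
            continue
        if event is None:
            continue
        if m := _RE_EIP.search(msg):
            event["eip"] = m.group(1)
        elif m := _RE_PROC.search(msg):
            event["process"], event["pid"] = m.group(1), int(m.group(2))
        elif msg.startswith("Call Trace:"):
            event["trace"] = _RE_ADDR.findall(msg)
        elif "Aiee, killing interrupt handler" in msg:
            event["irq_killed"] = True
            break  # the oops block ends here
    return event

def oops_alert(lines):
    """One-line alert text for a monitoring system, or None when no oops was logged."""
    ev = parse_oops(lines)
    if ev is None:
        return None
    return (f"kernel oops in {ev['process']} (pid {ev['pid']}) at EIP {ev['eip']}, "
            f"fault address {ev['fault_addr']}, irq_killed={ev['irq_killed']}")

# Constructed sample: the advisory's oops lines with an ordinary log line in front.
SAMPLE_LOG = [
    "firewalld: allow TCP 10.0.0.5 -> 10.0.0.1 port 80",
    "kernel:  Unable to handle kernel paging request at virtual address c4000000",
    "kernel:  EIP:    0010:[<00186379>]",
    "kernel:  Process ifconfig (pid: 153, process nr: 6, stackpage=03be7000)",
    "kernel:  Call Trace: [<00153ad4>] [<0013f845>] [<0013f9b9>] [<001389d0>]",
    "kernel:  Aiee, killing interrupt handler",
]
```

    Since the advisory notes that most crashes leave no log entry at all,
    pair this with an external reachability or uptime check of the Firebox.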

SOLUTION

    Obtaining version 4.6 requires membership of LiveSecurity. Information
    about LiveSecurity can be obtained from the vendor. After applying 4.6,
    this problem is gone.