
Internet Security Systems Security Advisory December 14, 2000
Posted Dec 15, 2000
Site xforce.iss.net

WatchGuard SOHO is an appliance firewall device targeted at small to mid-sized companies that wish to connect their network to the Internet. ISS X-Force discovered the following vulnerabilities in the SOHO Firewall that may allow an attacker to compromise or deny service to the device:

tags | remote, vulnerability
SHA-256 | 8cc47b08e479f3101cc3f6ca9d94c2fd332658761e4a019a84429b4c8c47abfb

-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Advisory
December 14, 2000

Multiple vulnerabilities in the WatchGuard SOHO Firewall

Synopsis:

WatchGuard SOHO is an appliance firewall device targeted at small
to mid-sized companies that wish to connect their network to the
Internet. ISS X-Force discovered the following vulnerabilities in the
SOHO Firewall that may allow an attacker to compromise or deny service
to the device:


1. Weak Authentication
2. GET Request Buffer Overflow
3. Fragmented IP Packet Attack
4. Password Reset Using POST Operation


Impact:

These vulnerabilities could allow a remote attacker to gain access to
the administrative functions of the firewall without authenticating,
crash the configuration server, or cause the device to stop accepting
network traffic.

Affected Versions:

WatchGuard SOHO Firewall with Firmware 1.6.0
WatchGuard SOHO Firewall with Firmware 2.1.3 (Issue 4 only)


Description:

1. Weak Authentication
By default, WatchGuard SOHO firewalls spawn an HTTP-compliant Web
server that is used to configure the device from a standard Web
browser. The service listens for connections originating from the
private network since many of the configuration options are sensitive
to the network's security. To protect the configuration server from
unauthorized tampering from the private network, the administrator can
enable a username and password that must be used to access the server.
However, this authentication is only enforced on the HTML interface
used to control the firewall, not on the objects that actually
implement the various features.

An attacker can directly request these objects and change the
administrative password or reboot the firewall without knowledge of
the username or password.

2. GET Request Buffer Overflow
An excessively long GET request to the Web server causes the
WatchGuard SOHO configuration server to crash, requiring a reboot to
regain functionality. X-Force has not yet determined if this
vulnerability could be leveraged to execute arbitrary code. However,
this buffer overflow does not yield any additional access beyond what
can be obtained from the weak authentication vulnerability.

3. Fragmented IP packet attack
A large volume of fragmented IP packets directed at the SOHO firewall
exhausts the device's resources, causing it to stop forwarding packets
between interfaces and drop all connections. Rebooting the device is
the only means to restore connectivity between the private and public
networks.

4. Password Reset using POST Operation
WatchGuard SOHO firmware 2.1.3 allows an administrator to set a
password, which is required to access the configuration server's
HTML interface as well as the underlying objects that implement the
various configuration options. However, making a blank unauthenticated
request to the /passcfg object will remove the password, allowing access
to any of the administrative functions without the username/password
combination.

Recommendations:

WatchGuard recommends upgrading to version 2.2.1 to eliminate these
vulnerabilities.

Latest versions of WatchGuard can be accessed at:
http://bisd.watchguard.com/SOHO/Downloads/swupdates.asp

The ISS SAFEsuite assessment software, Internet Scanner, will be
updated to detect these vulnerabilities in an upcoming X-Press Update.

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

CAN-2000-0894 Weak authentication and Password Reset using POST Operation
CAN-2000-0895 GET Request Buffer Overflow
CAN-2000-0896 Fragmented IP packet attack


Credits:

This vulnerability was discovered and researched by Steven Maks
and Keith Jarvis of ISS. Internet Security Systems would like
to thank WatchGuard Technologies Inc. for their response and
handling of these vulnerabilities.

_____


About Internet Security Systems (ISS)

Internet Security Systems, Inc. (ISS) (NASDAQ: ISSX) is the leading
global provider of security management solutions for the Internet. By
combining best of breed products, security management services,
aggressive research and development, and comprehensive educational and
consulting services, ISS is the trusted security advisor for thousands
of organizations around the world looking to protect their mission
critical information and networks.

Copyright (c) 2000 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part
of this Alert in any other medium excluding electronic medium, please
e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as
well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOjj2pTRfJiV99eG9AQG/3QQAqBCd1MaYL9GPK+ua+FB6p+bV0rBCGJ0G
NzQsR2/wF4rw3eATM6CGN6uOUOzDKZOFtFvRxtsrHd08j+aPRHuIKJCAr6oJwbaH
I4l+Xf+22RmpkSzKjGc/RDbH8lR+uqW4JlBowD22hP+BMjxG8tB4RuaIR7wz/bH7
q+ZFxiceCsM=
=vK9U
-----END PGP SIGNATURE-----
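
An added detection example, not part of the ISS advisory or of WatchGuard's software: it flags requests to the configuration server that match issues 1, 2 and 4 as described above. The log format, the login page names, the /example-object path and the length threshold are assumptions made for illustration; only /passcfg comes from the advisory.

```python
import re

# Constructed sensor log format (an assumption, not WatchGuard output):
#   <source-ip> <method> <path> auth=<yes|no> body=<bytes>
LINE = re.compile(r"^(\S+) (GET|POST) (\S+) auth=(yes|no) body=(\d+)$")

PASSWORD_OBJECT = "/passcfg"        # object named in the advisory (issue 4)
LOGIN_PAGES = {"/", "/index.htm"}   # hypothetical pages reachable before login
MAX_PATH_LEN = 1024                 # assumed cut-off for an over-long GET


def classify(line):
    """Return the advisory issues a single logged request matches."""
    m = LINE.match(line.strip())
    if m is None:
        return ["unparsed"]
    _src, method, path, auth, body = m.groups()
    findings = []
    if method == "GET" and len(path) > MAX_PATH_LEN:
        findings.append("long-get")                 # issue 2
    if auth == "no" and path == PASSWORD_OBJECT and int(body) == 0:
        findings.append("blank-passcfg")            # issue 4
    elif auth == "no" and path not in LOGIN_PAGES and len(path) <= MAX_PATH_LEN:
        findings.append("unauthenticated-object")   # issue 1
    return findings


def scan(lines):
    """Map each source address to the sorted findings it triggered."""
    report = {}
    for line in lines:
        src = line.split(" ", 1)[0]
        for finding in classify(line):
            report.setdefault(src, set()).add(finding)
    return {src: sorted(found) for src, found in report.items()}


# Constructed sample traffic; addresses and /example-object are hypothetical.
SAMPLE = [
    "192.168.111.10 GET /index.htm auth=no body=0",
    "192.168.111.10 GET /example-object auth=yes body=0",
    "192.168.111.23 POST /passcfg auth=no body=0",
    "192.168.111.23 GET /example-object auth=no body=0",
    "192.168.111.40 GET /" + "A" * 2000 + " auth=no body=0",
]

if __name__ == "__main__":
    for src, found in scan(SAMPLE).items():
        print(src, found)
```

Sources that only load a login page or send authenticated requests do not appear in the report.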



