From pgrundl@kpmg.dk Mon Jul 1 12:49:55 2002
From: "Peter Gründl"
To: vulnwatch
Date: Mon, 1 Jul 2002 11:01:14 +0200
Subject: [VulnWatch] KPMG-2002027: Watchguard Soho FTP authentication flaw

--------------------------------------------------------------------

Title: Watchguard Soho FTP authentication flaw

BUG-ID: 2002027
Released: 01st Jul 2002
--------------------------------------------------------------------

Problem:
========
A malicious user with access to the internal network interface card
would not have to know the username to log on to the FTP service,
and could attempt to bruteforce the password and thus gain access to
configuring the firewall.

Vulnerable:
===========
- Watchguard Soho Firewall, firmware 5.0.35a

Details:
========
Before going into detail with the problem, I would like to sum up
some mitigating factors:

- This attack could only be carried out by someone with access to
  the Trusted Network interface.
- The attacker would still have to guess the password.
- If you are using this firewall at home, this is not likely to be a
  problem for you.

The problem is that the FTP service is enabled by default, because
it is used when the firmware is upgraded. The service gives the
appearance of being protected both by a username and a password, but
it is only necessary to know the correct password.

If a user gains access to the FTP service, he/she has full control
over the firewall configuration.

To determine if you are vulnerable to this:

ftp -n your.soho.firewall
quote pass
ls
get wg.cfg
quit

Vendor URL:
===========
You can visit the vendor webpage here: http://www.watchguard.com

Vendor Response:
================
This was reported to the vendor on the 6th of April, 2002. There is
currently no scheduled release date for the next firmware version.

Corrective action:
==================
The FTP service is only used when you need to upgrade the firmware.
So disable the FTP service, to prevent bruteforcing access to the
configuration file:

1) Log on to the firewall http management service
2) Select "Firewall Options"
3) Make sure there is a tick next to the field "Do not allow FTP
   access to Trusted Network interface"

Author: Peter Gründl (pgrundl@kpmg.dk)

--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be
liable for any consequences whatsoever arising out of or in
connection with the use or spread of this information.
--------------------------------------------------------------------
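
Added example (not part of the original advisory or any vendor code): a detection sketch that scans recorded FTP control-channel lines for the behaviour described under "Details", namely a successful login where PASS was not immediately preceded by USER, repeated failed PASS attempts, and retrieval of wg.cfg. The transcript format, the session ids, the finding names and the use of standard RFC 959 reply codes (230, 331, 530) by the device are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample, not a real capture. Assumed sensor format:
# "<session-id> <C|S> <FTP control line>", with PASS arguments masked.
SAMPLE = """\
s1 S 220 FTP server ready
s1 C USER admin
s1 S 331 Password required
s1 C PASS ********
s1 S 230 Logged in
s2 S 220 FTP server ready
s2 C PASS ********
s2 S 530 Login incorrect
s2 C PASS ********
s2 S 530 Login incorrect
s2 C PASS ********
s2 S 230 Logged in
s2 C RETR wg.cfg
s2 S 226 Transfer complete
"""

def analyse(transcript, fail_threshold=2):
    """Map session id -> findings for the behaviour the advisory describes."""
    state = defaultdict(lambda: {"prev": "", "cur": "", "fails": 0})
    findings = defaultdict(list)
    for raw in transcript.splitlines():
        m = re.match(r"(\S+) ([CS]) (.+)", raw)
        if not m:
            continue  # skip lines that are not in the assumed format
        sid, side, line = m.groups()
        st = state[sid]
        if side == "C":
            verb = line.split()[0].upper()
            st["prev"], st["cur"] = st["cur"], verb  # remember command order
            if verb == "RETR" and line.split()[-1] == "wg.cfg":
                findings[sid].append("config-download")
        elif st["cur"] == "PASS" and line[3:4] != "-":  # final reply line only
            if line.startswith("230") and st["prev"] != "USER":
                findings[sid].append("login-without-USER")
            elif line.startswith("530"):
                st["fails"] += 1
                if st["fails"] == fail_threshold:
                    findings[sid].append("password-guessing")
            st["cur"] = ""  # reply consumed; the next PASS needs a fresh USER
    return dict(findings)

if __name__ == "__main__":
    for sid, hits in analyse(SAMPLE).items():
        print(sid, ", ".join(hits))
```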