[ SOURCE: http://www.secureroot.com/security/advisories/9768335866.html ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Overview:

On September 13, ISS advised WatchGuard of three suspected vulnerabilities in older versions (prior to 2.2) of the software running on WatchGuard's SOHO Firebox product. ISS later reported a fourth vulnerability. The vulnerabilities are:

1. Inappropriate access to configuration files through the HTTP configuration server (affects releases prior to 2.1.3).

2. A possible buffer overflow: arbitrary code might be executed by sending an excessively long HTTP GET request (affects releases prior to 2.1.3).

3. Denial of service induced by flooding the SOHO with fragmented packets (affects release 1.6.0 and earlier).

4. SOHO password reset by a POST request without authentication (affects releases prior to 2.2.0).

All four items were addressed in earlier releases of the software and are no longer issues. The currently shipping version of the SOHO software is 2.2.1. Current LiveSecurity subscribers are automatically sent new versions of the software as they become available, and the most current version is always posted on our Web site. All LiveSecurity subscribers should be running the most current version of the software to maintain the highest level of protection.

Analysis:

1. Inappropriate Access via HTTP Vulnerability

ISS found that the SOHO served files in response to plain HTTP requests for them (for example, a request for 192.168.111.1/secret.dat returned the file secret.dat). The SOHO only honors HTTP requests from inside the trusted LAN network, so the vulnerability could only be exploited from inside the trusted LAN; outsiders could not exploit it. This vulnerability was verified and corrected in Release 2.1.3. Release 2.1.3 was broadcast to all current subscribers in mid-September and has been available on our Web site since then.

2. Long HTTP GET Requests

Because of the way memory is architected in the SOHO, we do not believe that this exploit could be used to run arbitrary code. We believe that the potential damage caused by this attack would be a denial of service: the administration server crashes and the unit requires a reboot. Again, this vulnerability could only be exploited from inside the trusted LAN. This vulnerability was verified and corrected in Release 2.1.3, which was broadcast to all current subscribers in mid-September and has been available on our Web site since then.

3. DoS from Flooding a SOHO with Fragmented Packets

We were able to reproduce this problem with version 1.6.0. Version 1.6.0 stopped shipping in early August, and the issue does not exist in any 2.x release. All LiveSecurity subscribers would have updated their SOHOs to a 2.x release long before this vulnerability was reported.

4. SOHO Password Reset Using a POST Operation without Authentication

The SOHO only honors HTTP requests from inside the trusted LAN network, so the vulnerability could only be exploited from inside the trusted LAN; outsiders could not exploit it. This vulnerability was verified and corrected in Release 2.2. Release 2.2 was broadcast to all current subscribers in mid-November and has been available on our Web site since then.

To reiterate, all four items were addressed in earlier releases of the software and are no longer issues. The currently shipping version of the SOHO software is 2.2.1; current LiveSecurity subscribers receive new versions automatically, the most current version is always posted on our Web site, and all subscribers should be running it to maintain the highest level of protection.

Sincerely,

Steve Fallin
Director, Rapid Response Team
WatchGuard Technologies, Inc.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.0.2

iQA/AwUBOjgJSE3Vi9lbkWzpEQKW5QCg+dM6D3c5ya8pPxTmjSPGCdrmq0EAnihX
Yc1KXFTdTMY+aqeuN3Er+f+n
=tpgB
-----END PGP SIGNATURE-----
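As an added example that is not part of the advisory and is not WatchGuard's code: the fixed-in thresholds stated in the advisory (2.1.3 for items 1 and 2, 2.2.0 for item 4, and "1.6.0 and previous" with no 2.x release affected for item 3) turn into a small triage script for an inventory of SOHO units. The unit names and running versions in the inventory are constructed, the 2.0.0 threshold used for item 3 is an assumption (the advisory does not speak to releases between 1.6.0 and 2.0), and the point the script demonstrates is numeric rather than lexical version comparison, which is where a fleet check of this kind usually goes wrong.

```python
"""Triage which items of the SOHO advisory apply to a given firmware version.

Added example, not WatchGuard's code. Thresholds come from the advisory text;
the inventory at the bottom is constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass


def parse_version(v: str) -> tuple[int, int, int]:
    """Turn '2.1.3' into (2, 1, 3) so releases compare numerically.

    Comparing version strings lexically gets this wrong ('2.10' < '2.2'),
    which is how an inventory check ends up reporting patched units as
    vulnerable, or vulnerable units as patched.
    """
    parts = [int(p) for p in v.strip().split(".")]
    parts += [0] * (3 - len(parts))          # '2.2' and '2.2.0' are the same release
    return (parts[0], parts[1], parts[2])


@dataclass(frozen=True)
class Issue:
    number: int
    title: str
    fixed_in: str    # first release the advisory says is not affected
    lan_only: bool   # advisory states it is exploitable only from the trusted LAN


# "Prior to X" in the advisory means X is the first clean release.
# Item 3 is stated as "1.6.0 and previous" plus "does not exist in any 2.x
# release"; the 2.0.0 threshold is an assumption that errs toward flagging
# any 1.x release the advisory does not mention.
ADVISORY_ISSUES = (
    Issue(1, "configuration files readable via HTTP configuration server", "2.1.3", True),
    Issue(2, "long HTTP GET crashes the administration server", "2.1.3", True),
    Issue(3, "DoS from a flood of fragmented packets", "2.0.0", False),
    Issue(4, "password reset by unauthenticated POST", "2.2.0", True),
)

CURRENT_RELEASE = "2.2.1"   # currently shipping version, per the advisory


def affected_issues(version: str) -> list[Issue]:
    """Advisory items that still apply to a unit running `version`."""
    v = parse_version(version)
    return [i for i in ADVISORY_ISSUES if v < parse_version(i.fixed_in)]


def minimum_clean_version(version: str) -> str:
    """Lowest release that clears every open item, or `version` if none are open."""
    open_items = affected_issues(version)
    if not open_items:
        return version
    return max((i.fixed_in for i in open_items), key=parse_version)


def triage(inventory: dict[str, str]) -> dict[str, dict]:
    """Map each unit to its open items, whether exposure is LAN-only, and the upgrade target."""
    report = {}
    for unit, version in inventory.items():
        open_items = affected_issues(version)
        report[unit] = {
            "version": version,
            "affected": [i.number for i in open_items],
            # True only when every open item is one the advisory limits to the trusted LAN.
            "lan_only_exposure": bool(open_items) and all(i.lan_only for i in open_items),
            "upgrade_to": CURRENT_RELEASE if open_items else None,
        }
    return report


# Constructed sample inventory: hypothetical unit names and running versions.
SAMPLE_INVENTORY = {
    "soho-branch-1": "2.1.2",
    "soho-branch-2": "1.6.0",
    "soho-hq": "2.2.1",
}

if __name__ == "__main__":
    for unit, r in triage(SAMPLE_INVENTORY).items():
        items = ", ".join(str(n) for n in r["affected"]) or "none"
        print(f"{unit}: running {r['version']}; open items: {items}; "
              f"LAN-only exposure: {r['lan_only_exposure']}; "
              f"upgrade to: {r['upgrade_to'] or 'n/a'}")
```

Run it as a script to print one line per unit; `minimum_clean_version` gives the smallest release named in the advisory that closes a unit's open items, while `triage` reports the currently shipping release as the upgrade target, since the advisory tells subscribers to run the most current version rather than the minimum fix.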