[VulnWatch] KPMG-2002027: Watchguard Soho FTP authentication flaw
From: Peter Gründl (pgrundl@kpmg.dk)
Date: 07/01/02
From: Peter Gründl <pgrundl@kpmg.dk>
To: "vulnwatch" <vulnwatch@vulnwatch.org>
Date: Mon, 1 Jul 2002 11:01:14 +0200
--------------------------------------------------------------------
Title: Watchguard Soho FTP authentication flaw
BUG-ID: 2002027
Released: 01st Jul 2002
--------------------------------------------------------------------
Problem:
========
A malicious user with access to the internal network interface card
would not have to know the username to log on to the FTP service,
and could attempt to bruteforce the password and thus gain access
to the firewall configuration.
Vulnerable:
===========
- Watchguard Soho Firewall, firmware 5.0.35a
Details:
========
Before going into detail with the problem, I would like to sum up
some mitigating factors:
- This attack could only be carried out by someone with access to
the Trusted Network interface.
- The attacker would still have to guess the password.
- If you are using this firewall at home, this is not likely to
be a problem for you.
The problem is that the FTP service is enabled by default,
because it is used when the firmware is upgraded. The service
gives the appearance of being protected by both a username and a
password, but it is only necessary to know the correct password.
If a user gains access to the FTP service, he/she has full control
over the firewall configuration.
To determine if you are vulnerable to this:

    ftp -n your.soho.firewall
    quote pass <your password>
    ls
    get wg.cfg
    quit

Vendor URL:
===========
You can visit the vendor webpage here: http://www.watchguard.com
Vendor Response:
================
This was reported to the vendor on the 6th of April, 2002. There is
currently no scheduled release date for the next firmware version.
Corrective action:
==================
The FTP service is only used when you need to upgrade the firmware.
Disable the FTP service to prevent bruteforce access to the
configuration file:
1) Log on to the firewall HTTP management service
2) Select "Firewall Options"
3) Make sure there is a tick next to the field
"Do not allow FTP access to Trusted Network interface"
Author: Peter Gründl (pgrundl@kpmg.dk)
--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be
liable for any consequences whatsoever arising out of or in connection
with the use or spread of this information.
--------------------------------------------------------------------
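The check under "Details" above, turned into an audit of recorded FTP control-channel sessions. This is an added example, not part of the original advisory or any vendor code. It flags a PASS that the server accepted (230) without a preceding USER that was answered with 331, and counts rejected passwords (530). The "C:"/"S:" transcript format, reply texts and user name are constructed assumptions.

```python
import re

# Constructed control-channel transcripts ("C:" client, "S:" server), not
# captured from a real device; reply texts and the user name are made up.
VULNERABLE = """S: 220 FTP service ready
C: PASS example-password
S: 230 User logged in
C: RETR wg.cfg
S: 150 Opening data connection
S: 226 Transfer complete"""
CONFORMING = """S: 220 FTP service ready
C: PASS example-password
S: 503 Login with USER first
C: USER admin
S: 331 Password required
C: PASS wrong-1
S: 530 Login incorrect
C: USER admin
S: 331 Password required
C: PASS wrong-2
S: 530 Login incorrect"""

def audit_transcript(text):
    """Return (pass_accepted_without_user, failed_pass_count) for one session."""
    user_pending = False     # True between a 331 reply to USER and the next PASS
    pass_had_user = False    # whether the PASS being answered followed such a USER
    last_cmd = None          # client command still waiting for its reply
    accepted_without_user, failed = False, 0
    for line in text.splitlines():
        m = re.match(r"\s*([CS]):\s*(\S+)", line)
        if not m:
            continue
        side, token = m.groups()
        if side == "C":
            last_cmd = token.upper()
            if last_cmd == "PASS":
                pass_had_user, user_pending = user_pending, False
        elif token[:3].isdigit():
            code = int(token[:3])
            if last_cmd == "USER":
                user_pending = code == 331
            elif last_cmd == "PASS":
                if code == 230 and not pass_had_user:
                    accepted_without_user = True   # the flaw in this advisory
                elif code == 530:
                    failed += 1                    # one wrong password guess
            last_cmd = None
    return accepted_without_user, failed

if __name__ == "__main__":
    print(audit_transcript(VULNERABLE), audit_transcript(CONFORMING))
```

A server that enforces the command sequence answers a bare PASS with 503, so the first result should never be true for it; a rising second value from one source is the bruteforce attempt the advisory warns about.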