Severity: High
17 November, 2008
Summary:
- This vulnerability affects: Firebox X Edge 10.2.3 (and earlier versions)
- How an attacker exploits it: By entering a specially crafted username into the authentication page, or by manually visiting a specific URL
- Impact: A remote attacker can authenticate to your Edge without valid login credentials, in some cases gaining VPN access to your network
- What to do: Install 10.2.4 immediately
Exposure:
In order for you to verify that your users really are who they claim to be, the Firebox X Edge supports various types of user authentication. With user authentication configured, you can create URL filtering or VPN policies that permit or deny data traffic based on who someone is, rather than based on the IP address they come from. You also utilize user authentication when setting up mobile VPN access to your network. The Edge provides a secure HTTPS web page that allows your users to authenticate to your Edge.
Unfortunately, the web-based authentication pages running on the Edge suffer from various authentication bypass vulnerabilities, some due to lack of input validation in the web application. By entering a specially crafted username into the authentication page, or by manually visiting a specific URL, an anonymous attacker can successfully authenticate to your Edge without valid login credentials.
When an attacker exploits this authentication bypass vulnerability, he essentially authenticates as a non-existent, “null” user. Any policies you’ve created using your real user accounts will not apply to this “null” user. By default, the “null” user gains no additional privileges to your Edge, or on your network.
However, the Edge ships with a pre-supplied user group called “default.” In its factory configuration, the “default” user group does not have any privileges that matter. But any settings you apply to the “default” user group affect all of your Edge’s users, including the non-existent, “null” user. For instance, if you allow the “default” user group access to your Edge via Mobile SSL VPN, then an attacker could exploit this vulnerability to gain SSL VPN access to your network, even though the attacker doesn’t have valid login credentials. If you’ve given any privilege to the “default” user group, then this authentication bypass vulnerability poses a critical risk to your network.
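The following is an added illustration, not WatchGuard code and not the Edge’s actual login logic. It is a small Python model of the privilege leak described above and of the “default” group check given in the FAQ’s workaround: a bypassed login produces a “null” principal with no real account, every session is implicitly a member of the “default” group, so any privilege attached to “default” (for example SSL VPN) is inherited by that null principal. The flawed handler, the user names, passwords and group names are all constructed for the example; the hardened handler shows the fail-closed behaviour (no resolved account, no session) that prevents a null principal from existing at all.

```python
# Added example (not WatchGuard code): a model of the "default" group privilege leak.
# Usernames, passwords and group names below are constructed for the example.
import re
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Allow-list for usernames; rejects crafted input that does not look like an account name.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


@dataclass
class Group:
    name: str
    ssl_vpn: bool = False
    admin: bool = False


@dataclass
class User:
    name: str
    password: str  # plaintext only because this is a policy model, not a credential store
    groups: List[str] = field(default_factory=list)


@dataclass(frozen=True)
class Principal:
    name: Optional[str]  # None models the non-existent "null" user
    authenticated: bool = True


class Edge:
    def __init__(self, users: List[User], groups: List[Group]):
        self.users: Dict[str, User] = {u.name: u for u in users}
        self.groups: Dict[str, Group] = {g.name: g for g in groups}

    def vulnerable_login(self, username: str, password: str) -> Optional[Principal]:
        """Hypothetical stand-in for the flawed handler: a real account must match its
        password, but input that does not parse as an account name still gets a session."""
        user = self.users.get(username)
        if user is not None:
            return Principal(username) if secrets.compare_digest(user.password, password) else None
        if not USERNAME_RE.match(username):
            return Principal(None)  # the bypass: an authenticated session with no identity
        return None

    def hardened_login(self, username: str, password: str) -> Optional[Principal]:
        """Fail closed: validate input, resolve the account, check the password, else no session."""
        if not USERNAME_RE.match(username):
            return None
        user = self.users.get(username)
        if user is None or not secrets.compare_digest(user.password, password):
            return None
        return Principal(username)

    def effective_groups(self, p: Principal) -> List[Group]:
        """Every session is in "default"; named accounts add their own groups on top."""
        names = ["default"]
        if p.name is not None:
            names += self.users[p.name].groups
        return [self.groups[n] for n in names if n in self.groups]

    def allows_ssl_vpn(self, p: Optional[Principal]) -> bool:
        return p is not None and any(g.ssl_vpn for g in self.effective_groups(p))


def audit_default_group(edge: Edge) -> List[str]:
    """The workaround as a check: list every privilege granted to the "default" group."""
    default = edge.groups.get("default")
    if default is None:
        return []
    return [name for name in ("ssl_vpn", "admin") if getattr(default, name)]


def build_edge(default_ssl_vpn: bool) -> Edge:
    # Constructed sample configuration: one real user in a VPN group.
    return Edge(
        users=[User("alice", "s3cret-example", groups=["vpn-users"])],
        groups=[Group("default", ssl_vpn=default_ssl_vpn), Group("vpn-users", ssl_vpn=True)],
    )


if __name__ == "__main__":
    risky = build_edge(default_ssl_vpn=True)
    null_user = risky.vulnerable_login("not a valid username!", "")
    print("null user gets VPN when default has VPN:", risky.allows_ssl_vpn(null_user))
    print("default group findings:", audit_default_group(risky))
    safe = build_edge(default_ssl_vpn=False)
    print("null user gets VPN after workaround:",
          safe.allows_ssl_vpn(safe.vulnerable_login("not a valid username!", "")))
    print("hardened login with crafted name:", risky.hardened_login("not a valid username!", ""))
```

The point of the model is that the exposure is decided by configuration, not by the bug alone: with nothing granted to “default”, the null principal is a member of a group that permits nothing, which is exactly why the workaround works until 10.2.4 is installed.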
Solution Path:
Firebox X Edge System Software 10.2.4 fixes this vulnerability. You should download and install this new software update immediately.
FAQ:
Are any of WatchGuard’s other products affected?
No. To our knowledge, this authentication bypass vulnerability does not affect any other WatchGuard products. While the Firebox X Core and Peak devices use a similar authentication process, they do not suffer from this vulnerability.
What exactly is the vulnerability?
This is an authentication bypass vulnerability. If a remote attacker has access to your Firebox X Edge’s web-based authentication page, he can successfully authenticate to your Edge without valid user credentials. If you’ve configured the Edge’s “default” user group to allow SSL VPN access, any anonymous attacker could leverage this vulnerability to gain unauthorized access to your internal network. The authentication bypass vulnerability is present in Firebox X Edge devices running System Software version 10.2.3 and earlier. The authentication bypass flaw is NOT present in Firebox X Core and Peak class devices.
How serious is the vulnerability?
It is very serious. Depending on your configuration, successful exploitation could allow a remote, anonymous attacker unrestricted access to your protected network through a VPN tunnel. While the attacker would not gain control of the Firebox via this vulnerability, he could leverage his VPN access to directly attack your internal computers, unfettered from the Edge’s firewall policies.
Other than installing the hotfix, is there a workaround?
Yes. An attacker can only leverage this vulnerability if you’ve added additional privileges to your Edge’s “default” user group, or created any policies using the “default” user group. As long as you haven’t allowed any VPN access for the “default” user group, an attacker exploiting this authentication bypass vulnerability gains no additional access to your network.
To see whether or not you’ve added any privilege to the “default” user group, go to your Edge’s web-based management pages and click Firebox Users. Scroll down to Local Group Accounts and edit the “default” group account. Make sure to uncheck all the VPN settings, and ensure that you haven’t given the “default” user group administrative access to the Edge. If you previously relied on the “default” user group to give all your users VPN access, you can either create a new group comprised of your individual users and grant that group VPN access, or, you can add the VPN access to each user account manually.
Where can I go to get the hotfix?
The hotfix is currently available via the software download center on WatchGuard’s web site, labeled as Edge 10.2.4.
How was this vulnerability discovered?
This vulnerability was discovered by Thomas Martinkewitz and confidentially reported to WatchGuard. We thank Mr. Martinkewitz for working with us to keep our customers secure.
Do you have any indication that this vulnerability is being exploited in the wild?
No, at this time we have no indication that the vulnerability is being exploited in the wild.