SecurityTracker.com

Category:  Device (Encryption/VPN)  >  Firebox Series (WatchGuard)
Vendors:  WatchGuard
WatchGuard Firebox VPN Management Function Can Be Crashed By Remote Users Sending Malformed Packets
SecurityTracker Alert ID:  1004729
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jul 9 2002
Impact:  Denial of service via network
Fix Available:  Yes
Exploit Included:  Yes
Vendor Confirmed:  Yes
Advisory:  KPMG
Version(s): Firmware 5.x.x
Description:  KPMG reported a denial of service vulnerability in WatchGuard Firebox in the Dynamic VPN Configuration Protocol (DVCP) service. A remote user can cause the DVCP service to crash.

It is reported that a remote user can send specially crafted packets to the DVCP service on TCP port 4110 to cause WatchGuard's proprietary DVCP VPN management daemon to crash. To trigger the vulnerability, the remote user must send between 1 and 400 packets of tab characters, followed by a CRLF.

After the service has crashed, the device must be rebooted for the DVCP service to return to normal operations.

Impact:  A remote user can cause the DVCP service to crash. A reboot is required to return to normal operations.
Solution:  The vendor has released a fixed version (6.x), available at WatchGuard's LiveSecurity website. If you are not a subscriber to the LiveSecurity service, contact the vendor for assistance.
Vendor URL:  www.watchguard.com/
Cause:  Exception handling error
Reported By:  Peter Grundl <pgrundl@kpmg.dk>
Message History:   None.
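
Detection sketch for the pattern described above, added here as an example (it is not part of the SecurityTracker alert or the KPMG advisory): it flags flows to TCP port 4110 whose data is nothing but tab characters up to a CRLF. The record layout, function names and sample segments are assumptions constructed for illustration, as is the reading that the CRLF ends the tab-only stream.

```python
from collections import defaultdict

DVCP_PORT = 4110  # DVCP listener port named in the advisory

# Constructed sample input: (src, dst, dst_port, payload) per TCP segment,
# in arrival order. Addresses are documentation ranges, payloads are made up.
SAMPLE_SEGMENTS = [
    ("198.51.100.7", "192.0.2.1", 4110, b"\t" * 64),
    ("198.51.100.7", "192.0.2.1", 4110, b"\t" * 64),
    ("198.51.100.7", "192.0.2.1", 4110, b"\t\t\r\n"),
    ("203.0.113.20", "192.0.2.1", 4110, b"HELLO\tclient\r\n"),
    ("203.0.113.9", "192.0.2.1", 443, b"\t\t\t\r\n"),
    ("198.51.100.99", "192.0.2.1", 4110, b"\t" * 10),
]


def classify(payloads):
    """Classify one flow: 'match', 'partial' (tabs only, no CRLF yet) or 'clean'."""
    stream = b"".join(payloads)
    end = stream.find(b"\r\n")
    # A trailing lone CR may be the first half of a CRLF split across segments.
    body = stream.rstrip(b"\r") if end == -1 else stream[:end]
    if not body or body.strip(b"\t"):
        return "clean"  # empty line, or something other than tabs before the CRLF
    return "partial" if end == -1 else "match"


def detect(segments, port=DVCP_PORT):
    """Group segments by (src, dst) on the DVCP port and report suspicious flows."""
    flows = defaultdict(list)
    for src, dst, dport, payload in segments:
        if dport == port and payload:
            flows[(src, dst)].append(payload)
    findings = []
    for (src, dst), payloads in flows.items():
        verdict = classify(payloads)
        if verdict != "clean":
            findings.append({"src": src, "dst": dst, "verdict": verdict,
                             "segments": len(payloads),
                             "tab_bytes": b"".join(payloads).count(b"\t")})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_SEGMENTS):
        print(finding)
```

A "partial" verdict is worth alerting on as well, since the advisory allows the tabs to arrive over many packets before the CRLF.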


 Source Message Contents

Date:  Tue, 9 Jul 2002 14:57:54 +0200
From:  Peter Gründl <pgrundl@kpmg.dk>
Subject:  [VulnWatch] KPMG-2002030: Watchguard Firebox Dynamic VPN Configuration Protocol DoS

 

--------------------------------------------------------------------

Title: Watchguard Firebox Dynamic VPN Configuration Protocol DoS

BUG-ID: 2002030
Released: 9th Jul 2002
--------------------------------------------------------------------

Problem:
========
A malicious user can crash the Dynamic VPN Configuration Protocol
service (DVCP) by sending a malformed packet to the listener service
on TCP port 4110.


Vulnerable:
===========
- Watchguard Firebox firmware v5.x.x

Not Vulnerable:
===============
- Watchguard Firebox firmware v6.0.b1140


Product Description:
====================
Quoted from the vendor webpage:

"The WatchGuard® Firebox System is a powerful security solution that
 gives small and medium sized businesses, central offices, and VPN
 hubs integrated firewall protection and VPN support."

"About DVCP
 DVCP is a WatchGuard client server protocol that securely transmits
 IPSec VPN configuration information to WatchGuard Fireboxes. Network
 administrators use WatchGuard software to define each configuration
 aspect of the VPN, such as encryption algorithms and how often keys
 will be negotiated, then the settings are stored on a centrally
 located DVCP Server. When a Firebox is installed and initialized with
 software and instructions, a software client on the Firebox contacts
 the central DVCP server to obtain IPSec policy information using a
 secure protocol."


Details:
========
The DVCP service can be crashed using anywhere between 1 and 400
packets of tab characters, followed by a CRLF. The firewall needs to
be rebooted for the DVCP service to function again.


Vendor URL:
===========
You can visit the vendor webpage here: http://www.watchguard.com


Vendor response:
================
The vendor was notified on the 8th of May, 2002. On the 23rd of
May, 2002 the vendor notified us that the issue would be resolved
in the next version (6.x). On the 9th of July we verified that
the problem was resolved in the new firmware version.


Corrective action:
==================
Upgrade to firmware version 6.x, available at the livesecurity
website. If you are not a subscriber to the livesecurity service,
please contact Watchguard support for further assistance.



Authors:
Andreas Sandor (asandor@kpmg.dk)
Peter Gründl (pgrundl@kpmg.dk)

--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be
liable for any consequences whatsoever arising out of or in connection
with the use or spread of this information.
--------------------------------------------------------------------



 



Copyright 2002, SecurityGlobal.net LLC