Watchguard Fireware SSL-VPN Vulnerability
Six months ago I discovered a huge vulnerability in the Watchguard SSL-VPN implementation. The consequences are quite important as, if exploited correctly, it is possible to perform arbitrary code execution on the victim's machine.
For six months now I've been in contact with 'someone' from the Watchguard security team. He has promised me many times a date when the fix will be released. I'm still waiting for it...
In his last mail he said the fix was committed to the beta-team and I was going to be added to the beta-testers-list so I could try it out and play around with it. I'm still waiting to be added...
- I informed them privately of two important vulnerabilities.
- I agreed to keep the details about the fixed problem confidential as a courtesy.
- I have kept waiting for 6 months, with many beautiful promises about a fix and access to the beta.
- I don't ask any money for these reports.
For ethical reasons I will not publish the full disclosure without the fix. But next time I find a leak in their products I might start thinking about selling it to the highest bidder.
PS: This is not related to this other problem that has already been fixed.
Edit: Mark told me another way, one that gives less of a blackmailing feeling. It's kindly requesting the company to make a donation to a charity before giving them the information about the vulnerability in private. I think I'll do that next time.
Edit 2: Watchguard released a new version, v10.2.3, fixing this huge problem. Quote from the release notes:
The Mobile VPN with SSL client and gateway now protect against "Man in the Middle" attacks. The Mobile VPN with SSL gateway generates a self-signed x.509 certificate when an IP address is assigned to the external interface of the Firebox. This certificate is presented by the gateway the first time a v10.2.3 client connects. Because the certificate is self-signed, a warning message about an “un-trusted” certificate is presented to the user the first time they connect to the Firebox. The user is given the option to confirm the certificate as trusted and save the certificate locally. Accepting the certificate as “trusted” allows the SSL client to warn the user if the certificate changes to alert the user of a possible Man in the Middle attack. [27304].
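The trust-on-first-use check those release notes describe, sketched as an added example; it is not Watchguard's code and not part of the original post. The `PinStore` class, the JSON pin file, the gateway name and the certificate bytes are all constructed for illustration.

```python
import hashlib
import hmac
import json
import os
import tempfile

def fingerprint(cert_der):
    # SHA-256 over the DER encoding of the certificate the gateway presented.
    return hashlib.sha256(cert_der).hexdigest()

class PinStore:
    """Trust-on-first-use store: one saved fingerprint per gateway address."""
    def __init__(self, path):
        self.path, self.pins = path, {}
        if os.path.exists(path):
            with open(path) as fh:
                self.pins = json.load(fh)

    def _save(self):
        # Write a temp file and rename it, so a crash cannot truncate the store.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
        with os.fdopen(fd, "w") as fh:
            json.dump(self.pins, fh)
        os.replace(tmp, self.path)

    def check(self, gateway, cert_der, confirm):
        """Return 'pinned', 'rejected', 'trusted' or 'changed'."""
        seen = fingerprint(cert_der)
        saved = self.pins.get(gateway)
        if saved is None:
            # First connection: a self-signed cert has no chain to validate,
            # so the user is shown the fingerprint and decides.
            if not confirm(gateway, seen):
                return "rejected"
            self.pins[gateway] = seen
            self._save()
            return "pinned"
        if hmac.compare_digest(saved, seen):
            return "trusted"
        # Certificate differs from the saved one: warn, never re-pin silently.
        return "changed"

# Constructed stand-ins for DER certificate bytes (not real certificates).
GATEWAY_CERT = b"constructed-der: firebox self-signed certificate"
OTHER_CERT = b"constructed-der: certificate from a different key"

def demo(path):
    # First connect, reconnect, then a connect where the cert was swapped.
    certs = (GATEWAY_CERT, GATEWAY_CERT, OTHER_CERT)
    return tuple(PinStore(path).check("vpn.example.test", c, lambda g, f: True)
                 for c in certs)
```

The first connection is still the weak point: the pin only helps if the user compares the displayed fingerprint against one obtained out of band before accepting it.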





Mark reminded me there is also another solution: Ask them to make a donation to a charity before giving them the information about the vulnerability.
I think I'll do that next time.