Operational Defect Database

BugZero found this defect 1446 days ago.

WatchGuard Technologies | kA10H000000bofFSAQ

IPS rule 1136944 incorrectly denies RDP traffic over VPN

Last update date:

6/4/2020

Affected products:

Firebox M200

Firebox M300

Firebox M270

Firebox M370

Firebox M470

Firebox M570

Firebox M670

Firebox M290

Firebox M390

Firebox M400

Firebox M500

Firebox M440

Affected releases:

All

Fireware

11.x

11.1.x

11.10.x

11.10

11.10.1

11.10.2

11.10.3

11.10.4

11.10.5

11.10.6

Fixed releases:

All

Description:

Issue

In version 4.1048 of the Application Control/IPS signatures, IPS rule 1136944 causes a false positive which denies RDP traffic over a VPN tunnel. A message similar to this appears in the traffic logs:

2020-06-03 08:09:00 Deny rdp/tcp 56437 3389 3-WiFi 1-Trusted IPS detected 85 127 proc_id="firewall" rc="301" msg_id="3000-0150" tcp_info="offset 5 A 1682617796 win 1" signature_name="RDP Microsoft Remote Desktop Services Remote Code Execution Vul" signature_cat="Buffer Over Flow" signature_id="1136944" severity="3" Traffic
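A log-triage sketch for the message above, added here as an example and not WatchGuard or BugZero code: it finds denies logged for signature 1136944 in exported traffic-log lines and splits them around the time the signature set was updated, so any deny that still appears afterwards stands out. The `updated_at` cutover time and every sample line except the first (which is the one quoted in this record) are constructed assumptions.

```python
import re
from datetime import datetime

SIGNATURE_ID = "1136944"  # IPS rule named in this defect record
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
LINE_RE = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.*)")

def parse_line(line):
    """Return (timestamp, positional tokens, key="value" fields) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not a traffic-log line in the format shown above
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    rest = m.group(2)
    first_kv = FIELD_RE.search(rest)
    head = rest[: first_kv.start()] if first_kv else rest
    return ts, head.split(), dict(FIELD_RE.findall(rest))

def false_positive_denies(lines, updated_at):
    """Split denies for SIGNATURE_ID into (before, after) the update time."""
    before, after = [], []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, head, fields = parsed
        if "Deny" not in head or fields.get("signature_id") != SIGNATURE_ID:
            continue
        bucket = after if ts >= updated_at else before
        bucket.append((ts, fields.get("signature_name")))
    return before, after

SAMPLE = [
    # Line quoted in this record:
    '2020-06-03 08:09:00 Deny rdp/tcp 56437 3389 3-WiFi 1-Trusted IPS detected 85 127 '
    'proc_id="firewall" rc="301" msg_id="3000-0150" tcp_info="offset 5 A 1682617796 win 1" '
    'signature_name="RDP Microsoft Remote Desktop Services Remote Code Execution Vul" '
    'signature_cat="Buffer Over Flow" signature_id="1136944" severity="3" Traffic',
    # Constructed lines: an allowed flow, a deny for a placeholder signature, noise.
    '2020-06-03 08:10:12 Allow rdp/tcp 56440 3389 3-WiFi 1-Trusted proc_id="firewall"',
    '2020-06-03 08:11:30 Deny rdp/tcp 56441 3389 3-WiFi 1-Trusted IPS detected '
    'proc_id="firewall" signature_id="0000000" severity="3"',
    'not a log line',
]

if __name__ == "__main__":
    # Constructed cutover: the time the updated signature set was installed.
    before, after = false_positive_denies(SAMPLE, datetime(2020, 6, 4))
    print(f"{len(before)} deny(s) before update, {len(after)} after")
```

An empty second list after the update and reboot is the result to look for; entries there mean the rule is still denying traffic.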

Workaround/Solution

Install version 4.1052 of the IPS signatures:

If you have automatic signature updates enabled, version 4.1052 will install automatically.

If you do not have automatic signature updates enabled, update IPS signatures manually. For more information, see Subscription Services Status and Manual Signatures Updates in Fireware Help.

After version 4.1052 is installed, reboot the Firebox.

Status

Resolved
