Operational Defect Database

WatchGuard Technologies | kA10H000000g3UWSAY

IKED process crash from malformed packets

Last update date:

5/8/2017

Affected products:

Firebox M200

Firebox M300

Firebox M270

Firebox M370

Firebox M470

Firebox M570

Firebox M670

Firebox M290

Firebox M390

Firebox M400

Firebox M500

Firebox M440

Affected releases:

All

Fireware

11.x

11.11.x

11.11

11.11.1

11.11.2

11.11.4

11.12.x

11.12

11.12.1

11.12.2

Fixed releases:

v11.12.2 Update 1

Description:

Issue

On 1 May 2017, WatchGuard began to receive reports of IKED, the process that handles IPSec VPN tunnels, crashing on Firebox and XTM appliances running Fireware v11.11 and higher. WatchGuard engineering began an immediate investigation to identify the root cause. Ultimately, we found that the crash was triggered while handling malformed IKEv2 SA packets sent by a research institute. When the IKED process crashes, IPSec Branch Office VPNs and Mobile VPNs with IPSec restart. Additionally, if the Firebox is part of a FireCluster, a failover event occurs.

WatchGuard contacted the research institute and worked with them to remove the malformed IKEv2 SA packet from their scanning script. Additionally, WatchGuard has modified the IKE SA validation process on the Firebox to drop malformed packets in the Fireware v11.12.2 Update 1 release.

Workaround/Solution

Administrators can add the source of the malformed IKEv2 SA packets (158.130.6.191) to the Blocked Sites list on the Firebox. See the product documentation for instructions on how to add an IP address to the Blocked Sites list.

Status

Resolved
