Operational Defect Database
BugZero found this defect 2028 days ago.
Data sources
All data on this page is proprietary to BugZero® or gathered from public sources
WatchGuard Technologies | kA10H000000g3aUSAQ
Mapping of local domain names to IP addresses unintentionally exposed to hosts on internal networks
Last update date:
11/7/2018
Affected products:
Firebox M200
Firebox M300
Firebox M270
Firebox M370
Firebox M470
Firebox M570
Firebox M670
Firebox M290
Firebox M390
Firebox M400
Firebox M500
Firebox M440
Affected releases:
All
Fireware
12.x
12.1.x
12.1.1
12.1.3
12.2.x
Fixed releases:
All
Description:
Issue
In Fireware v12.1.1, v12.1.3, or v12.2, if you have DNSWatch enforcement enabled, and if you enable DNS Forwarding on an interface, users on other interfaces for which DNS Forwarding is not enabled could learn how local domain names are mapped to local IP addresses on your network. Malicious users could gather this information to map your network. For example, your network has this configuration: Your Firebox is configured with more than one internal networkNetwork A on the eth1 interface is a trusted network used by company employeesNetwork B on the eth2 interface is a less trusted network such as a wireless guest hotspot or an optional network used as a DMZA local DNS server is on eth1DNS Forwarding is enabled on eth1 only and there are rules for local domains definedDNSWatch is enabled and enforced on all interfacesA computer on eth1 is configured to use the local DNS server through DHCPA computer on eth2 is configured to use a public DNS server through DHCP A user on eth2 could send queries to the local DNS server on eth1 and receive replies. For example, the user could try to guess a local domain name or configure DNS queries to be sent to the Firebox IP address. These queries are sent to the local DNS server on eth1 instead of to DNSWatch.
Workaround/Solution
This issue was resolved in Fireware v12.2.1. In Fireware v12.2.1 or higher, for the configuration example in this article,queries by computers on eth2 for local resources on eth1 are forwarded to DNSWatch where the query fails.
