Operational Defect Database

BugZero found this defect 156 days ago.

WatchGuard Technologies | kA16S000000bz5WSAQ

Traffic from access points managed in WatchGuard Cloud trigger Firebox IPS

Last update date:

12/21/2023

Affected products:

Firebox M200

Firebox M300

Firebox M270

Firebox M370

Firebox M470

Firebox M570

Firebox M670

Firebox M290

Firebox M390

Firebox M400

Firebox M500

Firebox M440

Affected releases:

All

Fireware

11.x

11.1.x

11.10.x

11.10

11.10.1

11.10.2

11.10.3

11.10.4

11.10.5

11.10.6

Fixed releases:

v18.296 and v4.1452

Description:

Issue

Traffic from access points managed by WatchGuard Cloud is triggering IPS signature ID "1232163" on WatchGuard Fireboxes with IPS (Intrusion Prevention Service) enabled. This recent signature protects against the vulnerability "WEB cURL and libcurl HTTP Response Headers Parsing Resource Exhaustion -2 (CVE-2023-38039) state 0".

In the logs, you will see an entry similar to the following:

2023-12-15 12:56:16 Deny 172.20.0.202 142.251.33.99 http/tcp 36100 80 Trusted 64-External IPS detected 112 64 (HTTP-proxy-00) proc_id="firewall" rc="301" msg_id="3000-0150" src_ip_nat="203.0.113.136" tcp_info="offset 5 A 2749013571 win 62977" signature_name="WEB cURL and libcurl HTTP Response Headers Parsing Resource Exhaustion -2 (CVE-2023-38039) state 0" signature_cat="Web threats" signature_id="1232163" severity="3" sig_vers="18.295" geo_dst="USA"

Workaround/Solution

This traffic from the access point is a basic connectivity check to a Google domain. You can safely ignore it, or you can create an exception for the signature until the issue is resolved. WatchGuard is working with the signature vendor to correct or remove the signature because it might affect all devices that use libcurl.

To create a signature exception in IPS, go to Configure IPS Exceptions in Help Center. To configure IPS signature updates, go to Configure IPS Update Server in Help Center.
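A triage sketch for the log entry quoted above, added here as an example and not WatchGuard's or BugZero's code: it parses Firebox IPS deny entries and separates hits that match this known false positive from hits on signature 1232163 that still need review. The access point inventory is constructed, and treating the "Fixed releases" values as comparable to the sig_vers field is an assumption.

```python
import re

SIGNATURE_ID = "1232163"  # signature ID from the article
# Assumption: the "Fixed releases" values are signature-set versions comparable to sig_vers.
FIXED_SIG_VERS = {18: 296, 4: 1452}
# Constructed access point inventory (hypothetical; replace with your own AP addresses).
AP_ADDRESSES = {"172.20.0.202"}
# Log entry quoted in the article.
PAGE_LINE = (
    '2023-12-15 12:56:16 Deny 172.20.0.202 142.251.33.99 http/tcp 36100 80 Trusted 64-External '
    'IPS detected 112 64 (HTTP-proxy-00) proc_id="firewall" rc="301" msg_id="3000-0150" '
    'src_ip_nat="203.0.113.136" tcp_info="offset 5 A 2749013571 win 62977" '
    'signature_name="WEB cURL and libcurl HTTP Response Headers Parsing Resource Exhaustion -2 '
    '(CVE-2023-38039) state 0" signature_cat="Web threats" signature_id="1232163" '
    'severity="3" sig_vers="18.295" geo_dst="USA"'
)

HEAD = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<action>\w+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<proto>\S+) (?P<sport>\d+) (?P<dport>\d+) "
)
PAIR = re.compile(r'(\w+)="([^"]*)"')

def parse_ips_entry(line):
    """Return positional header fields plus key="value" fields, or None if not an IPS entry."""
    head = HEAD.match(line)
    if head is None or "IPS detected" not in line:
        return None
    entry = head.groupdict()
    entry.update(PAIR.findall(line))
    return entry

def signature_set_is_fixed(sig_vers):
    """True when sig_vers is at or past the fixed version for its major number."""
    try:
        major, minor = (int(part) for part in sig_vers.split("."))
    except ValueError:
        return False
    return major in FIXED_SIG_VERS and minor >= FIXED_SIG_VERS[major]

def classify(line, ap_addresses=AP_ADDRESSES):
    """Label one log line: not-ips, other, review, or known-false-positive."""
    entry = parse_ips_entry(line)
    if entry is None:
        return "not-ips"
    if entry.get("signature_id") != SIGNATURE_ID:
        return "other"
    # Only an access point's HTTP connectivity check matches what the article describes.
    from_ap = entry["src"] in ap_addresses and entry["dport"] == "80"
    if from_ap and not signature_set_is_fixed(entry.get("sig_vers", "")):
        return "known-false-positive"
    return "review"
```

Anything labelled "review" is a hit on the same signature from a host that is not a listed access point, or one logged after the corrected signature set was installed, so it should not be dismissed on the strength of this article.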

Status

Resolved
