WatchGuard has been caught doing what a lot of first-timers to access control have done — simply hashing passwords as a means of implementing security — but perhaps all isn't that bad in the world.
Information security researcher Jérôme Nokin, who runs a blog on all the fun things you can do over IP, found that WatchGuard's firewall appliances are taking a bit of a shortcut when it comes to storing passwords.
It's the typical mistake of recognising that storing plain text passwords is a big no-no, but not going any further than simply hashing the password. In WatchGuard's case, it had been performing an NTLM hash of the password and that's it.
Some might recognise NTLM as being part of Microsoft's old security protocol suite that, these days, is no longer recommended by Redmond because it is so outdated. As Nokin also learned, an NTLM hash is simply the password converted to Unicode, then MD4 applied to it.
Microsoft is right to shun NTLM, as in 1995, Hans Dobbertin demonstrated that using a Pentium processor (which has far less processing power than can be found in a smartphone today), he could break MD4 in a matter of seconds.
His paper (PDF) on the cryptanalysis of the algorithm stated, "Where MD4 is still in use, it should be replaced!" The exclamation mark is his, despite this being in a paper submitted to the Journal of Cryptography. That's how strongly he felt about it.
Yet, here we are almost two decades later, and MD4 is still hanging around like a bad smell.
I said earlier that perhaps this isn't all that bad, and there's a good reason for it. The credentials that Nokin broke aren't actually for the management of the firewall appliance itself. As WatchGuard's director of security strategy and research Corey Nachreiner pointed out, they're used for an entirely different, and optional, purpose.
"Our devices offer the ability for you to create policies by user, not just by IP address. To do this, you have to set up authentication. In most cases, users choose to authenticate with their own internal Active Directory, LDAP, or Radius authentication server, in which case we don't store any credentials. However, we also offer the local FireboxDB database for small customers who don't have their own authentication server."
And the file that contains these credentials is only really accessible if you've gained access to the device itself.
"The configuration file is normally saved to the laptop/PC of the person who already knows the password anyway. Best practice would ensure that administrators take protective measures to stop unauthorised access to the WatchGuard management computer anyway, including complex passwords and the latest Microsoft authentication protocols. Communication between the management PC and the WatchGuard is secured with AES encryption, so even the hashed password is only used with encryption and cannot be 'sniffed'," a WatchGuard spokesperson told ZDNet.
Nachreiner also argued that although NTLM is showing its age, sufficiently strong passwords should offer reasonable protection. He defines a strong password as one that is a complex combination of 12 characters or more.
A strong password is the critical factor here, because as recently as December last year, Stricture Consulting Group CEO and security researcher Jeremi Gosney demonstrated that a specialised hash-cracking rig (PDF) could churn through 348 billion NTLM hashes per second. If only lower-case characters were used (thus breaking the complexity requirement), a password of up to 12 characters in length could take a few days to brute-force. Granted, not everyone has a 25-GPU setup like Gosney, but Nokin claims he was able to run through 12.7 billion hashes per second on his own dual-GPU setup. A poorly constructed password susceptible to a dictionary attack will be easily broken.
Yes, the use of NTLM was a pretty dumb move, but, lucky for WatchGuard, I'd argue that the level of protection matches the risk. Nachreiner put it best when he said, "If an attacker already has enough access to the administrator machine you use to manage your network security appliance, you already have bigger problems." And lastly, had an administrator picked good passwords to begin with, this would still be a non-issue.
Nevertheless, WatchGuard's engineers are now looking at implementing Dobbertin's advice from 1995 and Microsoft's recommendation by getting rid of NTLM/MD4 and replacing it with something more suitable.
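As an added illustration (not code from WatchGuard, Nokin or the original article), the Python below implements the NTLM construction described above, MD4 over the UTF-16LE-encoded password with no salt, next to a salted PBKDF2 record, and estimates worst-case exhaustive-search time at the two hash rates quoted. PBKDF2-HMAC-SHA256, the 600,000-iteration default and all function names are assumptions chosen for the example; the article does not say what WatchGuard will adopt.

```python
import hashlib, hmac, os, struct
MASK = 0xFFFFFFFF
# Per-round (boolean function, constant, message-word order, rotations) from RFC 1320.
ROUNDS = (
    (lambda b, c, d: (b & c) | (~b & d), 0, list(range(16)), (3, 7, 11, 19)),
    (lambda b, c, d: (b & c) | (b & d) | (c & d), 0x5A827999,
     [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
    (lambda b, c, d: b ^ c ^ d, 0x6ED9EBA1,
     [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
)

def md4(data: bytes) -> bytes:
    """Pure-Python MD4; hashlib often lacks it on current OpenSSL builds."""
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for f, const, order, rot in ROUNDS:
            for i, k in enumerate(order):
                t = (a + f(b, c, d) + x[k] + const) & MASK
                s = rot[i % 4]
                a, b, c, d = d, ((t << s) | (t >> (32 - s))) & MASK, b, c
        state = [(h + v) & MASK for h, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> str:
    """The scheme the article describes: MD4 over the UTF-16LE password, no salt."""
    return md4(password.encode("utf-16-le")).hex()

def salted_record(password: str, iterations: int = 600_000) -> tuple:
    """Assumed replacement (not WatchGuard's stated choice): salted PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, dk

def verify(password: str, record: tuple) -> bool:
    salt, iterations, dk = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, dk)

def worst_case_days(charset: int, max_len: int, hashes_per_sec: float) -> float:
    """Days to exhaust every password of 1..max_len characters at a given rate."""
    keyspace = sum(charset ** n for n in range(1, max_len + 1))
    return keyspace / hashes_per_sec / 86400

if __name__ == "__main__":
    print(nt_hash("password") == nt_hash("password"))  # True: same password, same hash
    print([round(worst_case_days(26, 12, r), 1) for r in (348e9, 12.7e9)])  # article's rates
```

Because the NTLM value carries no salt, two accounts with the same password store the same hash and every candidate guess can be checked against all stored hashes at once; the salted, iterated record removes both properties.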