WatchGuard firewall exploit threatens appliance takeover

WatchGuard has patched several vulnerabilities in two main firewall brands that have been rated between medium and critical severity.

In combination, two of the flaws allowed Ambionics security engineer Charles Fol to obtain pre-authentication remote root on every WatchGuard Firebox or XTM appliance.

Both the Firebox and XTM ranges were implicated earlier this year in a number of hacking attacks, with Russian state-sponsored threat actor Sandworm abusing a privilege escalation flaw in order to build a botnet called Cyclops Blink that was taken down in April. Over a four-month period, WatchGuard released three firmware updates, patching a number of critical vulnerabilities.

And, by coincidence, said Fol, this is when he started looking for exploitable bugs in firewalls for a red team engagement. He found five in the WatchGuard products, of which two were patched during his research, which is documented in a write-up published earlier this week.

The three remaining flaws were a blind XPath injection, allowing him to retrieve the configuration of a device, including master credentials; an integer overflow, which allowed an attacker to execute malicious code on remote appliances; and a third vulnerability that made it possible to escalate privileges from a low-privilege user to root.
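As an added illustration (not code from the article, from Fol's write-up, or from WatchGuard), the Python below shows how an XPath injection of the kind described arises and the two defensive fixes a code reviewer would look for: the query shape `//user[name=...]`, the function names and the username allowlist are assumptions made for this example, not details of the affected product.

```python
"""Added example (hypothetical code, not WatchGuard's): an XPath lookup built
from untrusted input, and two ways to harden it."""
import re


def naive_user_xpath(username: str) -> str:
    """Vulnerable pattern: the untrusted value is pasted straight into the
    query, so a quote character in it changes the structure of the predicate
    instead of being part of the compared string."""
    return f"//user[name='{username}']"


# Fix 1: allowlist the input. Only the characters a username legitimately
# needs are accepted; quotes, brackets and operators never reach the query.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")


def validate_username(username: str) -> str:
    """Return the username unchanged if it matches the allowlist, else raise."""
    if not _USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return username


# Fix 2: emit the value as a safe XPath 1.0 string literal. XPath 1.0 has no
# escape sequence inside string literals, so a value containing both quote
# kinds has to be split across concat() arguments.
def xpath_literal(value: str) -> str:
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join(f"'{p}'" for p in parts) + ")"


def safe_user_xpath(username: str) -> str:
    """Hardened lookup: the value can only ever be compared as a string."""
    return f"//user[name={xpath_literal(username)}]"


if __name__ == "__main__":
    # Constructed sample input: a classic tautology payload.
    sample = "alice' or '1'='1"
    print("naive :", naive_user_xpath(sample))   # predicate now always true
    print("safe  :", safe_user_xpath(sample))    # whole payload is one string
    try:
        validate_username(sample)
    except ValueError as exc:
        print("allowlist rejected input:", exc)
```

Either fix on its own closes the hole; using both gives defence in depth, since the allowlist also limits what an attacker can probe blindly and the literal quoting protects any code path the allowlist does not cover.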

Complete access as root

“By combining the two latter, a remote, unauthenticated attacker can get complete access to the firewall system as a super user, or root,” Fol told The Daily Swig.

“This is the worst possible impact. He or she can now read or change the configuration, intercept traffic, et cetera.

“The first one, in some cases, allows an attacker to obtain the master credentials of the authentication servers, and possibly use this to connect as an administrator on the firewall.”

Fol believes that fewer WatchGuard users now have their administration interface exposed on the internet, thanks to the many security alerts that were being generated at the time of his research, including those relating to Cyclops Blink.

However, he said, “the first vulnerability – XPath – is reachable through the standard, client interface, and as such is much more likely to be exposed; a quick Shodan search revealed around 350,000 instances.”

He advises users to remove their administration interface from the internet, and make sure they keep their systems up to date.

Fol said he reported the vulnerabilities at the end of March, and received a quick response. A month later, WatchGuard’s security team confirmed that a patch would be available on June 21.

Overall, he said, the disclosure was a “great, respectful process”.

Source: https://portswigger.net/daily-swig/watchguard-firewall-exploit-threatens-appliance-takeover

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO