WatchGuard Firewall Exploit Threatens Appliance Takeover

Users are advised to remove their administration interface from the internet, and make sure they keep their systems up to date.

 

WatchGuard has fixed multiple vulnerabilities in two major firewall brands, ranging in severity from medium to critical. Two of the flaws, when combined, permitted Ambionics security engineer Charles Fol to gain pre-authentication remote root on any WatchGuard Firebox or XTM appliance. 

Both the Firebox and XTM product lines were implicated in a number of hacking attacks earlier this year, with Russian state-sponsored threat actor Sandworm exploiting a privilege escalation vulnerability to build the Cyclops Blink botnet, which was shut down in April. 

WatchGuard released three firmware updates over a four-month period, patching a number of critical vulnerabilities.

Complete access as root

Fol told The Daily Swig, “By combining the two latter, a remote, unauthenticated attacker can get complete access to the firewall system as a super user, or root. This is the worst possible impact. He or she can now read or change the configuration, intercept traffic, et cetera. The first one, in some cases, allows an attacker to obtain the master credentials of the authentication servers, and possibly use this to connect as an administrator on the firewall.”

Fol believes that, as a result of the numerous security alerts issued during the course of his research, including those relating to Cyclops Blink, fewer WatchGuard users now have their administration interface exposed on the internet.

"The first vulnerability, XPath, is accessible through the standard, client interface, and as such is much more likely to be exposed; a quick Shodan search revealed around 350,000 instances," he said.

He recommends that users remove their administration interface from the internet and keep their systems up to date. Fol stated that he reported the flaws at the end of March and received a prompt response. A month later, the security team at WatchGuard confirmed that a patch would be available on June 21.
