


SIDERTIA BLOG

Fixed the Fireware Vulnerabilities discovered by Sidertia

Written by David Fernández - 17 April 2017

WatchGuard's Firebox and XTM are series of enterprise-grade network security appliances providing advanced security services such as next-generation firewall, intrusion prevention, malware detection and blocking, and others.

During a penetration test of the IT infrastructure of one of our clients, we discovered two vulnerabilities affecting the Web UI of Fireware, the operating system running on WatchGuard Firebox and XTM appliances. The Web UI, which is used to manage the device, hosts an XML-RPC interface that implements several endpoints accepting XML messages to access different functions of the device (login, ping and others). No authentication on the Web UI is needed to exploit either of the flaws discovered.


XML-RPC External Entity Expansion DoS


Versions Affected

Fireware v11.9 was found to be vulnerable, and the vendor confirmed that v11.12 Update 1 (the latest version when we reported the issue) was vulnerable as well.


CVE Reference

As far as we know, no CVE has been requested for this vulnerability. The vendor assigned internal ID 92867 to the vulnerability and will release a knowledge base article following this advisory.


Vendor Fix

The vendor fixed the vulnerability in its v11.12.2 release.


Vulnerability Type

Denial of service.


Description

While attempting to abuse the XML parser of the interface by means of External Entity Expansion (XXE) attacks, we discovered that after repeated attempts the XML-RPC agent crashes, causing a severe disruption in the functionality and performance of the device.


Impact

On Fireware v11.9, after a modest number of injection attempts, the XML-RPC agent (wgagent) crashes and is not able to recover. This locks out the Web UI, which remains unavailable for ten minutes, making it impossible to manage the firewall. In addition, it causes either a service interruption or a serious degradation in performance for connections traversing the firewall (for example, RDP clients were unable to connect or connected in slow connection mode).

On Fireware v11.12 Update 1, the agent recovers correctly after each crash, although when the XXE attacks are executed continuously the negative effects on the device are the same as those observed in v11.9.


Proof of concept

Below is an example of one of the requests that, after several attempts, causes a crash in the XML-RPC agent:
[Image: XML-RPC External Entity Expansion DoS]

A proof of concept tool exploiting the flaw and targeting v11.9 can be downloaded here.
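
A generic mitigation for this class of flaw is to refuse any DTD or entity declaration before a request reaches the XML-RPC dispatcher. The sketch below is an added example, not code from the advisory and not WatchGuard's fix; the size cap, the `login` method name and the sample bodies are assumptions constructed for illustration.

```python
import xml.parsers.expat

MAX_BODY = 64 * 1024  # assumed size cap for a management request


class RejectedXML(ValueError):
    """The body must not reach the XML-RPC dispatcher."""


def parse_method_name(body: bytes) -> str:
    """Return the methodName of an XML-RPC call, refusing DTDs and entities."""
    if len(body) > MAX_BODY:
        raise RejectedXML("body too large")
    path, name = [], []

    def forbid(*_args):
        # Fires on <!DOCTYPE>, <!ENTITY> and external entity references.
        raise RejectedXML("DTD and entity declarations are not accepted")

    def chars(data):
        # Collect text only from /methodCall/methodName.
        if path == ["methodCall", "methodName"]:
            name.append(data)

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.ExternalEntityRefHandler = forbid
    parser.StartElementHandler = lambda tag, attrs: path.append(tag)
    parser.EndElementHandler = lambda tag: path.pop()
    parser.CharacterDataHandler = chars
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError as exc:
        # Includes references to undefined entities when no DTD is present.
        raise RejectedXML(f"malformed XML: {exc}") from exc
    method = "".join(name).strip()
    if not method:
        raise RejectedXML("no methodName")
    return method


# Constructed sample bodies (not taken from the advisory).
BENIGN = b"<?xml version='1.0'?><methodCall><methodName>login</methodName></methodCall>"
WITH_DTD = (b"<?xml version='1.0'?><!DOCTYPE methodCall [<!ENTITY e 'x'>]>"
            b"<methodCall><methodName>&e;</methodName></methodCall>")
```

Rejecting at the first `<!DOCTYPE` means the parser never builds or expands an entity table, so repeated requests of this kind cost only a bounded read and an early abort.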


XML-RPC User Enumeration


Versions Affected

Fireware v11.9 was found to be vulnerable, and the vendor confirmed that v11.12 Update 1 (the latest version when we reported the issue) was vulnerable as well.


CVE Reference

As far as we know, no CVE has been requested for this vulnerability. The vendor assigned internal ID 92884 to the vulnerability and will release a knowledge base article following this advisory.


Vendor Fix

The vendor fixed the vulnerability in its v11.12.1 release.


Vulnerability Type

Information disclosure.


Description

When a login attempt with a blank password is made directly against the login endpoint of the XML-RPC interface, we discovered that the device's response differs between valid Web UI users and non-existing ones.


Impact

The flaw allows an attacker to enumerate existing users in the management interface of the device. The Web UI can use an internal database (Firebox-DB), Active Directory or a RADIUS server as its user repository, although this flaw was only tested authenticating against Firebox-DB.


Proof of concept

Below is a response for a login attempt with a blank password for an existing user in Firebox-DB:

[Image: XML-RPC User Enumeration]

A difference is observed in the response for a non-existing user:

[Image: XML-RPC User Enumeration]
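
One way a login endpoint can avoid the response difference described above: every failure cause, including a blank password for a valid user, takes the same code path and returns the same fault. This is an added example, not code from the advisory and not WatchGuard's fix; the user store, the fault shape and the `login` signature are assumptions.

```python
import hashlib
import hmac
import os

# Assumed fault shape; the point is that there is exactly one of them.
GENERIC_FAULT = {"faultCode": 401, "faultString": "authentication failed"}
ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed user store standing in for a local user database.
USERS = {"admin": make_record("constructed-sample-passphrase")}
# Dummy record so an unknown user costs the same hash computation as a known one.
DUMMY = make_record(os.urandom(16).hex())


def login(username: str, password: str) -> dict:
    """Return a session on success, otherwise one fault for every failure cause."""
    record = USERS.get(username)
    candidate = record if record is not None else DUMMY
    computed = hash_password(password, candidate["salt"])
    matches = hmac.compare_digest(computed, candidate["hash"])
    # No early return for blank passwords or unknown users: a separate branch
    # is where a distinguishable response or timing usually creeps in.
    if record is not None and matches and password != "":
        return {"session": os.urandom(16).hex()}
    return dict(GENERIC_FAULT)
```

A regression test that compares the full response for an existing and a non-existing user with a blank password catches a reintroduction of this flaw.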

