SIDERTIA BLOG

Fixed Fireware XXE DOS and stored XSS vulnerabilities discovered by Sidertia

Written by David Fernández - 18 September 2017

WatchGuard's Firebox and XTM are a series of enterprise-grade network security appliances providing advanced security services such as next-generation firewall, intrusion prevention, malware detection and blocking, and others.

During a penetration test of the IT infrastructure of one of our clients, two vulnerabilities were discovered affecting the Web UI of Fireware OS, the operating system running on WatchGuard Firebox and XTM appliances. The Web UI, which is used to manage the device, hosts an XML-RPC interface that implements several endpoints consuming XML messages to access different functions (login, ping and others). No prior authentication to the Web UI was needed to exploit either of the flaws discovered.

XML-RPC Empty Member DoS

Versions Affected

Fireware OS versions below v12.0 were found to be vulnerable. 

CVE Reference

The vendor assigned internal ID FBX-5312 to the vulnerability and will release a Knowledge Base article following this advisory.

Vendor Fix

The vendor fixed the vulnerability in its v12 release.

Description

If a login attempt is made against the XML-RPC interface with an XML message containing an empty member tag, the wgagent crashes, logging out any user with an open session in the UI. Repeating the failed login attempts continuously makes the device impossible to manage through the UI. It was not tested whether this flaw causes a lockout and degradation in connectivity similar to my previous CVE-2017-8056.

Proof of concept

Below is an example of the request that causes a crash in the XML-RPC wgagent:

[Image: Request_example]

XML-RPC Username Stored Cross Site Scripting

Versions Affected

Fireware OS versions below v12.0 were found to be vulnerable.

CVE Reference

The vendor assigned internal ID FBX-5313 to the vulnerability and will release a Knowledge Base article following this advisory.

Vendor Fix

The vendor fixed the vulnerability in its v12 release.

Description

When a failed login attempt is made to the login endpoint of the XML-RPC interface, if JavaScript code, properly encoded to be consumed by XML parsers, is embedded as the value of the user tag, the code will be rendered in the context of any logged-in user of the Web UI who visits the “Events” and “All” sections of “Traffic Monitor”. As a side effect, no further events will be visible in the Traffic Monitor until the device is restarted.

Proof of concept

[Image: Proof of concept]

[Image: Proof of concept 2]
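
A defensive sketch of the input handling and output encoding that the two descriptions above call for, added here as an example and not WatchGuard's or Sidertia's code. The XML-RPC message layout, the `login` method name, the `user` member name and the length limit are assumptions, and the sample messages are constructed.

```python
import html
import xml.etree.ElementTree as ET
MAX_USER_LEN = 64  # assumed limit, not a documented Fireware value

class BadRequest(ValueError):
    """Any message the handler should answer with a fault instead of processing."""

def parse_login_members(raw: bytes) -> dict:
    """Return {name: value} from the first <struct>, or raise BadRequest."""
    try:
        text = raw.decode("utf-8")  # strict: other encodings cannot hide a DTD
    except UnicodeDecodeError as exc:
        raise BadRequest("body is not UTF-8") from exc
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise BadRequest("DTDs are not accepted")
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        raise BadRequest(f"malformed XML: {exc}") from exc
    struct = root.find("./params/param/value/struct")
    if root.tag != "methodCall" or struct is None:
        raise BadRequest("not an XML-RPC call with a struct parameter")
    members = {}
    for member in struct.findall("member"):
        name, value = member.find("name"), member.find("value")
        # An empty <member/> has neither child: reject it rather than use None.
        if name is None or value is None or not (name.text or "").strip():
            raise BadRequest("empty or incomplete <member>")
        members[name.text.strip()] = "".join(value.itertext())
    return members

def event_row(members: dict) -> str:
    """HTML cell for a failed-login event; the user name is encoded at output."""
    user = members.get("user", "")[:MAX_USER_LEN]
    return f"<td>Login failed for user {html.escape(user, quote=True)}</td>"

def _msg(struct_body: str) -> bytes:
    """Build a constructed sample message (not captured traffic)."""
    body = f"<params><param><value><struct>{struct_body}</struct></value></param></params>"
    return f"<methodCall><methodName>login</methodName>{body}</methodCall>".encode()

OK_MSG = _msg("<member><name>user</name><value><string>admin</string></value></member>")
EMPTY_MEMBER_MSG = _msg("<member/>")
# XML entities decode to raw markup during parsing, so the value must be re-encoded.
MARKUP_MSG = _msg("<member><name>user</name><value><string>"
                  "&lt;b&gt;x&lt;/b&gt;</string></value></member>")

if __name__ == "__main__":
    print(event_row(parse_login_members(MARKUP_MSG)))
```

The parser turns the entity-encoded user name back into raw markup, which is why encoding has to happen again where the event is written into the page, not only at input.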

