Multiple Vulnerabilities in WatchGuard Firebox and XTM appliances Could Allow for Remote Code Execution
MS-ISAC ADVISORY NUMBER:2022-085
Multiple vulnerabilities have been discovered in WatchGuard Firebox and XTM appliances, the most severe of which could allow for Remote code execution. WatchGuard Firebox is a unified security platform that gives IT professionals the network visibility tools to ensure enterprise-grade security. Depending on the privileges associated with the applications, an attacker could view, change, or delete data.
There are no reports that these vulnerabilities are being exploited in the wild.
- Fireware OS before 12.8.1, 12.x before 12.1.4 and 12.2.x through 12.5.x before 12.5.10
Multiple vulnerabilities have been discovered in in WatchGuard Firebox and XTM appliances, the most severe of which could allow for Remote code execution.. Details of the vulnerabilities are as follows:
Tactic: Execution (TA0002):
Technique: Native API (T1106):
- A Stack-based overflow in WatchGuard Firebox and XTM appliances allows an authenticated remote attacker to potentially execute arbitrary code by initiating a firmware update with a malicious upgrade image from the command line interface. (CVE-2022-25362)
Tactic: Execution (TA0002):
Technique: Exploitation for Client Execution (T1203):
- An integer overflow in WatchGuard Firebox and XTM appliances allows an unauthenticated remote attacker to trigger a buffer overflow and potentially execute arbitrary code by sending a malicious request to exposed management ports. (CVE-2022-31789)
- WatchGuard Firebox and XTM appliances allow an unauthenticated remote attacker to retrieve sensitive authentication server settings by sending a malicious request to exposed authentication endpoints. (CVE-2022-31790)
Details of lower-severity vulnerabilities are as follows:
- WatchGuard Firebox and XTM appliances allow an authenticated remote attacker with unprivileged credentials to upload or read files to limited, arbitrary locations. (CVE-2022-31749)
- A local privilege escalation vulnerability in Firebox and XTM devices could allow an attacker to execute commands with root privileges.
- WatchGuard Firebox and XTM appliances allow an authenticated remote attacker to read arbitrary text files from the filesystem.
Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute remote code in the context of the applications. Depending on the privileges associated with the applications, an attacker could view, change, or delete data.
We recommend the following actions be taken:
- Apply the appropriate update from WatchGuard to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
o Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
o Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
- Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
o Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
o Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
- Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040 : Behavior Prevention on Endpoint)
o Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
o Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.