WatchGuard Firebox and XTM Could Allow for Remote Code Execution

Fortify Security Team
Jun 27, 2022

Multiple vulnerabilities have been discovered in WatchGuard Firebox and XTM appliances, the most severe of which could allow for remote code execution. WatchGuard Firebox is a unified security platform that gives IT professionals the network visibility tools to ensure enterprise-grade security. Depending on the privileges associated with the applications, an attacker could view, change, or delete data.

THREAT INTELLIGENCE: There are no reports that these vulnerabilities are being exploited in the wild.

SYSTEMS AFFECTED:

  • Fireware OS before 12.8.1, 12.x before 12.1.4 and 12.2.x through 12.5.x before 12.5.10
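The affected-version statement above is the kind of range a vulnerability-management process (Safeguard 7.1 below) has to turn into a yes/no answer for every appliance in inventory. The following is an added example, not code from WatchGuard or from the advisory, that parses Fireware OS version strings and classifies them against those ranges. The range logic is this editor's reading of the text (an assumption): every release before 12.8.1 is affected, except the 12.1.x branch from 12.1.4 on and the 12.5.x branch from 12.5.10 on, which the advisory names as the patched floors for those branches. The hostnames and version strings in the sample inventory are constructed.

```python
"""Classify Fireware OS version strings against the affected ranges in this advisory.

Added example for inventory checks; not WatchGuard's or the advisory's own code.
ASSUMPTION: the "SYSTEMS AFFECTED" text is read as: affected if version < 12.8.1,
unless it is 12.1.x >= 12.1.4 or 12.5.x >= 12.5.10 (the patched branch floors).
"""
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Patched floors named in the advisory.
FIXED_MAIN: Version = (12, 8, 1)
FIXED_BRANCHES: Dict[Tuple[int, int], Version] = {
    (12, 1): (12, 1, 4),
    (12, 5): (12, 5, 10),
}

# Leading "v" is optional; anything after the dotted digits (e.g. " Build 670500") is ignored.
_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Version:
    """Parse '12.5.9', 'v12.7' or '12.8.1 Build 670500' into a 3-tuple.

    Short versions are zero-padded so '12.7' compares as (12, 7, 0); extra
    components beyond the third are dropped.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Fireware version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    padded = (parts + (0, 0, 0))[:3]
    return (padded[0], padded[1], padded[2])


def is_affected(version: str) -> bool:
    """True if the version falls inside the advisory's affected ranges."""
    v = parse_version(version)
    if v >= FIXED_MAIN:
        return False  # 12.8.1 or later
    fixed = FIXED_BRANCHES.get((v[0], v[1]))
    if fixed is not None and v >= fixed:
        return False  # patched 12.1.x or 12.5.x maintenance release
    return True


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> version string to hostname -> 'affected' | 'patched' | 'unknown'.

    Unparseable versions are reported as 'unknown' rather than silently treated
    as safe, so they surface for manual follow-up.
    """
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "patched"
        except ValueError:
            result[host] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not data from the advisory.
    sample = {
        "fw-hq-01": "12.8.1 Build 670500",
        "fw-branch-02": "12.5.9",
        "fw-branch-03": "12.5.10",
        "fw-legacy-04": "12.1.3",
        "fw-lab-05": "not-a-version",
    }
    for host, status in sorted(triage(sample).items()):
        print(f"{host}: {status}")
```

Appliances reported as `unknown` are deliberately not folded into `patched`; a version string the check cannot read is a data-quality problem to resolve, not evidence that the device is safe.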

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in WatchGuard Firebox and XTM appliances, the most severe of which could allow for remote code execution. Details of the vulnerabilities are as follows:

Tactic: Execution (TA0002):
Technique: Native API (T1106):

  • A Stack-based overflow in WatchGuard Firebox and XTM appliances allows an authenticated remote attacker to potentially execute arbitrary code by initiating a firmware update with a malicious upgrade image from the command line interface. (CVE-2022-25362)

Tactic: Execution (TA0002):
Technique: Exploitation for Client Execution (T1203):

  • An integer overflow in WatchGuard Firebox and XTM appliances allows an unauthenticated remote attacker to trigger a buffer overflow and potentially execute arbitrary code by sending a malicious request to exposed management ports. (CVE-2022-31789)
  • WatchGuard Firebox and XTM appliances allow an unauthenticated remote attacker to retrieve sensitive authentication server settings by sending a malicious request to exposed authentication endpoints. (CVE-2022-31790)

Details of lower-severity vulnerabilities are as follows:

  • WatchGuard Firebox and XTM appliances allow an authenticated remote attacker with unprivileged credentials to upload or read files to limited, arbitrary locations. (CVE-2022-31749)
  • A local privilege escalation vulnerability in Firebox and XTM devices could allow an attacker to execute commands with root privileges.
  • A stored cross-site scripting (XSS) vulnerability exists in the management interface of WatchGuard Firebox and XTM appliances. An unauthenticated remote attacker can potentially execute arbitrary JavaScript code in the Firebox management interface by sending carefully crafted requests to exposed management ports. (CVE-2022-31792)
  • WatchGuard Firebox and XTM appliances allow an authenticated remote attacker to read arbitrary text files from the filesystem.

Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute remote code in the context of the applications. Depending on the privileges associated with the applications, an attacker could view, change, or delete data.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply the appropriate update from WatchGuard to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
  • Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040: Behavior Prevention on Endpoint)
    • Safeguard 13.2: Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
    • Safeguard 13.7: Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

REFERENCES:

WatchGuard:
https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2022-00016

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31749
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31789
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31792
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25362
