WatchGuard has fixed multiple vulnerabilities in two major firewall brands, ranging in severity from medium to critical. Two of the flaws, when combined, permitted Ambionics security engineer Charles Fol to gain pre-authentication remote root on any WatchGuard Firebox or XTM appliance.
Both the Firebox and XTM product lines were implicated in a number of hacking attacks earlier this year, with Russian state-sponsored threat actor Sandworm exploiting a privilege escalation vulnerability to build the Cyclops Blink botnet, which was shut down in April.
WatchGuard released three firmware updates over a four-month period, patching a number of critical vulnerabilities.
Complete access as root
Fol told The Daily Swig, “By combining the latter two, a remote, unauthenticated attacker can get complete access to the firewall system as a super user, or root. This is the worst possible impact. He or she can now read or change the configuration, intercept traffic, et cetera. The first one, in some cases, allows an attacker to obtain the master credentials of the authentication servers, and possibly use this to connect as an administrator on the firewall.”
Fol believes that as a result of the numerous security alerts generated during his research, including those relating to Cyclops Blink, fewer WatchGuard users now have their administration interface exposed on the internet.
“The first vulnerability, XPath, is accessible through the standard client interface, and as such is much more likely to be exposed; a quick Shodan search revealed around 350,000 instances,” he said.
He recommends that users remove their administration interface from the internet and keep their systems up to date. Fol stated that he reported the flaws at the end of March and received a prompt response. A month later, the security team at WatchGuard confirmed that a patch would be available on June 21.