Multiple Vulnerabilities Found In WatchGuard Firewall

Researchers have discovered several security vulnerabilities in two WatchGuard firewall product lines. Exploiting the flaws could allow an attacker to gain root access on the target appliance. WatchGuard has since released patches following the bug reports.

WatchGuard Firewall Vulnerabilities

According to a report from Ambionics, its researchers found five security vulnerabilities in WatchGuard's Firebox and XTM firewall lines. These products ship on a range of CPU architectures, appliance models, and firmware versions, so the flaws affect a broad set of deployed devices.

As explained in the report, the researchers found the vulnerabilities during a red team engagement, after WatchGuard firewalls had been actively exploited by Russian APTs. The vulnerability used in those attacks had already been patched, but the researchers found five further flaws affecting the firewalls' security.

Specifically, the five vulnerabilities are:

  • Blind alphanumeric .bss overflow (CVE-2022-26318)
  • Time-based XPath injection (CVE-2022-31790)
  • Integer overflow leading to heap overflow / use-after-free (CVE-2022-31789)
  • Post-authentication root shell
  • "nobody" to root privilege escalation

In the technical write-up, the researchers explain how these vulnerabilities would let an adversary gain root privileges on the target appliance. They built eight proof-of-concept exploits for the five vulnerabilities, demonstrating the threat to Firebox/XTM appliances.

According to the researchers, both WatchGuard firewall lines in their study had been targeted by attackers earlier this year. While analyzing the devices, they found thousands of firewalls with administrative interfaces exposed to the internet on ports 8080 and 4117. An attacker could therefore scan for vulnerable appliances, take them over, and potentially enlist them into a botnet.
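The exposure the researchers describe is something a defender can check for in their own address space before an attacker does. The following script is an added example, not code from the article, Ambionics, or WatchGuard: it performs a plain TCP connect check against the two admin ports named above for a list of hosts. The port numbers come from the article; the host list is an assumption, and the offline demo uses loopback sockets in place of real appliances.

```python
"""Check whether WatchGuard admin/management ports answer on a set of hosts.

Added example for this article, not vendor or Ambionics code. A completed TCP
handshake is treated as "exposed"; it does not fingerprint the service.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

# Ports the article reports as exposed on thousands of appliances.
WATCHGUARD_ADMIN_PORTS = (8080, 4117)


def port_is_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP three-way handshake completes to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, no route
        return False


def exposed_admin_ports(host, ports=WATCHGUARD_ADMIN_PORTS, timeout=2.0):
    """Tuple of the given ports that accept connections on host."""
    return tuple(p for p in ports if port_is_open(host, p, timeout))


def audit_hosts(hosts, ports=WATCHGUARD_ADMIN_PORTS, timeout=2.0, workers=16):
    """Map each host to its open admin ports; hosts are probed concurrently."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        pairs = pool.map(lambda h: (h, exposed_admin_ports(h, ports, timeout)), hosts)
        return dict(pairs)


def run_local_demo():
    """Offline demonstration: one loopback listener stands in for an exposed
    admin interface and a freshly released port stands in for a closed one.
    Returns (open_port, closed_port, audit_result)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # kernel picks a free port
    listener.listen(5)  # backlog lets the probe's handshake complete
    open_port = listener.getsockname()[1]

    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # nothing listens on this port any more

    try:
        result = audit_hosts(["127.0.0.1"], ports=(open_port, closed_port), timeout=1.0)
    finally:
        listener.close()
    return open_port, closed_port, result


if __name__ == "__main__":
    # Hypothetical perimeter hosts; replace with your own public ranges.
    for host, open_ports in audit_hosts(["fw1.example.invalid", "fw2.example.invalid"]).items():
        status = f"EXPOSED on {open_ports}" if open_ports else "no admin ports reachable"
        print(f"{host}: {status}")
    print("local demo:", run_local_demo())
```

Run it from a network position equivalent to the internet (not from inside the management VLAN), otherwise a reachable port says nothing about external exposure. A hit on 8080 or 4117 means the management plane is reachable and the device needs both the firmware update and an access rule restricting the interface.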

While WatchGuard has addressed most of these issues, the last and most critical flaw, the one granting root access, was still unpatched and was disclosed as a zero-day.

Because vulnerable devices are easy to find on Shodan, Ambionics security engineer Charles Fol advised users not to expose the admin interface to the internet. Fol also urged users to keep their devices up to date so that security patches are applied promptly.
