Archive | October, 2013

WatchGuard posts maintenance releases for e-Series and XTM 21/22/23 appliances.

WatchGuard has posted Fireware XTM OS 11.3.7 for e-Series and 11.6.7 for XTM 21/22/23 appliances. Along with providing significant bug fixes, these releases enable Commtouch as the anti spam solution provider. Both releases also include a fix for the buffer overflow vulnerability reported last week at WatchGuard Security Center. The Release Notes provide a complete list of all issues resolved in each software release.

Note: There is no corresponding update to WSM.

Does This Release Pertain to Me?

Customers with an XTM 21/21-W, 22/22-W, or 23/23-W appliance should upgrade to version 11.6.7. Customers with e-Series appliances should upgrade to 11.3.7.

Please read the 11.6.7 Release Notes and the 11.3.7 Release Notes before you upgrade, to understand what’s involved.

Note: These updates do not apply to customers with XTM 25 or higher appliances.

How Do I Get the Release?

XTM appliance owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Support section of WatchGuard’s Support Center. To make it easier to find the relevant software, be sure to uncheck the “Article” and “Known Issue” search options, and press the Go button.

If you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

Don’t have an active LiveSecurity subscription for your XTM appliance? It’s easy to renew. Contact your WatchGuard reseller today. Find a reseller»

Five Top Tips to Help Protect Your Critical Data

I often question the validity of the term Information Security. While it has “information” in the name, I feel we spend more time protecting our technologies and devices than we do figuring out what information is most critical to our businesses, and catering our protections to that data. As information security professionals, we need to focus more on directly defending data.

Information Security

That was the premise for my presentation at Gartner’s ITxpo Symposium on October 7, 2013, in Orlando, titled, “SPS17: WatchGuard Technologies, Inc.: Cover Your Assets; Protecting Your Company’s Most Important Possession.”

Right now data thieves are doing a good job stealing our sensitive information. Since 2005, more than 600 million records have been breached, and the stakes continue to rise as companies struggle to protect data in the face of increasingly complicated regulatory requirements.

At ITxpo I shared some revelations from WatchGuard’s recent data loss research. For instance, though 64 percent of respondents report having data sharing and usage policies, only 30 percent have Data Loss Prevention solutions in place. And, while the top data loss threats include malicious insiders and criminal hackers, the number one threat is accidental data loss.

To help illustrate this data security problem, I also demonstrated how unskilled attackers could easily leverage SQL injection flaws to siphon off critical information from our backend databases. Using freely available tools like SQLmap, almost anyone can steal email addresses, credentials, and even credit card numbers from badly programmed e-commerce sites.

Of course, the point of the presentation wasn’t to alarm, but to remedy. To that end, I proposed five simple steps CIOs and IT managers can take to protect their organization’s critical data assets. You can read more about those tips below, or, you can watch the session recording by clicking here.

Gartner DLP Presentation (session video)

Let’s jump into the five tips:

  • Do a Data Inventory – What sensitive data does your organization have? Where do you store this data? Why does the organization need this data? Who needs access to it? How do they use the data? You need to find out in order to protect it.
  • Create a Data Policy – Good information security always starts with a well-thought-out policy. Even the best security technologies cannot replace good planning.
  • Leverage Access Control – You may already have many good tools to help, such as OS authentication, identity access management, firewalls, network ACL and other security controls. But, are you using them? The simple step of segmenting your trusted users from one another based on their roles can help.
  • Use Encryption – Encryption can be expensive, but for data at rest and in motion, it is vital for sensitive documents. However, you don’t have to encrypt everything. If you learn where your organization stores its most vital data, you can concentrate on just encrypting that.
  • Adopt DLP Technology – Vendors are offering cost-effective and easy-to-use solutions that can help organizations detect and block sensitive data at rest, in use and in motion. Consider Unified Threat Management (UTM) solutions that integrate DLP technology and allow it to be centrally managed through a single console. Gateway-based DLP technologies found on UTM devices can solve a big portion of the problem for a fraction of the cost and complexity of other solutions.

With the proper precautions in place, there’s little real excuse for accidental data loss today. There are strategies you can employ that help you identify your company’s most critical data, techniques you can use to limit access to it, and solutions available that will recognize violations and keep your data safe; thus meeting today’s compliance standards and regulation.

Furthermore, WatchGuard’s unified threat management (UTM) platform can help, providing you with both defense-in-depth and the latest gateway DLP technology that prevents most common data leaks. — Corey Nachreiner, CISSP (@SecAdept)

Hackers Lose Rights – WSWiR Episode 82

PHP.Net Hijack, Rooted ReadyNAS, and Harassed “Hacker”

This week you get two Infosec videos for the price of one! Of course, free plus free is still… well, free.

Last week, I had a busy travel schedule in the Middle East and Holland, and I did not find the time to produce my weekly security news summary on Friday. And yet, there was still plenty of security news to cover, so I didn’t want to leave you hanging. Hopefully, you can still learn something interesting, even if it comes a few days late.

Last week’s much belated episode includes news of Cheney’s cardiac defibrillator hacking scare, a watering hole attack, yet another rooted consumer router, and a story about how just calling yourself a hacker may cost you some Constitutional rights. Watch the video below, and check the Reference section for more details.

Thanks for watching and I’ll see you again in two days, when I post this week’s video!

(Episode Runtime: 7:07)

Episode References:


— Corey Nachreiner, CISSP (@SecAdept)

Hypervisors Need Patch Love Too; VMware updates

Unfortunately, I find some administrators treat their hypervisors like they do their routers. Since hypervisors often support production servers, administrators don’t like messing with them by updating them regularly. You know the old adage… “If it ain’t broke, don’t fix it.” That said, I’d argue that if your critical production server suffers from security flaws, then it’s surely broken.

With that in mind, VMware administrators running ESXi, vCenter or vSphere need to update soon. Recently, VMware released a security advisory warning of a handful of vulnerabilities in these popular hypervisor products. The flaws span from Denial of Service (DoS) issues, to elevation of privilege vulnerabilities. While I wouldn’t classify any of the problems as overly critical, I still think it’s worth updating your hypervisor as soon as you can. You can find more information about these flaws, and where to find patches, in VMware’s advisory. — Corey Nachreiner, CISSP (@SecAdept)

Freshening Rotten Apples (iOS and OS X Updates)

If you’re an Apple customer, I sure hope you’ve enabled automatic software updates, because there are a lot of patches to download this week.

On Tuesday, Apple released a ton of security updates, including ones for products like iOS, OS X, iTunes, and more. The updates fix a wide variety of security vulnerabilities, from more lock screen bypass issues in iOS, to remote code execution flaws in OS X. If you use any of the products below, I recommend you visit my provided links to download the corresponding security updates as soon as you can:

If you’d like to keep abreast of the latest Apple security updates, be sure to bookmark their Security page, and you can find links to all their patches on the Download page, though I recommend you let their automatic update take care of the updates for you.

As an aside, for any of you waiting for my weekly Infosec video, I was unable to produce it by Friday due to an intense travel schedule. I’ll release the video some time early next week.

— Corey Nachreiner, CISSP (@SecAdept)


D-Link Backdoor – WSWiR Episode 81

Hijacked vBulletins, Harvested Email, and Router Backdoors

Do you remember the days when we might learn about one, maybe two, big Infosec stories a month? Well, those days are long gone. Nowadays, it seems like more network and information security stories break each week than one person could follow. So why not let me do it for you in my weekly Infosec news summary?

This week, the episode covers a number of important software security patches (including one for WatchGuard customers), an unpatched vulnerability that resulted in 31,000 hijacked web sites, the NSA’s email harvesting campaign, and a backdoor in a popular consumer-brand router. Watch the video below to learn the details, and how to protect your network… and if you’re looking for extra credit, check the Reference section for a bunch of additional security stories.

Have a great weekend, and stay safe online.

(Episode Runtime: 7:41)

Episode References:


— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard’s XTM 11.8 Software Fixes Buffer Overflow & XSS Vulnerabilities

Overall Severity: High


  • These vulnerabilities affect: WatchGuard WSM and Fireware XTM 11.7.4 and earlier
  • How an attacker exploits them: Either by enticing an XTM administrator into clicking a specially crafted link or by visiting the appliance’s web management UI with a malicious cookie
  • Impact: In the worst case, an attacker can execute code on the XTM appliance (see mitigating factors below)
  • What to do: Install WSM and Fireware XTM 11.8 (and limit access to the XTM web management interface)


Last week, we released WSM and Fireware XTM 11.8, which delivers a number of powerful new features to XTM administrators. However, it also fixes two externally reported security vulnerabilities. Though both vulnerabilities have mitigating factors that somewhat limit their severity, you should still patch them quickly.

If you haven’t already installed 11.8 for its great new features, we recommend you install it for these security fixes. We summarize the two vulnerabilities below:

WGagent is one of the processes running on an XTM appliance. Among other things, WGagent is responsible for parsing the web cookies sent to the appliance’s web management interface. It suffers from a buffer overflow vulnerability involving its inability to handle specially crafted cookies containing an overly-long “sessionid.” By creating a maliciously crafted cookie, and then connecting to your XTM appliance’s web management interface (tcp port 8080), an unauthenticated attacker can exploit this vulnerability to execute code on the appliance. Though the WGagent process runs with low privileges (nobody) and from a chroot jail, it does have enough privilege to access your appliance’s configuration file and change passwords. So we consider this a significant vulnerability.

That said, one mitigating factor somewhat limits its severity. An attacker can only exploit the flaw if he has access to your XTM appliance’s web management interface. By default, physical XTM appliances only allow web management access to the trusted network. As long as you haven’t specifically changed the WatchGuard Web UI policy to allow external access, Internet-based attackers cannot exploit this flaw against you.

However, this is not the case for XTMv users (the virtual version of our XTM platform). As a virtual appliance, XTMv has no concept of what is internal or external until you attach its virtual interfaces to physical ones, using your hypervisor software. To make its setup easier, XTMv allows access to the web management UI from all interfaces. In other words, this flaw poses a higher risk to XTMv appliances, if you haven’t restricted the web management policy manually.

Security best practices suggest that you limit access to your security appliance’s management interfaces. If you configure the WatchGuard Web UI policy to limit access to the management interface to only those you trust, this flaw should pose minimal risk. In any case, we still consider it a significant vulnerability, and recommend you upgrade to Fireware XTM 11.8 to fix it.

We’d like to thank Jerome Nokin and Thierry Zoller from Verizon Enterprise Solutions (GCIS Threat and Vulnerability Management) for discovering and responsibly disclosing this flaw, and thank the CERT team for coordinating the disclosure and response.

Update: If you’d like to read a very detailed report on how the researcher found this vulnerability, visit his blog.

Severity rating: High

  • Reflective XSS vulnerabilities in WatchGuard Server Software’s WebCenter (CVE-2013-5702)

WebCenter is the web-based logging and reporting UI that ships with the Server Software included with WSM. The WebCenter web application suffers from a few cross-site scripting (XSS) vulnerabilities involving some of its URL parameters. If an attacker can trick your XTM or WebCenter administrator into clicking a specially crafted link, he could exploit these vulnerabilities to execute script in that user’s browser, under the context of the WebCenter application. Among other things, this means the attacker could do anything in the WebCenter application that your user could do.

However, it would take significant interaction for this attack to succeed. It is a reflected XSS attack, which means the attacker must trick a WebCenter administrator into clicking a link before the attack can take place. Furthermore, the link does not bypass Webcenter’s authentication. This means that unless the victim is already logged on to WebCenter, she would also have to enter her WebCenter credentials before this malicious link would work. Despite these mitigating factors, we still recommend you install 11.8 to fix these XSS flaws quickly.

We’d like to thank Julien Ahrens of RCE Security for bringing this matter to our attention, and disclosing it responsibly.

Severity rating: Medium

Solution Path:

WatchGuard Fireware XTM and WSM 11.8 correct both of these security issues. We recommend you download and install 11.8 to fix these vulnerabilities. You can find more details about 11.8 in our software announcement post.

For older appliances, such as e-Series devices or XTM 21, 22, and 23 appliances, Fireware XTM 11.6.7 and 11.3.7 also correct this buffer overflow vulnerability.

If, for some reason, you are unable to update your XTM appliances immediately, a few simple workarounds can significantly mitigate these vulnerabilities.

  • Restrict access to your appliance’s web management UI using the WatchGuard Web UI policy. By default, our physical appliances do not allow external access to the web management UI, meaning Internet-based attackers can’t exploit this cookie buffer overflow flaw. If you like, you can fine-tune our policy even more, further limiting access. For instance, you can restrict access to very specific IP addresses or subnets, use our user authentication capabilities to restrict access to certain users, or use our mobile VPN options to restrict access to VPN users. The more you limit access, the less likely an attacker could exploit this flaw.
  • Limit access to WebCenter, and train administrators against clicking unsolicited links. If you like, you can also use your XTM appliance and local host firewall policy to limit access to WebCenter (running on tcp port 4130 on your WatchGuard Server). This will minimize the number of victims a maliciously crafted link would work against. Furthermore, we recommend you train your administrators about the dangers of clicking unsolicited links, especially ones that connect you to security appliances and ask for additional authentication.
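The two workarounds above are enforceable at the policy level, but they can also be checked after the fact. The following is an added example, not WatchGuard code and not based on any real WatchGuard log format: it scans constructed request records for the two conditions this post describes, an oversized “sessionid” cookie sent to the web management UI (tcp/8080) and script-like content in a WebCenter (tcp/4130) URL parameter, and flags any management-plane request that did not come from an assumed trusted subnet. The record layout, the 10.0.1.0/24 trusted network and the 128-byte sessionid threshold are assumptions for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample records (not real appliance logs), one request per line:
#   "<src_ip> <dst_port> <method> <path> <Cookie header or '-'>"
SAMPLE_REQUESTS = [
    "10.0.1.15 8080 GET /auth/login sessionid=ab12cd34ef56;lang=en",
    "203.0.113.7 8080 GET /auth/login sessionid=" + "A" * 300,
    "10.0.1.22 8080 GET /status sessionid=" + "B" * 2048 + ";theme=dark",
    "10.0.1.30 4130 GET /wc/report?name=daily&user=admin -",
    "198.51.100.9 4130 GET /wc/report?name=%3Cscript%3Ex%3C%2Fscript%3E -",
]

# Assumed trusted management network; the post's advice is to restrict the
# WatchGuard Web UI policy (and WebCenter) to exactly such a set of sources.
TRUSTED_NETS = [ipaddress.ip_network("10.0.1.0/24")]
# Ports named in the post: 8080 for the appliance web UI, 4130 for WebCenter.
MGMT_PORTS = {8080: "web management UI (tcp/8080)", 4130: "WebCenter (tcp/4130)"}
# Assumed sane upper bound; legitimate session ids are far shorter than this.
MAX_SESSIONID_LEN = 128
# Crude markers for reflected-script content in a decoded URL parameter value.
SCRIPT_MARKERS = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)


def parse_record(line):
    """Split one constructed record into its fields."""
    src, port, method, path, cookie = line.split(" ", 4)
    return {
        "src": ipaddress.ip_address(src),
        "port": int(port),
        "method": method,
        "path": path,
        "cookie": "" if cookie == "-" else cookie,
    }


def cookie_values(cookie_header):
    """Parse 'k=v; k2=v2' into a dict; values are kept verbatim."""
    pairs = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip()] = value.strip()
    return pairs


def check_record(rec):
    """Return a list of findings for one request record (empty if clean)."""
    findings = []
    service = MGMT_PORTS.get(rec["port"])
    # Workaround 1 and 2: management services should only see trusted sources.
    if service and not any(rec["src"] in net for net in TRUSTED_NETS):
        findings.append(f"untrusted source reached {service}")
    # The WGagent flaw: an overly long sessionid cookie value.
    sid = cookie_values(rec["cookie"]).get("sessionid")
    if sid is not None and len(sid) > MAX_SESSIONID_LEN:
        findings.append(f"oversized sessionid cookie ({len(sid)} bytes)")
    # The WebCenter flaw: script content reflected through URL parameters.
    if rec["port"] == 4130:
        query = urlsplit(rec["path"]).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            if SCRIPT_MARKERS.search(value):
                findings.append(f"script-like content in WebCenter parameter '{key}'")
    return findings


def scan(lines):
    """Return [(source_ip, findings)] for every record that produced findings."""
    results = []
    for line in lines:
        rec = parse_record(line)
        findings = check_record(rec)
        if findings:
            results.append((str(rec["src"]), findings))
    return results


if __name__ == "__main__":
    for src, findings in scan(SAMPLE_REQUESTS):
        print(src, "->", "; ".join(findings))
```

Real deployments would feed this the appliance's own traffic or proxy logs; the point is that both conditions are cheap to spot once management-plane requests are logged at all.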


Are any of WatchGuard’s other products affected?

No. These flaws only affect our XTM appliances, and the WebCenter software that ships with WSM Server Software.

What exactly is the vulnerability?

One is a buffer overflow that allows attackers to execute code on your XTM appliance, and another is a cross-site scripting (XSS) vulnerability that could allow an attacker to gain unauthorized access to WebCenter, assuming he can trick an administrator into clicking a malicious link.

Do these give attackers access to my XTM security appliance?

Yes. The buffer overflow flaw could potentially give attackers access to your XTM security appliance. Though the WGagent process involved runs with low OS privileges, it does have enough privilege to access your appliance’s configuration file, and to change things like your passwords. However, attackers could only exploit this flaw if they had access to the web management UI, which most administrators block from the Internet. In most cases, this flaw primarily poses an internal risk.

How serious is the vulnerability?

Mitigating circumstances aside, we consider the buffer overflow flaw a high risk vulnerability, and recommend you update to 11.8 as soon as possible. The XSS flaws pose lesser risk.

How was this vulnerability discovered?

These flaws were discovered by Jerome Nokin and Thierry Zoller of Verizon Enterprise Solutions, and by Julien Ahrens of RCE Security, and were both confidentially reported to WatchGuard through a very responsible process. We thank them all for working with us to keep our customers secure.

Do you have any indication that this vulnerability is being exploited in the wild?

No, at this time we have no indication that these vulnerabilities are being exploited in the wild. However, shortly after our alert, the researcher who discovered the buffer overflow flaw shared his proof of concept (PoC) exploit code publicly. This code makes it easier for unskilled attackers to try and exploit this flaw. To make sure no one can exploit this issue against you, we highly recommend you upgrade to 11.8, or be sure not to expose your web management interface externally.

Who can I contact at WatchGuard if I have more questions?

If you have further questions about this issue, or any other security concerns with WatchGuard products, please contact:

Corey Nachreiner, CISSP.
Director of Security Strategy and Research
WatchGuard Technologies, Inc.

WatchGuard Dimension and Fireware XTM 11.8

WatchGuard is pleased to announce two major new software releases.

WatchGuard Dimension is a public and private cloud-ready network security visibility solution that provides reporting tools that instantly distill key issues and trends, speeding the ability to set meaningful security policies across the network. It is available for download from the support center today. Key features include:

  • Executive Dashboards provide a high-level view of network activity, and with just a click, users can drill all the way down to individual log data.
  • ThreatMap instantly shows by location where threats are coming from.
  • FireWatch filters traffic in a way that instantly brings your eye to the most critical information on active users and connections.
  • E-mail delivery of reports.
  • A single Executive Summary report that provides an overview of network traffic and security events.

Please read the Release Notes to get a deeper understanding of the new capabilities and options. An interactive demo is also available on the product page.

Fireware XTM 11.8 is also available now and provides powerful new features. Highlights include:

  • Data Loss Prevention prevents costly data breaches by scanning and detecting the transfer of sensitive information over email, web, and FTP.
  • All-new Web UI has enhanced ease of use, and includes popular WatchGuard tools such as Traffic Monitor and the new FireWatch. It supports mobile devices, including iOS.
  • Routed VPNs in 11.8 add tremendous flexibility to the configuration of VPNs in today’s more complex network environments. Many new use cases are supported through the ability to add VPN on a virtual interface.
  • Wireless Access Point enhancements, including manual channel selection.
  • YouTube for Schools.

A more complete list is available online, and a detailed “What’s New in 11.8” presentation is also available.

Note: 11.8 also includes important security updates to fix a buffer overflow flaw, and cross-site scripting (XSS) vulnerabilities in our products. For more details on these issues, see our WatchGuard Security Center post.

Does This Release Pertain to Me?

If you or your customers have an XTM 25/25-W/26/26-W, 3 Series, 5 Series, 8 Series, 800 Series, 1500 Series, 2500 Series, 1050 or 2050 device and wish to use the new enhancements, you should upgrade to version 11.8. Please read the Release Notes before you upgrade, to understand what’s involved.

Note: Fireware XTM 11.8 does not apply to XTM 21/22/23 appliance owners, or Firebox X e-Series owners.

WatchGuard Dimension is compatible with all XTM appliances.

How Do I Get the Release?

XTM appliance owners who have a current LiveSecurity Service subscription can obtain the XTM OS update or Dimension without additional charge by downloading the applicable packages from the Articles & Support section of WatchGuard’s Support Center. To make it easier to find the relevant software, be sure to uncheck the “Article” and “Known Issue” search options, and press the Go button.

If you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

Don’t have an active LiveSecurity subscription for your XTM appliance? It’s easy to renew. Contact your WatchGuard reseller today. Find a reseller»

Oracle Fixes 133 Vulnerabilities with Massive CPU & Java Updates

Yesterday, Oracle released their quarterly Critical Patch Update (CPU) for October 2013. If you haven’t heard of them, CPUs are Oracle’s quarterly collections of security updates, which fix vulnerabilities in a wide-range of their products. Oracle publishes their quarterly updates on the Tuesday closest to the 17th of the month (in this case, October 15th). Previously, Oracle decoupled their Java updates from their quarterly CPU cycle. However, that changes as of this release. From now on, Oracle plans to release Java updates quarterly, so this quarter’s Oracle CPU includes a Java security update as well.

Overall, the CPU and Java updates fix around 133 security vulnerabilities in many different Oracle products and suites. The table below outlines the affected products, and the severity of the fixed flaws. The flaws with the highest CVSS rating are the most risky, meaning you should handle them first:

Product or Suite                   Flaws Fixed (CVE)   Max CVSS
Java SE                            51                  10
Database Server                    4                   6.4
MySQL                              12                  8.5
Fusion Middleware                  17                  7.5
Enterprise Manager Grid Control    4                   4.3
Siebel CRM                         9                   6.8
E-Business Suite                   1                   5.0
Supply Chain Product Suite         2                   5.0
Industry Applications              6                   5.5
PeopleSoft Products                8                   5.0
iLearning                          2                   6.8
Financial Services Software        1                   6.0
Primavera Products Suite           2                   5.0
Sun Systems Products Suite         12                  6.1
Virtualization                     2                   5.0

Oracle’s advisory doesn’t describe every flaw in technical detail. However, they do describe the general impact of each issue, and share CVSS severity ratings. While the severity of the 133 vulnerabilities differs greatly, some of them pose a pretty critical risk; especially the Java SE ones.

Almost everyone has Java installed. If you do, I recommend you install the Java update immediately, or perhaps consider uninstalling Java or restricting it in some way using its security controls. With a CVSS rating of 10, the Java exploits allow remote attackers to install malware on your computer via web-based drive-by download attacks; and right now attackers really like targeting Java flaws.

Of course, if you use any of the other affected Oracle software, you should update it as well. I recommend scheduling the updates based on the max CVSS rating for the products. For instance, if you use MySQL, update it quickly, but you can allow yourself more time to fix the Grid Control issues. You’ll find more details about these updates in the Patch Availability section of Oracle’s alert. — Corey Nachreiner, CISSP (@SecAdept)

Gartner IT Expo – WSWiR Episode 80

Two IE Zero Days, iOS vs. Android, and DNS Hijacking

Today’s weekly InfoSec video comes to you on the road, from Gartner’s IT Expo Symposium.

WatchGuard had a busy week here in Orlando. I spoke on Data Security; we announced and released a new visibility tool called Dimension; and we released XTM Fireware 11.8, which includes a new data loss prevention (DLP) service.

Nonetheless, the show must go on. This week’s quick episode includes info on the latest Microsoft Patch Day, one humorous highlight from the show, a story about a bunch of hijacked security sites, and even a bit of good news. Click play below for the details, and have a great weekend!

(Episode Runtime: 7:51)

Episode References:


— Corey Nachreiner, CISSP (@SecAdept)
