October 17, 2013 
Overall Severity: High
Summary:
- These vulnerabilities affect: WatchGuard WSM and Fireware XTM 11.7.4 and earlier
- How an attacker exploits them: Either by enticing an XTM administrator into clicking a specially crafted link or by visiting the appliance’s web management UI with a malicious cookie
- Impact: In the worst case, an attacker can execute code on the XTM appliance (see mitigating factors below)
- What to do: Install WSM and Fireware XTM 11.8 (and limit access to the XTM web management interface)
Exposure:
Last week, we released WSM and Fireware XTM 11.8, which delivers a number of powerful new features to XTM administrators. However, it also fixes two externally reported security vulnerabilities. Though both vulnerabilities have mitigating factors that somewhat limit their severity, you should still patch them quickly.
If you haven’t already installed 11.8 for its great new features, we recommend you install it for these security fixes. We summarize the two vulnerabilities below:
- WGagent Buffer Overflow vulnerability via Web Management UI (CERT VU#233990 / CVE-2013-6021)
WGagent is one of the processes running on an XTM appliance. Among other things, WGagent is responsible for parsing the web cookies sent to the appliance’s web management interface. It suffers from a buffer overflow vulnerability involving its inability to handle specially crafted cookies containing an overly-long “sessionid.” By creating a maliciously crafted cookie, and then connecting to your XTM appliance’s web management interface (tcp port 8080), an unauthenticated attacker can exploit this vulnerability to execute code on the appliance. Though the WGagent process runs with low privileges (nobody) and from a chroot jail, it does have enough privilege to access your appliance’s configuration file and change passwords. So we consider this a significant vulnerability.
That said, one mitigating factor somewhat limits its severity. An attacker can only exploit the flaw if he has access to your XTM appliance’s web management interface. By default, physical XTM appliances only allow web management access to the trusted network. As long as you haven’t specifically changed the WatchGuard Web UI policy to allow external access, Internet-based attackers cannot exploit this flaw against you.
However, this is not the case for XTMv users (the virtual version of our XTM platform). As a virtual appliance, XTMv has no concept of what is internal or external until you attach its virtual interfaces to physical ones, using your hypervisor software. To make its setup easier, XTMv allows access to the web management UI from all interfaces. In other words, this flaw poses a higher risk to XTMv appliances, if you haven’t restricted the web management policy manually.
Security best practices suggest that you limit access to your security appliance’s management interfaces. If you configure the WatchGuard Web UI policy to limit access to the management interface to only those you trust, this flaw should pose minimal risk. In any case, we still consider it a significant vulnerability, and recommend you upgrade to Fireware XTM 11.8 to fix it.
We’d like to thank Jerome Nokin and Thierry Zoller from Verizon Enterprise Solutions (GCIS Threat and Vulnerability Management) for discovering and responsibly disclosing this flaw, and thank the CERT team for coordinating the disclosure and response.
Update: If you’d like to read a very detailed report on how the researcher found this vulnerability, visit his blog.
Severity rating: High
- Reflective XSS vulnerabilities in WatchGuard Server Software’s WebCenter (CVE-2013-5702)
WebCenter is the web-based logging and reporting UI that ships with the Server Software included with WSM. The WebCenter web application suffers from a few cross-site scripting (XSS) vulnerabilities involving some of its URL parameters. If an attacker can trick your XTM or WebCenter administrator into clicking a specially crafted link, he could exploit these vulnerabilities to execute script in that user’s browser, under the context of the WebCenter application. Among other things, this mean the attacker could do anything in the WebCenter application that your user could do.
However, it would take significant interaction for this attack to succeed. It is a reflected XSS attack, which means the attacker must trick a WebCenter administrator into clicking a link before the attack can take place. Furthermore, the link does not bypass Webcenter’s authentication. This means that unless the victim is already logged on to WebCenter, she would also have to enter her WebCenter credentials before this malicious link would work. Despite these mitigating factors, we still recommend you install 11.8 to fix these XSS flaws quickly.
We’d like to thank Julien Ahrens of RCE Security for bringing this matter to our attention, and disclosing it responsibly.
Severity rating: Medium
Solution Path:
WatchGuard Fireware XTM and WSM 11.8 correct both of these security issues. We recommend you download and install 11.8 to fix these vulnerabilities. You can find more details about 11.8 in our software announcement post.
For older appliances, such as the e-Series devices, or an XTM 21, 22, and 23 appliances, Fireware XTM 11.6.7 and 11.3.7 also corrects this buffer overflow vulnerability.
If, for some reason, you are unable to update your XTM appliances immediately, a few simple workarounds can significantly mitigate these vulnerabilities.
- Restrict access to your appliance’s web management UI using the WatchGuard Web UI policy. By default, our physical appliances do not allow external access to the web management UI; meaning Internet-based attackers can’t exploit this cookie buffer overflow flaw. If you like, you can fine-tune our policy even more, further limiting access. For instance, you can restrict access to very specific IP addresses or subnets, use our user authentication capabilities to restrict access to certain users, or use our mobile VPN options to restrict access to VPN users. The more you limit access, the less likely an attacker could exploit this flaw.
- Limit access to WebCenter, and train administrators against clicking unsolicited links. If you like, you can also use your XTM appliance and local host firewall policy to limit access to WebCenter (running on tcp port 4130 on your WatchGuard Server). This will minimize the amount of victims a maliciously crafted link would work against. Furthermore, we recommend you train your administrators about the dangers of clicking unsolicited links, especially ones that connect you to security appliances, and ask for additional authentication.
FAQ:
Are any of WatchGuard’s other products affected?
No. These flaws only affect our XTM appliances, and the WebCenter software that ships with WSM Server Software.
What exactly is the vulnerability?
One is a buffer overflow that allows attackers to execute code on your XTM appliance, and another is a cross-site scripting (XSS) vulnerability that could allow an attacker to gain unauthorized access to WebCenter, assuming he can trick an administrator into clicking a malicious link.
Do these give attackers access to my XTM security appliance?
Yes. The buffer overflow flaw could potentially give attackers access to your XTM security appliance. Though the WGagent process involved runs with low OS privileges, it does have enough privilege to access your appliance’s configuration file, and to change things like your passwords. However, attackers could only exploit this flaw if they had access to the web management UI, which most administrators block from the Internet. For most cases, this flaw primarily poses an internal risk.
How serious is the vulnerability?
Mitigating circumstances aside, we consider the buffer overflow flaw a high risk vulnerability, and recommend you update to 11.8 as soon as possible. The XSS flaws pose lesser risk.
How was this vulnerability discovered?
These flaws were discovered by Jerome Nokin and Thierry Zoller of Verizon Enterprise Solutions, and by Julien Ahrens of RCE Security, and were both confidentially reported to WatchGuard through a very responsible process. We thank them all for working with us to keep our customers secure.
Do you have any indication that this vulnerability is being exploited in the wild?
No, at this time we have no indication that these vulnerabilities are being exploited in the wild. However, shortly after our alert, the researcher who discovered the buffer overflow flaw shared his proof of concept (PoC) exploit code publicly. This code makes it easier for unskilled attackers to try and exploit this flaw. To make sure no one can exploit this issue against you, we highly recommend your upgrade to 11.8, or be sure not to expose your web management interface externally.
Who can I contact at WatchGuard if I have more questions?
If you have further questions about this issue, or any other security concerns with WatchGuard products, please contact:
Corey Nachreiner, CISSP.
Director of Security Strategy and Research
WatchGuard Technologies, Inc.
http://www.watchguard.com
corey.nachreiner@watchguard.com
WatchGuard Security Center 
I’d love to upgrade, if Watchguard hadn’t abandoned the XTM23 we bought 2 years ago.
Mark,
We didn’t abandon the XTM 23. There will be a new release of 11.6.x software soon that will have new bug fixes, including these ones. It just won’t have all the new features of 11.8, such as DLP. Not because we don’t want 21-23 users to get the new features; simply because the older 2 Series hardware is not powerful enough for yet another service.
Cheers,
Corey
Is there a workaround for the security flaw that doesn’t involve upgrading to 11.8? Our XTM25’s on 11.8 have MAJOR vpn client connection issues, which Watchguard support has told us will not be fixed for 2 months! So either we downgrade and risk vulnerabilities, or we upgrade and no one at remote offices can get work done. Solution?
The simple workaround is just to restrict who has access to the web-based management interface. First, by default access to this interface isn’t allowed from the internet. So by default, you are not at risk from Internet-based attacks, only internal users trying to exploit this flaw.
That said, you can use our policy making to restrict access even more. If you aren’t using our user authentication capabilities (both local or connected to AD or LDAP servers), you can set that up and then restrict access to the web management by users. That way users would have to authenticate before even reaching the web-management. Another option is to use mobile VPN, and restrict the management interface to just VPN users.
In short, the more restrictive your web management policy is, the harder it is for attackers to leverage this issue. They would literally have to first hack an approved users computer, before they could exploit this flaw.
Cheers,
Corey
Thanks for the quick response, Corey. Do you know if the 2 month timeline is accurate? I’d rather not have to downgrade the boxes we just upgraded to 11.8 in order to get VPN working for SSL VPN users. Right now they’re dropping every 30-60 seconds, making work impossible.
In my current role, other then for security issues, I’m not really clued in for timeline on software fixes. So I’m not sure whether or not the 2 month estimate for the VPN fix is correct, but support usually has the latest and most accurate stuff.
Also, not sure if they are referring to the next actual 11.8.x “dot” release, or something else. For some issues, we may release unofficial CSPs (customer specific patches) to fix certain issues early, before the real public release. So perhap your issue may get corrected in a CSP. It must be a pretty specific issue? I only have two basic VPNs on my lab boxes, but they seem to work ok in 11.8.
Cheers,
Corey
Interesting – that’s good to know. We may try looking at our SSL VPN settings to see if we can get it to work. Thanks again!
Do you mind if I quote a couple of your articles as long as I provide creeit and sources back to your blog?
My website is in the exact same niche as yours and my visitors would certainly benefit from some off the information you provide here.
Please let me know if this ok with you. Thanks a lot!
Nice post. I was checking continuously this weblog
and I’m inspired! Extremely helpful information specifically the
final section 🙂 I handle such info a lot. I was seeking this particular info for a very lengthy time.
Thanks and best of luck.