Fireware XTM 11.8.3 Update Corrects XSS Flaw

Overall Severity: Medium


  • This vulnerability affects: WatchGuard Fireware XTM 11.8.1 and earlier
  • How an attacker exploits it: Either by enticing an XTM administrator into clicking a specially crafted link or by directly interacting with the appliance’s web management UI (requires authentication)
  • Impact: An attacker can execute script in the context of the XTM management web UI, which could allow him to attempt to phish your credentials or gain access to your cookies or session information
  • What to do: Install Fireware XTM 11.8.3 (and limit access to the XTM web management interface)


Recently, we released WSM and Fireware XTM 11.8.3, which delivers many customer requested fixes and enhancements to XTM administrators. It also corrects a web application vulnerability reported to us by William Costa (a security researcher and consultant) via US-CERT’s coordinated disclosure process.

Fireware XTM includes a Web UI, which you can use to manage your XTM appliance through a web browser. One of the parameters in the firewall policy management pages (pol_name) suffers from a reflective cross-site scripting (XSS) vulnerability (CVE-2014-0338), due to it’s lack on input validation. If an attacker can trick your XTM administrator into clicking a specially crafted link, he could exploit this vulnerability to execute script in that user’s browser under the context of the XTM Web UI. Among other things, this could mean the attacker might do anything in the Web UI that your user could do.

However, it takes significant interaction for this attack to succeed. It is a reflected XSS attack, which means the attacker must trick an XTM administrator into clicking a link before the attack can take place (unless the attacker has direct access to the Web UI, and valid credentials of his own). Furthermore, the link does not bypass the Web UI authentication. This means that unless the victim is already logged into the Web UI, she would also have to enter her XTM credentials before this malicious link would work. Despite these mitigating factors, we still recommend you install 11.8.3 to fix this XSS flaw quickly.

We’d like to thank William Costa for discovering and responsibly disclosing this flaw, and thank the US-CERT team for coordinating the disclosure and response. You can find more information about this vulnerability in US-CERT’s vulnerability note

Solution Path:

WatchGuard Fireware XTM 11.8.3 corrects this security issue. We recommend you download and install 11.8.3 to fix this vulnerability. You can find more details about 11.8.3 in our release notes.

If, for some reason, you are unable to update your XTM appliances immediately, a few simple workarounds can significantly mitigate these vulnerabilities.

  • Restrict access to your appliance’s web management UI using the WatchGuard Web UI policy.  By default, our physical appliances do not allow external access to the web management UI; meaning Internet-based attackers can’t directly exploit this XSS flaw. If you like, you can fine-tune our policy even more, further limiting access. For instance, you can restrict access to very specific IP addresses or subnets,  use our user authentication capabilities to restrict access to certain users, or use our mobile VPN options to restrict access to VPN users. The more you limit access to the web interface, the less likely an attacker could directly exploit this flaw. Furthermore, this XSS attack does not bypass authentication. So even if an external attacker had access to your Web UI they’d need valid credentials to directly exploit this issue (making it a moot issue since they’d already have access to the web management interface).
  • Train administrators against clicking unsolicited links. In order to exploit this flaw, and attacker would have to trick one of your administrators into clicking a maliciously crafted link, and then entering his valid XTM management credentials. We recommend you train your XTM administrators about the dangers of clicking unsolicited links, especially ones that connect you to security appliances, and ask for additional authentication.


Are any of WatchGuard’s other products affected?

No. These flaws only affect Fireware 11.8.1 and below running on our XTM appliances.

What exactly is the vulnerability?

A reflective cross-site scripting (XSS) vulnerability (CVE-2014-0338) that could allow an attacker to run malicious script, and possibly gaining unauthorized access to your Web UI, assuming he can trick an administrator into clicking a malicious link.

Do these give attackers access to my XTM security appliance?

Potentially. The XSS vulnerability allows attackers to execute script in the context of your XTM appliance’s web UI. Attackers could leverage this to do many things, including stealing your session cookie, or designing a pop-up window designed to phish your credentials. It is possible the attacker might gain enough information to hijack your web session, or login to the web UI.

How serious is the vulnerability?

The XSS flaws poses a medium to low risk. Though attackers can use reflective XSS flaws to gain access to sensitive information, they require significant user interaction; in this case, both clicking a link and entering your credentials. This mitigating factors lessen the severity of this flaw. However, we still recommend you apply this update to fix it.

How was this vulnerability discovered?

These flaws were discovered by an external security researcher, William Costa, who reported them responsibly through US-CERT‘s coordinated disclosure process. We thank them both for working with us to keep our customers secure.

Do you have any indication that this vulnerability is being exploited in the wild?

No, at this time we have no indication that these vulnerabilities are being exploited in the wild.

Who can I contact at WatchGuard if I have more questions?

If you have further questions about this issue, or any other security concerns with WatchGuard products, please contact:

Corey Nachreiner, CISSP.
Director of Security Strategy and Research
WatchGuard Technologies, Inc.

About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.

6 Responses to “Fireware XTM 11.8.3 Update Corrects XSS Flaw”

  1. Encore un très bon poste, j’en discuterai demain avec des collègues

  2. Bon ce post va aller sur un site web perso

  3. The structure is signed by unbiased perfumer-composer Olivia Giacobetti who is
    well-known for her knack for refined, ethereal finishes, like steam of grain and drinking water for example,
    although her creative variety of expression moves beyond that.

  4. Hi there! This article couldn’t be written much better!
    Looking at this post reminds me of my previous roommate!

    He constantly kept talking about this. I most certainly will send this article to him.
    Fairly certain he’s going to have a good read.
    Thank you for sharing!

  5. Bumble and Bumble locks products keep on to elevate the things of the
    magnificence sector byy way of potential, motivation, and one of a kind items.
    Tender throat lozenges, precisely within the natural variety, consist of —
    you’ve got received executing so – propolis. Thhe bioflavenoids present in propolis improve the
    body’s immune technique, improving our resistance to ailment propolis dietary supplements the effectiveness of
    vitamin C and stimulates enzyme formation.


  1. Multiple XSS Vulnerabilities in the firewall policy management pages in WatchGuard Fireware XTM before 11.8.3 | Web Security Watch - August 5, 2014

    […] Source: CONFIRM Name:… Type: Advisory Hyperlink: […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: