Tag Archives: Fireware

Network Security: Mining the Alphabet Soup for What Matters

The security industry likes to create acronyms – IAM, UTM, NGFW, MFA, EDR, etc. Perhaps it comes from the general human tendency to want to define complex topics simply. In an ever-changing industry like information security, these acronyms and groupings create major challenges over time. Each year there are new threats, and with that comes more innovation and different approaches to security – all of which we initially try to force into predefined groupings, often diluting the value of the evolving technologies and confusing end-users. One such example is the ongoing attempt to force network security platforms into two distinct groups: Next-Generation Firewall (NGFW) and Unified Threat Management (UTM) appliances. The confusion between the two has become so apparent that analysts at last year’s Gartner Security and Risk Management Summit held a roundtable discussion on the very topic. The fact is that most end customers just want good security that solves their network security threats – they care less about NGFW and UTM. Today, I hope to both clear up some of that confusion and share some data that quantitatively illustrates why UTM protections measurably increase your security efficacy.

UTM vs. NGFW; What’s the Difference?

At one point in time, when analysts first defined these two product segments, they had clear feature delineations in mind. At the highest level, NGFW appliances were firewalls with intrusion prevention systems (IPS) and application control, whereas UTM appliances were firewalls with IPS, antivirus (AV), URL filtering, and anti-spam capabilities. However, over time both markets have organically evolved and changed. Now both solutions share a similar core set of capabilities. For instance, some NGFW solutions have added new security controls (like malware detection), which used to fall into the UTM camp. Meanwhile, UTMs have adopted all of the security features that helped define the NGFW market—such as application control—and have even added additional new security services to the mix.

This melding of feature sets between NGFW and UTM has made it a bit more difficult to differentiate products, but I think one high level description holds true. UTM solutions focus on unifying as many security controls as possible in one place, making them easier and more cost effective to manage, whereas NGFW solutions focus on only consolidating a limited subset of controls; specifically, ones that make the most sense in certain use cases, such as in a big data center environment. In plain English, UTM solutions tend to include more types of security controls than NGFWs.

How Layered UTM Security Improves Overall Defense

In essence, UTM’s core value proposition is that it combines many security controls in one place, increasing your overall security efficacy, and making layered security attainable for some organizations that couldn’t implement it otherwise. To really appreciate this, you need to understand why layered security improves your overall defense efficacy.

Ultimately, there are two reasons UTM layered security offers the best defense:

  1. No single security control is infallible – History has proven that information security is a constant arms race. The good guys invent a new security control that blocks an attack at first, but the bad guys react and find new ways to evade those defenses. Antivirus (AV) is a great example of this. The industry started with signature-based solutions that originally did a good job, but eventually the bad guys evolved, and reacted with new evasion techniques that bypassed reactive signature-based solutions. Today, we have more advanced, behavioral-based AV solutions, but already attackers are exploring ways to trick these new solutions. The point is, no matter how great a security control might seem, attackers will find ways around it, which is why it’s important to have the additional layers of security a UTM appliance provides to pick up the slack.
  2. There are different stages to a modern, blended attack – You can break down modern network attacks into multiple stages. For example, the initial attack delivery, the exploit portion of the attack, the payload or malware delivery, the call home to the attacker, and so on. Security experts often refer to these stages as the Kill Chain. The importance of these stages is twofold. First, each stage is an additional opportunity for you to catch the attack. If you miss the first stage, you might still stop the second. Second, each of these stages requires a different type of defense. For instance, IPS isn’t intended to catch malware, but rather to block software exploits. WatchGuard’s UTM appliances break the Kill Chain by incorporating all the different types of defenses necessary for each stage of an attack, and by layering them together so that a miss at one stage doesn’t rule out a block at another stage. Simply put, the more stages of an attack you protect against, the more effective your overall defense is, even when new threats bypass one defense.

At WatchGuard we care less about what you call what we do – UTM, multi-layered security, NGFW – we care more for the fact that we have created a mechanism to catch all the various stages of a modern network attack, and by layering these protections together, we give you multiple opportunities to block the threat even when one defense fails.


Don’t Just Take My Word for It!

On a theoretical level, it’s pretty easy to understand the value that WatchGuard’s layered UTM solutions provide, but analytical, scientific-minded people require quantifiable proof before they believe in any theory. Fortunately, NSS Labs, one of the world’s leading independent security product testing laboratories, has recently released a new threat warning service and testing methodology that proves the value of layered UTM security.

NSS Labs’ Cyber Advanced Warning System (CAWS) enables vendors and end-users alike to view how effectively a variety of network security solutions are blocking real-time security threats. The system lets subscribers view the efficacy of different solutions operating under different profiles: a base profile that enables only the so-called NGFW features defined earlier in this blog, and an advanced profile in which a vendor can enable value-added UTM services such as those I described above, which we provide at WatchGuard.

WatchGuard has actively participated in the CAWS service for the past few months, and it has not only helped us increase our security efficacy, but has also provided a very quantifiable measure of why UTM defenses work. Here’s a chart showing WatchGuard’s “block rate” results for about a month of new CAWS attacks:

Figure 1: Image courtesy of NSS Labs CAWS system


In the chart above, the lower, orange line represents a traditional NGFW, which primarily uses only IPS to catch threats. The upper, muddy-yellow line represents our product using the full UTM feature set, which includes antimalware services like GAV and APT Blocker, as well as all our URL filtering services.

What’s important to note is the drop in our IPS-only block rate on January 31st. While there could be a few reasons for this, it’s typically indicative of a new attack that our IPS didn’t catch. So why would I highlight this IPS miss? Well, look at the yellow, UTM line: its block rate stays relatively high, despite the fact that IPS might have temporarily missed something new. Whether our daily IPS efficacy goes up or down, our full UTM defenses still catch well over 90% of the new threats each day. This further reinforces the importance of a layered approach to security, since dips in IPS efficacy are not unique to WatchGuard.

Some have claimed that defense-in-depth, or layered security, is dead. They make this declaration out of frustration, because lately we’ve seen so many organizations get compromised despite having some defenses. However, I believe layered security is still the most effective way to prevent the majority of attacks. Breaches will still happen because no defense is infallible, but WatchGuard’s NSS Labs CAWS testing proves that having the layered security of a UTM appliance increases your overall security efficacy, and can even successfully block an attack when one layer of security misses. — Corey Nachreiner, CISSP (@SecAdept)

New Releases: Fireware and WSM version 11.9.5

WatchGuard is pleased to announce the release of Fireware 11.9.5 and WSM 11.9.5. These maintenance releases provide many bug fixes, with full details outlined in the Release Notes and the What’s New in 11.9.5 presentation.

Dimension 1.3 Update 2

Application Control information was not correctly logged from proxy policies in version 11.9.4. Along with the new Fireware release, we have also released Dimension 1.3 Update 2, which is also required to correct this issue.

Does This Release Pertain to Me?

The Fireware release applies to all Firebox and XTM appliances, except XTM 21/21-W, 22/22-W, or 23/23-W appliances.

Software Download Center

Firebox and XTM appliance owners with active LiveSecurity can obtain this update without additional charge by downloading the applicable packages from the new and improved WatchGuard Software Download Center. Please read the Release Notes before you upgrade to understand what’s involved. Known Issues are now listed in the Knowledge Base when logged in at the WatchGuard website. Note that there is also a Beta version of 11.10 available to try out at the software download center.

Contact Information

For Sales or Support questions, you can find phone numbers for your region online. If you contact WatchGuard Technical Support, please have your registered appliance Serial Number or Partner ID available.

Don’t have an active LiveSecurity subscription for your appliance? It’s easy to renew. Contact your WatchGuard reseller today. Find a Partner.

— Brendan Patterson 

New Releases: Fireware XTM 11.9.4 and WSM 11.9.4

Fireware OS 11.9.4 and WSM 11.9.4 are now available. This maintenance release includes many bug fixes and several new enhancements. The Release Notes list all resolved issues and new enhancements in the software.

Key Highlights:

  • New Guest Services capability enables the creation of temporary accounts for hotspot access. Ideal for hotels and retail stores to provide internet access for their visitors and customers. A new guest administrator role and user interface enable front line staff to manage and create the accounts.
  • Selective inspection or bypass of encrypted web traffic (HTTPS DPI) via domain name or web category. Administrators now have more flexibility, allowing them to bypass DPI inspection of known good sites that need to remain private, such as online banking or financial applications.
  • Diagnostic report output of Branch Office VPN configurations helps with quick troubleshooting and repair of any tunnel issues.
  • SSLv3 is disabled by default to protect against man-in-the-middle attacks that could exploit the POODLE vulnerability (CVE-2014-3566).
  • Many bug fixes to improve the scalability and reliability of Single Sign-On.
  • Support for /31 and /32 subnets on external interfaces, which are commonly used in regions with shortages of IPv4 IP addresses.
  • WSM support for the new Firebox M400 and M500 models.

Full details of all changes including screenshots of new user interface are provided in the What’s New in 11.9.4 presentation [PPT].

Does this Release Pertain to Me?

This release applies to all Firebox and XTM appliances, except XTM 21/21-W, 22/22-W, or 23/23-W appliances.

New Software Download Center!

Firebox and XTM appliance owners can obtain this update without additional charge by downloading the applicable packages from the new and improved WatchGuard Software Download Center. No login is required to download the software, but you must have active LiveSecurity on the appliance to apply the upgrade. Please read the Release Notes before you upgrade, to understand what’s involved. Known issues are now listed in the Knowledge Base when accessed through the WatchGuard Portal. You must log in to see Known Issues.

If you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • Authorized WatchGuard Resellers: 206.521.8375
  • International End Users: +1.206.613.0456

WatchGuard Releases Appliance Updates to Fix OpenSSL Flaws

WatchGuard has released several important updates to software for all product lines over the past couple of weeks to address reported vulnerabilities. Last month the OpenSSL team released an update for their popular SSL/TLS package, which fixes six security vulnerabilities in their product, including a relatively serious Man-in-the-Middle (MitM) flaw. More details about these vulnerabilities and their impact are available at the WatchGuard Security Center. If you are not already signed up, we recommend that you subscribe to the blog to get regular updates about security vulnerabilities, WatchGuard products, and general security news.

Here are the releases that have been posted to patch the vulnerable version of OpenSSL.  As always, maintenance releases also include many significant bug fixes. Full details are listed in the Release Notes for each release.

  • 11.3.8 for e-Series devices
  • 11.6.8 for XTM 21, 22, and 23 devices
  • 11.7.5 for XTM devices
  • 11.8.4 for XTM and Firebox T10 devices, which is also localized into all of the WatchGuard supported languages.
  • 11.9.1 for XTM and Firebox T10 devices
  • Hotfixes for version 9.2 and 10.0 for XCS appliances
  • SSL 3.2 Update 2 for SSL 100 and 560 appliances.

Other highlights in the new Fireware 11.9.1 release include:

  • Support for default gateway on different subnet
  • Several improved warning and informational messages throughout the product

More information, including screenshots, is available in the What’s New presentation.

Do These Releases Pertain to Me?

The OpenSSL patch is available for all e-Series, XTM appliances, and Firebox T10. Please choose the version that is relevant for your environment and devices. Upgrade to 11.9.1 to get the latest enhancements to the product.

How Do I Get the Release?

e-Series, XTM, and Firebox appliances owners who have a current LiveSecurity Service subscription can obtain updates without additional charge by downloading the applicable packages from the Articles & Software section of WatchGuard’s Support Center. To make it easier to find the relevant software, be sure to uncheck the “Article” and “Known Issue” search options, and press the Go button. Select the appropriate downloads for your devices. Please read the Release Notes before you upgrade, to understand what’s involved.

If you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

Don’t have an active LiveSecurity subscription for your XTM appliance? It’s easy to renew. Contact your WatchGuard reseller today. Find a reseller.

New Releases: Fireware XTM 11.9 and Dimension 1.2

WatchGuard has posted major new software releases this month. We are pleased to announce that Fireware 11.9, WSM 11.9, and Dimension 1.2 are now available to download. WatchGuard’s newest releases give WatchGuard NGFW and UTM appliances – including XTM Series and Firebox T10 models – a host of new features. Highlights include:

APT Blocker – WatchGuard’s newest security module. Networks are vulnerable to advanced malware that relies on highly sophisticated detection evasion to hide their attacks. APT Blocker uses a cloud-based sandbox with full system emulation (CPU and memory) to detect and block advanced malware and zero day attacks that signature-only solutions miss.

WatchGuard Dimension™ is the award-winning security intelligence and visibility solution that is included at no charge with all WatchGuard network security solutions. Dimension 1.2 includes new reports for APT Blocker, performance enhancements, and translation into local languages.

Traffic Management: Fireware 11.9 enables administrators to preserve expensive Internet bandwidth connections for those business-critical applications that truly need it, with the ability to control and limit bandwidth use for applications, application categories, IP addresses, and VLANs.

Gateway Wireless Controller:  A new interactive, graphical wireless coverage map helps administrators to quickly achieve the optimal arrangement and configuration of wireless access points in their buildings.

Plus many, many more enhancements including IPv6 dynamic routing, custom DLP rules, Q-Radar SIEM integration, and custom network zones. Full details including screenshots are provided in the presentations: What’s New in 11.9 and What’s New in Dimension 1.2.

Does This Release Pertain to Me?

This release applies to the Firebox® T10 and all XTM appliances, except XTM 21/21-W, 22/22-W, and 23/23-W appliances. Please read the Fireware 11.9 Release Notes and Dimension 1.2 Release Notes before you upgrade, to understand what’s involved and to see the complete list of all resolved issues and new enhancements in the software.

How Do I Get the Release?

XTM and Firebox T10 appliance owners who have a current LiveSecurity® Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Software section of WatchGuard’s Support Center. To make it easier to find the relevant software, be sure to uncheck the “Article” and “Known Issue” search options, and press the Go button.

If you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

Don’t have an active LiveSecurity subscription for your XTM appliance? It’s easy to renew. Contact your WatchGuard reseller today. Find a reseller

Fireware XTM 11.8.3 Update Corrects XSS Flaw

Overall Severity: Medium

Summary:

  • This vulnerability affects: WatchGuard Fireware XTM 11.8.1 and earlier
  • How an attacker exploits it: Either by enticing an XTM administrator into clicking a specially crafted link or by directly interacting with the appliance’s web management UI (requires authentication)
  • Impact: An attacker can execute script in the context of the XTM management web UI, which could allow him to attempt to phish your credentials or gain access to your cookies or session information
  • What to do: Install Fireware XTM 11.8.3 (and limit access to the XTM web management interface)

Exposure:

Recently, we released WSM and Fireware XTM 11.8.3, which delivers many customer requested fixes and enhancements to XTM administrators. It also corrects a web application vulnerability reported to us by William Costa (a security researcher and consultant) via US-CERT’s coordinated disclosure process.

Fireware XTM includes a Web UI, which you can use to manage your XTM appliance through a web browser. One of the parameters in the firewall policy management pages (pol_name) suffers from a reflected cross-site scripting (XSS) vulnerability (CVE-2014-0338), due to its lack of input validation. If an attacker can trick your XTM administrator into clicking a specially crafted link, he could exploit this vulnerability to execute script in that user’s browser under the context of the XTM Web UI. Among other things, this could mean the attacker might do anything in the Web UI that your user could do.

However, it takes significant interaction for this attack to succeed. It is a reflected XSS attack, which means the attacker must trick an XTM administrator into clicking a link before the attack can take place (unless the attacker has direct access to the Web UI, and valid credentials of his own). Furthermore, the link does not bypass the Web UI authentication. This means that unless the victim is already logged into the Web UI, she would also have to enter her XTM credentials before this malicious link would work. Despite these mitigating factors, we still recommend you install 11.8.3 to fix this XSS flaw quickly.
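As an added illustration (not the Fireware Web UI's actual code, which the advisory does not show), here is the pattern it describes in miniature: a hypothetical handler that reflects a pol_name request parameter into HTML verbatim, beside one that HTML-encodes the value first so browser-active characters reach the page as text rather than markup. The function names, buffer sizes and the sample policy name are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (hypothetical): the request parameter is dropped into
 * the page unchanged, so a value containing markup is rendered as markup. */
int render_policy_unsafe(const char *pol_name, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "<h2>Policy: %s</h2>", pol_name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Replace the five characters that can change HTML context with entities.
 * Returns the encoded length, or -1 if the output buffer is too small. */
int html_escape(const char *in, char *out, size_t outlen)
{
    size_t used = 0;
    if (outlen == 0)
        return -1;
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (used + rl >= outlen)      /* keep room for the terminator */
            return -1;
        memcpy(out + used, rep, rl);
        used += rl;
    }
    out[used] = '\0';
    return (int)used;
}

/* Hardened pattern: encode on output, right where the value meets HTML. */
int render_policy_safe(const char *pol_name, char *out, size_t outlen)
{
    char enc[256];
    if (html_escape(pol_name, enc, sizeof enc) < 0)
        return -1;
    int n = snprintf(out, outlen, "<h2>Policy: %s</h2>", enc);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    /* Constructed sample input: a policy name carrying a script tag. */
    const char *name = "Web<script>x</script>";
    char page[512];

    render_policy_unsafe(name, page, sizeof page);
    printf("unsafe: %s\n", page);   /* the tag survives as live markup */
    render_policy_safe(name, page, sizeof page);
    printf("safe:   %s\n", page);   /* the tag is shown as literal text */
    return 0;
}
```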

We’d like to thank William Costa for discovering and responsibly disclosing this flaw, and thank the US-CERT team for coordinating the disclosure and response. You can find more information about this vulnerability in US-CERT’s vulnerability note.

Solution Path:

WatchGuard Fireware XTM 11.8.3 corrects this security issue. We recommend you download and install 11.8.3 to fix this vulnerability. You can find more details about 11.8.3 in our release notes.

If, for some reason, you are unable to update your XTM appliances immediately, a few simple workarounds can significantly mitigate these vulnerabilities.

  • Restrict access to your appliance’s web management UI using the WatchGuard Web UI policy. By default, our physical appliances do not allow external access to the web management UI, meaning Internet-based attackers can’t directly exploit this XSS flaw. If you like, you can fine-tune our policy even more, further limiting access. For instance, you can restrict access to very specific IP addresses or subnets, use our user authentication capabilities to restrict access to certain users, or use our mobile VPN options to restrict access to VPN users. The more you limit access to the web interface, the less likely an attacker could directly exploit this flaw. Furthermore, this XSS attack does not bypass authentication. So even if an external attacker had access to your Web UI, they’d need valid credentials to directly exploit this issue (making it a moot issue since they’d already have access to the web management interface).
  • Train administrators against clicking unsolicited links. In order to exploit this flaw, an attacker would have to trick one of your administrators into clicking a maliciously crafted link, and then entering his valid XTM management credentials. We recommend you train your XTM administrators about the dangers of clicking unsolicited links, especially ones that connect you to security appliances and ask for additional authentication.

FAQ:

Are any of WatchGuard’s other products affected?

No. These flaws only affect Fireware 11.8.1 and below running on our XTM appliances.

What exactly is the vulnerability?

A reflected cross-site scripting (XSS) vulnerability (CVE-2014-0338) that could allow an attacker to run malicious script, and possibly gain unauthorized access to your Web UI, assuming he can trick an administrator into clicking a malicious link.

Do these give attackers access to my XTM security appliance?

Potentially. The XSS vulnerability allows attackers to execute script in the context of your XTM appliance’s web UI. Attackers could leverage this to do many things, including stealing your session cookie, or creating a pop-up window designed to phish your credentials. It is possible the attacker might gain enough information to hijack your web session, or log in to the web UI.

How serious is the vulnerability?

The XSS flaw poses a medium to low risk. Though attackers can use reflected XSS flaws to gain access to sensitive information, they require significant user interaction; in this case, both clicking a link and entering your credentials. These mitigating factors lessen the severity of this flaw. However, we still recommend you apply this update to fix it.

How was this vulnerability discovered?

These flaws were discovered by an external security researcher, William Costa, who reported them responsibly through US-CERT’s coordinated disclosure process. We thank them both for working with us to keep our customers secure.

Do you have any indication that this vulnerability is being exploited in the wild?

No, at this time we have no indication that these vulnerabilities are being exploited in the wild.

Who can I contact at WatchGuard if I have more questions?

If you have further questions about this issue, or any other security concerns with WatchGuard products, please contact:

Corey Nachreiner, CISSP.
Director of Security Strategy and Research
WatchGuard Technologies, Inc.
http://www.watchguard.com
corey.nachreiner@watchguard.com

New Release: Fireware XTM 11.8.3 and WSM 11.8.3

WatchGuard is pleased to announce that Fireware XTM OS 11.8.3 and WSM 11.8.3 are now available. The Release Notes list all resolved issues and new enhancements in the software.

Highlights include:

  • An updated Gateway Wireless Controller dashboard in the WebUI now gives you connection information for your AP devices and the clients connected to your AP devices, including manufacturer details.
  • Support for the new Firebox T10
  • A fix for a cross-site scripting vulnerability (CERT VU#807134) in the Web UI
  • Support for Netgear 341U 3G/4G modem.

Full details including screenshots are provided in the What’s New in 11.8.3 presentation.

Does This Release Pertain to Me?

This release applies to all XTM appliances, except XTM 21/21-W, 22/22-W, or 23/23-W appliances. If you or your customers need one of the bugfixes or new enhancements we recommend upgrading to the 11.8.3 release. Please read the Release Notes before you upgrade, to understand what’s involved.

How Do I Get the Release?

XTM appliances owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Software section of WatchGuard’s Support Center. To make it easier to find the relevant software, be sure to uncheck the “Article”, “Support Alerts”, and “Known Issue” search options, and press the Go button.

If you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

Don’t have an active LiveSecurity subscription for your XTM appliance? It’s easy to renew. Contact your WatchGuard reseller today. Find a reseller.

WatchGuard Fireware XTM 11.8.1 and WSM 11.8.1

WatchGuard is pleased to announce Fireware XTM OS 11.8.1 and WSM 11.8.1. This update includes many bugfixes and some new enhancements. 

Highlights of new enhancements include:

  • Customizable authentication page
  • FireCluster for XTMv appliances
  • Secondary network support on an existing trusted or optional VLAN
  • Ability to static NAT from optional to trusted networks
  • Some enhancements to better support ISP setup. For example, the ability to send and enforce static IP addresses during PPPoE negotiation
  • WatchGuard Management Servers high availability with a Windows Server cluster.
  • Support for Sierra Wireless 320U 3G/4G USB modems
  • The ability to update WatchGuard AP firmware from the Gateway Wireless Controller UI, out of cycle with XTM firmware updates.

You can find more details about 11.8.1 in our Release Notes, as well as additional information, including screenshots, in our What’s New in 11.8.1 presentation [PPT].

Does This Release Pertain to Me?

This release applies to all XTM appliances, except XTM 21/21-W, 22/22-W, or 23/23-W appliances. If you or your customers need one of the bugfixes or new enhancements we recommend upgrading to the 11.8.1 release.

Please read the Release Notes before you upgrade, to understand what’s involved.

How Do I Get the Release?

XTM appliances owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Software section of WatchGuard’s Support Center. To make it easier to find the relevant software, be sure to uncheck the “Article” and “Known Issue” search options, and press the Go button.

If you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

Don’t have an active LiveSecurity subscription for your XTM appliance? It’s easy to renew. Contact your WatchGuard reseller today. Find a reseller.

WatchGuard posts maintenance releases for e-Series and XTM 21/22/23 appliances.

WatchGuard has posted Fireware XTM OS 11.3.7 for e-Series and 11.6.7 for XTM 21/22/23 appliances. Along with providing significant bug fixes, these releases enable Commtouch as the anti-spam solution provider. Both releases also include a fix for the buffer overflow vulnerability reported last week at WatchGuard Security Center. The Release Notes provide a complete list of all issues resolved in each software release.

Note: There is no corresponding update to WSM.

Does This Release Pertain to Me?

Customers with an XTM 21/21-W, 22/22-W, or 23/23-W appliance should upgrade to version 11.6.7. Customers with e-Series appliances should upgrade to 11.3.7.

Please read the 11.6.7 Release Notes and the 11.3.7 Release Notes before you upgrade, to understand what’s involved.

Note: These updates do not apply to customers with XTM 25 or higher appliances.

How Do I Get the Release?

XTM appliances owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Support section of WatchGuard’s Support Center. To make it easier to find the relevant software, be sure to uncheck the “Article” and “Known Issue” search options, and press the Go button.

If you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

Don’t have an active LiveSecurity subscription for your XTM appliance? It’s easy to renew. Contact your WatchGuard reseller today. Find a reseller.

WatchGuard’s XTM 11.8 Software Fixes Buffer Overflow & XSS Vulnerabilities

Overall Severity: High

Summary:

  • These vulnerabilities affect: WatchGuard WSM and Fireware XTM 11.7.4 and earlier
  • How an attacker exploits them: Either by enticing an XTM administrator into clicking a specially crafted link or by visiting the appliance’s web management UI with a malicious cookie
  • Impact: In the worst case, an attacker can execute code on the XTM appliance (see mitigating factors below)
  • What to do: Install WSM and Fireware XTM 11.8 (and limit access to the XTM web management interface)

Exposure:

Last week, we released WSM and Fireware XTM 11.8, which delivers a number of powerful new features to XTM administrators. However, it also fixes two externally reported security vulnerabilities. Though both vulnerabilities have mitigating factors that somewhat limit their severity, you should still patch them quickly.

If you haven’t already installed 11.8 for its great new features, we recommend you install it for these security fixes. We summarize the two vulnerabilities below:

WGagent is one of the processes running on an XTM appliance. Among other things, WGagent is responsible for parsing the web cookies sent to the appliance’s web management interface. It suffers from a buffer overflow vulnerability caused by its inability to handle specially crafted cookies containing an overly long “sessionid.” By creating a maliciously crafted cookie and then connecting to your XTM appliance’s web management interface (TCP port 8080), an unauthenticated attacker can exploit this vulnerability to execute code on the appliance. Though the WGagent process runs with low privileges (nobody) and from a chroot jail, it does have enough privilege to access your appliance’s configuration file and change passwords. So we consider this a significant vulnerability.
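As an added illustration (not WGagent’s code; the 32-byte buffer and all function names are assumptions), the C below shows the unsafe fixed-buffer copy pattern behind this class of bug beside a length-checked parser for the sessionid cookie value that fails closed on oversized input:

```c
#include <stdbool.h>
#include <string.h>

/* Constructed illustration, not WGagent's code: a minimal parser that pulls
 * the "sessionid" value out of an HTTP Cookie header. The 32-byte buffer
 * and all function names are assumptions. */
#define SESSIONID_MAX 32            /* assumed fixed-size destination buffer */

/* Length of the sessionid value (up to ';' or end), *start set; 0 if absent. */
static size_t find_sessionid(const char *cookie, const char **start) {
    const char *p = cookie;
    while ((p = strstr(p, "sessionid=")) != NULL) {
        /* Match only a whole cookie name: start of header or after ';'/' '. */
        if (p == cookie || p[-1] == ';' || p[-1] == ' ') {
            p += strlen("sessionid=");
            const char *end = strchr(p, ';');
            *start = p;
            return end ? (size_t)(end - p) : strlen(p);
        }
        p += strlen("sessionid=");
    }
    return 0;
}

/* Vulnerable pattern: copy into char buf[SESSIONID_MAX] with no length check.
 * Rather than do that unsafe copy, report whether it would overrun the buffer. */
bool unchecked_copy_would_overflow(const char *cookie) {
    const char *v = NULL;
    size_t n = find_sessionid(cookie, &v);
    return n != 0 && n + 1 > SESSIONID_MAX;   /* +1 for the NUL terminator */
}

/* Hardened version: check the length before copying and fail closed. */
bool extract_sessionid(const char *cookie, char out[SESSIONID_MAX]) {
    const char *v = NULL;
    size_t n = find_sessionid(cookie, &v);
    if (n == 0 || n + 1 > SESSIONID_MAX) {
        return false;               /* absent, empty, or does not fit */
    }
    memcpy(out, v, n);
    out[n] = '\0';
    return true;
}

/* True if the hardened parser accepts the header and yields `expected`. */
bool sessionid_equals(const char *cookie, const char *expected) {
    char buf[SESSIONID_MAX];
    return extract_sessionid(cookie, buf) && strcmp(buf, expected) == 0;
}
```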

That said, one mitigating factor somewhat limits its severity. An attacker can only exploit the flaw if he has access to your XTM appliance’s web management interface. By default, physical XTM appliances only allow web management access to the trusted network. As long as you haven’t specifically changed the WatchGuard Web UI policy to allow external access, Internet-based attackers cannot exploit this flaw against you.

However, this is not the case for XTMv users (the virtual version of our XTM platform). As a virtual appliance, XTMv has no concept of what is internal or external until you attach its virtual interfaces to physical ones, using your hypervisor software. To make its setup easier, XTMv allows access to the web management UI from all interfaces. In other words, this flaw poses a higher risk to XTMv appliances if you haven’t restricted the web management policy manually.

Security best practices suggest that you limit access to your security appliance’s management interfaces. If you configure the WatchGuard Web UI policy to limit access to the management interface to only those you trust, this flaw should pose minimal risk. In any case, we still consider it a significant vulnerability, and recommend you upgrade to Fireware XTM 11.8 to fix it.

We’d like to thank Jerome Nokin and Thierry Zoller from Verizon Enterprise Solutions (GCIS Threat and Vulnerability Management) for discovering and responsibly disclosing this flaw, and thank the CERT team for coordinating the disclosure and response.

Update: If you’d like to read a very detailed report on how the researcher found this vulnerability, visit his blog.

Severity rating: High

  • Reflective XSS vulnerabilities in WatchGuard Server Software’s WebCenter (CVE-2013-5702)

WebCenter is the web-based logging and reporting UI that ships with the Server Software included with WSM. The WebCenter web application suffers from a few cross-site scripting (XSS) vulnerabilities involving some of its URL parameters. If an attacker can trick your XTM or WebCenter administrator into clicking a specially crafted link, he could exploit these vulnerabilities to execute script in that user’s browser, under the context of the WebCenter application. Among other things, this means the attacker could do anything in the WebCenter application that your user could do.

However, it would take significant interaction for this attack to succeed. It is a reflected XSS attack, which means the attacker must trick a WebCenter administrator into clicking a link before the attack can take place. Furthermore, the link does not bypass WebCenter’s authentication. This means that unless the victim is already logged on to WebCenter, she would also have to enter her WebCenter credentials before this malicious link would work. Despite these mitigating factors, we still recommend you install 11.8 to fix these XSS flaws quickly.

We’d like to thank Julien Ahrens of RCE Security for bringing this matter to our attention, and disclosing it responsibly.

Severity rating: Medium

Solution Path:

WatchGuard Fireware XTM and WSM 11.8 correct both of these security issues. We recommend you download and install 11.8 to fix these vulnerabilities. You can find more details about 11.8 in our software announcement post.

For older appliances, such as the e-Series devices or the XTM 21, 22, and 23 appliances, Fireware XTM 11.6.7 and 11.3.7 also correct this buffer overflow vulnerability.

If, for some reason, you are unable to update your XTM appliances immediately, a few simple workarounds can significantly mitigate these vulnerabilities.

  • Restrict access to your appliance’s web management UI using the WatchGuard Web UI policy. By default, our physical appliances do not allow external access to the web management UI, meaning Internet-based attackers can’t exploit this cookie buffer overflow flaw. If you like, you can fine-tune our policy even more, further limiting access. For instance, you can restrict access to very specific IP addresses or subnets, use our user authentication capabilities to restrict access to certain users, or use our mobile VPN options to restrict access to VPN users. The more you limit access, the less likely an attacker could exploit this flaw.
  • Limit access to WebCenter, and train administrators against clicking unsolicited links. If you like, you can also use your XTM appliance and local host firewall policy to limit access to WebCenter (running on TCP port 4130 on your WatchGuard Server). This will minimize the number of victims a maliciously crafted link would work against. Furthermore, we recommend you train your administrators about the dangers of clicking unsolicited links, especially ones that connect you to security appliances and ask for additional authentication.

FAQ:

Are any of WatchGuard’s other products affected?

No. These flaws only affect our XTM appliances, and the WebCenter software that ships with WSM Server Software.

What exactly is the vulnerability?

One is a buffer overflow that allows attackers to execute code on your XTM appliance, and the other is a cross-site scripting (XSS) vulnerability that could allow an attacker to gain unauthorized access to WebCenter, assuming he can trick an administrator into clicking a malicious link.

Do these give attackers access to my XTM security appliance?

Yes. The buffer overflow flaw could potentially give attackers access to your XTM security appliance. Though the WGagent process involved runs with low OS privileges, it does have enough privilege to access your appliance’s configuration file, and to change things like your passwords. However, attackers could only exploit this flaw if they had access to the web management UI, which most administrators block from the Internet. In most cases, this flaw primarily poses an internal risk.

How serious is the vulnerability?

Mitigating circumstances aside, we consider the buffer overflow flaw a high-risk vulnerability, and recommend you update to 11.8 as soon as possible. The XSS flaws pose lesser risk.

How was this vulnerability discovered?

These flaws were discovered by Jerome Nokin and Thierry Zoller of Verizon Enterprise Solutions, and by Julien Ahrens of RCE Security, and were both confidentially reported to WatchGuard through a very responsible process. We thank them all for working with us to keep our customers secure.

Do you have any indication that this vulnerability is being exploited in the wild?

No, at this time we have no indication that these vulnerabilities are being exploited in the wild. However, shortly after our alert, the researcher who discovered the buffer overflow flaw shared his proof of concept (PoC) exploit code publicly. This code makes it easier for unskilled attackers to try to exploit this flaw. To make sure no one can exploit this issue against you, we highly recommend you upgrade to 11.8, or be sure not to expose your web management interface externally.

Who can I contact at WatchGuard if I have more questions?

If you have further questions about this issue, or any other security concerns with WatchGuard products, please contact:

Corey Nachreiner, CISSP.
Director of Security Strategy and Research
WatchGuard Technologies, Inc.
http://www.watchguard.com
corey.nachreiner@watchguard.com