Overall Severity: High
- These vulnerabilities affect: WatchGuard WSM and Fireware XTM 11.7.4 and earlier
- How an attacker exploits them: Either by enticing an XTM administrator into clicking a specially crafted link or by visiting the appliance’s web management UI with a malicious cookie
- Impact: In the worst case, an attacker can execute code on the XTM appliance (see mitigating factors below)
- What to do: Install WSM and Fireware XTM 11.8 (and limit access to the XTM web management interface)
Last week, we released WSM and Fireware XTM 11.8, which delivers a
number of powerful new features to XTM administrators. However, it also
fixes two externally reported security vulnerabilities. Though both
vulnerabilities have mitigating factors that somewhat limit their
severity, you should still patch them quickly.
If you haven’t already installed 11.8 for its great new features, we
recommend you install it for these security fixes. We summarize the two
WGagent is one of the processes running on an XTM appliance. Among other things, WGagent is responsible for parsing the web cookies sent to the appliance’s web management interface. It suffers from a buffer overflow
vulnerability involving its inability to handle specially crafted
cookies containing an overly long “sessionid.” By creating a maliciously
crafted cookie, and then connecting to your XTM appliance’s web
management interface (tcp port 8080), an unauthenticated attacker can
exploit this vulnerability to execute code on the appliance. Though the
WGagent process runs with low privileges (nobody) and from a chroot
jail, it does have enough privilege to access your appliance’s
configuration file and change passwords. So we consider this a
That said, one mitigating factor somewhat limits its severity. An
attacker can only exploit the flaw if he has access to your XTM
appliance’s web management interface. By default, physical XTM
appliances only allow web management access to the trusted network. As
long as you haven’t specifically changed the WatchGuard Web UI policy to allow external access, Internet-based attackers cannot exploit this flaw against you.
However, this is not the case for XTMv users (the virtual version of
our XTM platform). As a virtual appliance, XTMv has no concept of what
is internal or external until you attach its virtual interfaces to
physical ones, using your hypervisor software. To make its setup easier,
XTMv allows access to the web management UI from all interfaces. In
other words, this flaw poses a higher risk to XTMv appliances, if you
haven’t restricted the web management policy manually.
Security best practices suggest that you limit access to your security appliance’s management interfaces. If you configure the WatchGuard Web UI
policy to limit access to the management interface to only those you
trust, this flaw should pose minimal risk. In any case, we still
consider it a significant vulnerability, and recommend you upgrade to
Fireware XTM 11.8 to fix it.
We’d like to thank Jerome Nokin and Thierry Zoller from Verizon
Enterprise Solutions (GCIS Threat and Vulnerability Management) for
discovering and responsibly disclosing this flaw, and thank the CERT team for coordinating the disclosure and response.
Severity rating: High
- Reflective XSS vulnerabilities in WatchGuard Server Software’s WebCenter (CVE-2013-5702)
WebCenter is the web-based logging and reporting UI that
ships with the Server Software included with WSM. The WebCenter web
application suffers from a few cross-site scripting (XSS)
vulnerabilities involving some of its URL parameters. If an attacker
can trick your XTM or WebCenter administrator into clicking a specially
crafted link, he could exploit these vulnerabilities to execute script
in that user’s browser, under the context of the WebCenter application.
Among other things, this means the attacker could do anything in the
WebCenter application that your user could do.
However, it would take significant interaction for this attack to succeed. It is a reflected XSS
attack, which means the attacker must trick a WebCenter administrator
into clicking a link before the attack can take place. Furthermore, the
link does not bypass WebCenter’s authentication. This means that unless
the victim is already logged on to WebCenter, she would also have to
enter her WebCenter credentials before this malicious link would work.
Despite these mitigating factors, we still recommend you install 11.8 to
fix these XSS flaws quickly.
We’d like to thank Julien Ahrens of RCE Security for bringing this matter to our attention, and disclosing it responsibly.
Severity rating: Medium
WatchGuard Fireware XTM and WSM 11.8 correct both of these security
issues. We recommend you download and install 11.8 to fix these
vulnerabilities. You can find more details about 11.8 in our software announcement post.
For older appliances, such as the e-Series devices or XTM 21, 22, and 23 appliances, Fireware XTM 11.6.7 and 11.3.7 also correct this buffer overflow vulnerability.
If, for some reason, you are unable to update your XTM appliances
immediately, a few simple workarounds can significantly mitigate these
- Restrict access to your appliance’s web management UI using the WatchGuard Web UI policy. By
default, our physical appliances do not allow external access to the
web management UI; meaning Internet-based attackers can’t exploit this
cookie buffer overflow flaw. If you like, you can fine-tune our policy
even more, further limiting access. For instance, you can restrict
access to very specific IP addresses or subnets, use our user
authentication capabilities to restrict access to certain users, or use
our mobile VPN options to restrict access to VPN users. The more you
limit access, the less likely an attacker could exploit this flaw.
- Limit access to WebCenter, and train administrators against clicking unsolicited links. If
you like, you can also use your XTM appliance and local host firewall
policy to limit access to WebCenter (running on tcp port 4130 on your
WatchGuard Server). This will minimize the number of victims a
maliciously crafted link would work against. Furthermore, we recommend
you train your administrators about the dangers of clicking unsolicited
links, especially ones that connect you to security appliances, and ask
for additional authentication.
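The two checks a defender would want for the WGagent cookie issue and the first workaround above, as an added example that is not WatchGuard's code: flag web management (tcp/8080) requests whose “sessionid” cookie is far longer than any legitimate session token, and flag requests that reach the management UI from outside the trusted network the WatchGuard Web UI policy should be limited to. The request records, the trusted subnet and the length threshold are all constructed assumptions, not values from the advisory.

```python
import ipaddress

# Constructed sample: hypothetical request records from a web management
# listener (tcp/8080) as (client IP, request line, Cookie header).
# Not real WatchGuard log output.
SAMPLE_REQUESTS = [
    ("10.0.1.25", "GET /auth/login HTTP/1.1", "sessionid=3f9a2c1e7b4d"),
    ("10.0.1.26", "GET /auth/login HTTP/1.1", "lang=en; sessionid=" + "A" * 600),
    ("203.0.113.9", "GET /auth/login HTTP/1.1", "sessionid=0011aabb"),
    ("10.0.1.27", "POST /status HTTP/1.1", ""),
]

# Assumed policy values (not from the advisory): the trusted network the
# WatchGuard Web UI policy is limited to, and a generous upper bound on a
# legitimate sessionid length.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
MAX_SESSIONID_LEN = 128


def parse_cookie(header: str) -> dict:
    """Split a Cookie header into a name -> value dict (RFC 6265 style)."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")
            cookies[name.strip()] = value.strip()
    return cookies


def classify(client_ip: str, request_line: str, cookie_header: str) -> list:
    """Return alert tags for one request (empty list if nothing suspicious)."""
    alerts = []
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in TRUSTED_NETWORKS):
        alerts.append("untrusted-source")  # management UI reached from outside
    session = parse_cookie(cookie_header).get("sessionid")
    if session is not None and len(session) > MAX_SESSIONID_LEN:
        alerts.append("oversized-sessionid")  # shape of the WGagent overflow input
    return alerts


def scan(requests=SAMPLE_REQUESTS) -> list:
    """Run classify() over each record; return [(client_ip, alerts)] for flagged ones."""
    flagged = []
    for ip, line, cookie in requests:
        alerts = classify(ip, line, cookie)
        if alerts:
            flagged.append((ip, alerts))
    return flagged


if __name__ == "__main__":
    for ip, tags in scan():
        print(f"{ip}: {', '.join(tags)}")
```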
Are any of WatchGuard’s other products affected?
No. These flaws only affect our XTM appliances, and the WebCenter software that ships with WSM Server Software.
What exactly is the vulnerability?
One is a buffer overflow that allows attackers to execute code on your XTM appliance, and another is a cross-site scripting (XSS) vulnerability
that could allow an attacker to gain unauthorized access to WebCenter,
assuming he can trick an administrator into clicking a malicious link.
Do these give attackers access to my XTM security appliance?
Yes. The buffer overflow flaw could potentially give attackers access
to your XTM security appliance. Though the WGagent process involved
runs with low OS privileges, it does have enough privilege to access
your appliance’s configuration file, and to change things like your
passwords. However, attackers could only exploit this flaw if they had
access to the web management UI, which most administrators block from
the Internet. For most cases, this flaw primarily poses an internal
How serious is the vulnerability?
Mitigating circumstances aside, we consider the buffer overflow flaw a
high risk vulnerability, and recommend you update to 11.8 as soon as
possible. The XSS flaws pose lesser risk.
How was this vulnerability discovered?
These flaws were discovered by Jerome Nokin and Thierry Zoller of Verizon Enterprise Solutions, and by Julien Ahrens of RCE Security,
and were both confidentially reported to WatchGuard through a very
responsible process. We thank them all for working with us to keep our
Do you have any indication that this vulnerability is being exploited in the wild?
No, at this time we have no indication that these vulnerabilities are
being exploited in the wild. However, shortly after our alert, the
researcher who discovered the buffer overflow flaw shared his proof of
concept (PoC) exploit code publicly. This code makes it easier for
unskilled attackers to try and exploit this flaw. To make sure no one
can exploit this issue against you, we highly recommend you upgrade to
11.8, or be sure not to expose your web management interface externally.
Who can I contact at WatchGuard if I have more questions?
If you have further questions about this issue, or any other security concerns with WatchGuard products, please contact:
Corey Nachreiner, CISSP.
Director of Security Strategy and Research
WatchGuard Technologies, Inc.