Google researchers find code-execution bug in FireEye threat-prevention devices which can give hackers complete access to networks
Almost every company installs security products to safeguard its network against threats such as intrusions and spam. Now imagine what happens when one such security device, the one meant to protect your network, has a vulnerability of its own.
Now, researchers say they have uncovered a critical vulnerability in such a product from security firm FireEye that can give attackers full network access.
Tavis Ormandy of Google's Project Zero says the team has discovered a vulnerability in FireEye's NX, EX, AX and FX series products. According to Ormandy, the flaw makes it possible for attackers to penetrate a network by sending one of its members a single malicious e-mail, even if it is never opened.
Ormandy, who has uncovered bugs in many anti-virus products in the past, says the team has informed FireEye about the bug. He explained in a blog post published Tuesday:
‘For networks with deployed FireEye devices, a vulnerability that can be exploited via the passive monitoring interface would be a nightmare scenario. This would mean an attacker would only have to send an email to a user to gain access to a persistent network tap—the recipient wouldn’t even have to read the email, just receiving it would be enough.
‘A network tap is one of the most privileged machines on the network, with access to employee’s email, passwords, downloads, browsing history, confidential attachments, everything. In some deployment configurations* an attacker could tamper with traffic, inserting backdoors or worse. Because FireEye devices typically have a secondary internet-connected interface for updates and management, the issue could even be wormable across the internet.’
The appliances passively monitor HTTP, FTP and SMTP traffic. Whenever they observe a file transfer, they extract the file and analyze it for malware, so the analysis engine processes attacker-controlled content on a machine that sees everything on the wire. Ormandy and fellow Project Zero researcher Natalie Silvanovich found a vulnerability that can be exploited through this passive monitoring interface. The researchers used the JODE Java decompiler to reverse engineer the Java Archive (JAR) files used by the FireEye devices. They then found a way to get the appliance to execute a malicious archive file by mimicking some of the features found in legitimate ones.
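The defensive lesson of the passage above is that content pulled off a tap must be parsed, not run. The following is an added example, written for this page and not code from the article, from FireEye or from Project Zero: a purely static inspector for the JAR format the appliances analyze. It treats the JAR as the ZIP container it is, checks each `.class` entry's header (the `0xCAFEBABE` magic and version fields) with plain `struct` parsing, reads the manifest, and flags path-traversal entry names, without loading any class or invoking a decompiler. The sample archive, the `com.example.Dropper` class name and the traversal entry are all constructed for the example.

```python
"""Static inspection of a Java Archive (JAR) without executing any of it.

Added example, not from the article, FireEye or Project Zero. A JAR is a
ZIP file; each class file inside starts with the magic 0xCAFEBABE followed
by a minor and a major version. Everything here is plain byte parsing: no
class loading, no decompiler, no evaluation of anything in the archive.
"""
import io
import struct
import zipfile

CLASS_MAGIC = 0xCAFEBABE


def parse_class_header(data: bytes) -> dict:
    """Return magic/minor/major from the first 8 bytes of a class file.

    Raises ValueError if the bytes do not start like a class file.
    """
    if len(data) < 8:
        raise ValueError("too short to be a class file")
    magic, minor, major = struct.unpack(">IHH", data[:8])
    if magic != CLASS_MAGIC:
        raise ValueError("bad class magic 0x%08x" % magic)
    return {"magic": magic, "minor": minor, "major": major}


def parse_manifest(text: str) -> dict:
    """Parse the main section of META-INF/MANIFEST.MF into a dict.

    Lines starting with a single space continue the previous attribute.
    """
    attrs = {}
    last = None
    for line in text.splitlines():
        if not line.strip():
            break  # blank line ends the main section
        if line.startswith(" ") and last:
            attrs[last] += line[1:]
        elif ":" in line:
            key, value = line.split(":", 1)
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def inspect_jar(blob: bytes) -> dict:
    """Statically inspect a JAR and return findings. Never runs its contents."""
    report = {"entries": [], "classes": {}, "manifest": {}, "warnings": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            name = info.filename
            report["entries"].append(name)
            # Zip-slip style names: absolute paths or ".." components
            if name.startswith("/") or ".." in name.split("/"):
                report["warnings"].append("suspicious path: " + name)
            if name.endswith(".class"):
                try:
                    report["classes"][name] = parse_class_header(zf.read(name))
                except ValueError as exc:
                    report["warnings"].append("%s: %s" % (name, exc))
            elif name == "META-INF/MANIFEST.MF":
                manifest_text = zf.read(name).decode("utf-8", "replace")
                report["manifest"] = parse_manifest(manifest_text)
    # Cross-check: a declared entry point should exist as a class entry
    if "Main-Class" in report["manifest"]:
        main_cls = report["manifest"]["Main-Class"].replace(".", "/") + ".class"
        if main_cls not in report["classes"]:
            report["warnings"].append("Main-Class %s not present" % main_cls)
    return report


def build_sample_jar() -> bytes:
    """Constructed sample: a header-only class stub, a fake .class, a traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Manifest with a continuation line (hypothetical class name)
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: com.example.\r\n Dropper\r\n\r\n")
        # Only the 8-byte header is real: magic, minor 0, major 52 (Java 8)
        zf.writestr("com/example/Dropper.class",
                    struct.pack(">IHH", CLASS_MAGIC, 0, 52) + b"\0" * 8)
        # Wrong magic: a PE header disguised with a .class name
        zf.writestr("com/example/NotReally.class", b"MZ\x90\x00 not a class")
        # Path traversal entry, as an unsafe extractor would write it
        zf.writestr("../../etc/cron.d/evil", b"* * * * * root id\n")
    return buf.getvalue()


if __name__ == "__main__":
    for warning in inspect_jar(build_sample_jar())["warnings"]:
        print(warning)
```

Nothing in the archive is ever interpreted, so a crafted entry can at most produce a warning. That is the property an analysis engine sitting on a network tap needs: whatever it does with a file beyond this kind of parsing should run in a separate, unprivileged sandbox rather than on the tap itself.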
“Putting these steps together, an attacker can send an e-mail to a user or get them to click a link, and completely compromise one of the most privileged machines on the network,” the researchers reported. “This allows exfiltration of confidential data, tampering with traffic, lateral movement around networks and even self-propagating internet worms.”
In a statement, a FireEye spokesman wrote:
On Friday December 4, FireEye was informed of and confirmed a Remote Code Execution (RCE) vulnerability impacting our NX, EX, AX, and FX products by Google Project Zero’s Tavis Ormandy. FireEye had been engaged with and was supporting the Google Project Zero team prior to this discovery around the testing of our products.
We released an automated remediation to customers just 6 hours after notification, mitigating any customer exposure by Saturday morning, December 5th and released a full, automated fix on Monday, December 7. In addition, we will be releasing a fix to support our out-of-contract customers.
We are thankful for the opportunity to support researchers in the testing of our products and will continue to support their efforts and fully support their efforts to improve our products.