Last updated at Thu, 23 Jun 2022 22:39:24 GMT
A remote and low-privileged WatchGuard Firebox or XTM user can read arbitrary system files when using the SSH interface due to an argument injection vulnerability affecting the
diagnose command. Additionally, a remote and highly privileged user can write arbitrary system files when using the SSH interface due to an argument injection affecting the
import pac command. Rapid7 reported these issues to WatchGuard, and the vulnerabilities were assigned CVE-2022-31749. On June 23, Watchguard published an advisory and released patches in Fireware OS 12.8.1, 12.5.10, and 12.1.4.
WatchGuard Firebox and XTM appliances are firewall and VPN solutions ranging in form factor from tabletop, rack mounted, virtualized, and “rugged” ICS designs. The appliances share a common underlying operating system named Fireware OS.
At the time of writing, there are more than 25,000 WatchGuard appliances with their HTTP interface discoverable on Shodan. There are more than 9,000 WatchGuard appliances exposing their SSH interface.
In February 2022, GreyNoise and CISA published details of WatchGuard appliances vulnerable to CVE-2022-26318 being exploited in the wild. Rapid7 discovered CVE-2022-31749 while analyzing the WatchGuard XTM appliance for the writeup of CVE-2022-26318 on AttackerKB.
CVE-2022-31749 is an argument injection into the
ftpget commands. The arguments are injected when the SSH CLI prompts the attacker for a username and password when using the
import pac commands. For example:
WG>diagnose to ftp://test/test Name: username Password:
The “Name” and “Password” values are not sanitized before they are combined into the “ftpput” and “ftpget” commands and executed via
librmisvc.so. Execution occurs using
execle, so command injection isn’t possible, but argument injection is. Using this injection, an attacker can upload and download arbitrary files.
File writing turns out to be less useful than an attacker would hope. The problem, from an attacker point of view, is that WatchGuard has locked down much of the file system, and the user can only modify a few directories: /tmp/, /pending/, and /var/run. At the time of writing, we don’t see a way to escalate the file write into code execution, though we wouldn’t rule it out as a possibility.
The low-privileged user file read is interesting because WatchGuard has a built-in low-privileged user named
status. This user is intended to “read-only” access to the system. In fact, historically speaking, the default password for this user was “readonly”. Using CVE-2022-31749 this low-privileged user can exfiltrate the
configd-hash.xml file, which contains user password hashes when Firebox-DB is in use. Example:
<?xml version="1.0"?> <users> <version>3</version> <user name="admin"> <enabled>1</enabled> <hash>628427e87df42adc7e75d2dd5c14b170</hash> <domain>Firebox-DB</domain> <role>Device Administrator</role> </user> <user name="status"> <enabled>1</enabled> <hash>dddbcb37e837fea2d4c321ca8105ec48</hash> <domain>Firebox-DB</domain> <role>Device Monitor</role> </user> <user name="wg-support"> <enabled>0</enabled> <hash>dddbcb37e837fea2d4c321ca8105ec48</hash> <domain>Firebox-DB</domain> <role>Device Monitor</role> </user> </users>
Rapid7 has published a proof of concept that exfiltrates the
configd-hash.xml file via the
diagnose command. The following video demonstrates its use against WatchGuard XTMv 12.1.3 Update 8.
Apply the WatchGuard Fireware updates. If possible, remove internet access to the appliance's SSH interface. Out of an abundance of caution, changing passwords after updating is a good idea.
WatchGuard thanks Rapid7 for their quick vulnerability report and willingness to work through a responsible disclosure process to protect our customers. We always appreciate working with external researchers to identify and resolve vulnerabilities in our products and we take all reports seriously. We have issued a resolution for this vulnerability, as well as several internally discovered issues, and advise our customers to upgrade their Firebox and XTM products as quickly as possible. Additionally, we recommend all administrators follow our published best practices for secure remote management access to their Firebox and XTM devices.
March, 2022: Discovered by Jake Baines of Rapid7
Mar 29, 2022: Reported to Watchguard via support phone, issue assigned case number 01676704.
Mar 29, 2022: Watchguard acknowledged follow-up email.
April 20, 2022: Rapid7 followed up, asking for progress.
April 21, 2022: WatchGuard acknowledged again they were researching the issue.
May 26, 2022: Rapid7 checked in on status of the issue.
May 26, 2022: WatchGuard indicates patches should be released in June, and asks about CVE assignment.
May 26, 2022: Rapid7 assigns CVE-2022-31749
June 23, 2022: This disclosure