Severity:High
15 December, 2011
Summary:
- This vulnerability affects: WatchGuard System Manager (WSM) v11.5.1
- How an attacker exploits it: Multiple vectors of attack, including enticing you to click a maliciously crafted link, or sending specially crafted network traffic through an XTM appliance and having you view the resulting logs in our Web UI
- Impact: In the worst case, an attacker can execute code in your browser with elevated privileges, possibly hijacking your web browser
- What to do: Install WSM 11.5.1 Update 1 at your earliest convenience
Exposure:
A few weeks ago, WatchGuard released Fireware XTM OS and WatchGuard System Manager (WSM) v11.5.1. Among other things, this release includes a newly designed Log and Report Manager Web UI, which greatly improves our logging and reporting interface, making it dramatically faster and easier to use.
However, shortly after the release of WSM v11.5.1, we learned of two privately reported and two internally discovered security issues that affect our Log and Report Manager Web UI. WSM v11.5.1 Update 1 fixes all four of those security issues. We describe these issues in a bit more detail below:
- BUG 64549: Persistent XSS Vulnerability in Log Messages (CVE-2011-4774)
The Log and Report Manager Web UI does not properly sanitize log data it retrieves from the log database, before displaying it in the Web UI. By sending specially crafted traffic through your XTM appliance (such as maliciously crafted email or FTP connections), an attacker can fill your logs with messages that contain malicious web script. When you view these logs within the Log and Report Manager Web UI, they could trigger a Cross-Site Scripting (XSS) vulnerability, which allows the attacker to execute scripts in your web browser under the context of our Web UI. Since these malicious logs would remain in your log database until you specifically deleted them, this flaw is a persistent XSS vulnerability.
In general, attackers can leverage XSS attacks to steal your web cookies, hijack your web sessions, redirect you to malicious sites, or essentially take any action you could on the vulnerable web site. In some cases, attackers can even leverage XSS attacks to hijack your web browser, and gain unauthorized access to your computer. That said, a few factors somewhat mitigate the severity of this issue. In order to exploit this flaw, an attacker would have to know you manage a WSM server with v11.5.1. He’d also have to send very specially crafted traffic through your XTM appliance, which would need policies that allow such traffic. Finally, though this attack may allow the attacker to gain elevated privilege in your web browser, it would not give the attacker access to your XTM appliance, or the ability to change firewall rules. Nonetheless, we consider this a fairly serious vulnerability, and recommend you update as soon as you can. We’d like to thank Wayne Murphy of Sec-1 for bringing this flaw to our attention.
Severity: High
- BUG 64551: Reflected XSS Vulnerability in URL Parameters (CVE-2011-4774)
The Log and Report Manager Web UI also does not properly sanitize inputs entered into certain URL parameters. By enticing you to click onto a specially crafted link, or by intercepting and modifying URL parameters, an attacker could exploit this flaw to trigger another XSS vulnerability. The impact of this flaw is the same as the one described above; an attacker can leverage it to steal web cookies, hijack your web session, or essentially take any action you could in the Log and Report Web UI. This is a reflected XSS flaw since the attack only occurs once, when you click the malicious link.
Like the flaw described above, an attacker would first have to know you manage an XTM appliance with WSM v11.5.1 to exploit this flaw. Furthermore, the attacker would then need to entice you to click a malicious link, which makes this XSS vulnerability slightly less severe than the one described above. Again, we’d like to thank Wayne Murphy of Sec-1 for bringing this flaw to our attention.
Severity: Medium
- Two Low-Severity Nessus-Reported Vulnerabilities
Our own internal tests identified two minor security issues in our Log and Report Web UI, which were reported by Nessus scans. You can learn more about these issues from the links provided below:
- Nessus Plugin ID 49067: CGI Generic HTML Injections
- Nessus Plugin ID 55976: Apache HTTP Server Byte Range DoS
In both cases, your WSM server is protected by your XTM appliance, making it unlikely that an external attacker could exploit either of these minor flaws. We believe they pose very low risk, but still recommend you apply Update 1 as soon as you can.
Severity: Low
Solution Path:
WSM v11.5.1 Update 1 fixes all four of these security issues. XTM appliance administrators who have installed WSM v11.5.1 should download and install Update 1 at their earliest convenience.
FAQ:
Are any of WatchGuard’s other products affected?
No. To our knowledge, these vulnerabilities only affect the new WSM v11.5.1 Log and Report Manager Web UI.
What exactly are the vulnerabilities?
The worst of these four vulnerabilities are the Cross-Site Scripting (XSS) vulnerabilities, which can allow attackers to execute scripts in your web browser under the context of our Web UI. In general, attackers can leverage XSS attacks to steal your web cookies, hijack your web sessions, redirect you to malicious sites, or essentially take any action you could on the vulnerable web site. In some cases, attackers can even leverage XSS attacks to hijack your web browser, and gain unauthorized access to your computer. However, attackers cannot leverage these flaws to gain access to your XTM appliance or change firewall rules.
How serious is the vulnerability?
We believe the two XSS vulnerabilities are fairly serious. However some mitigating factors will likely limit attackers from exploiting these flaws in the real world. In general, XSS flaws can be very dangerous. Tools like the Browser Exploitation Framework (BeEF) have illustrated that attackers can leverage simple XSS flaws to gain significant control of your browser, and possibly your computer. That said, attackers would have to know a lot about you and your organization to exploit these particular XSS vulnerabilities. Specifically, they’d have to know you manage a WSM v11.5.1 server, and either get you to click a link, or view a specific log message in our Web UI. This would likely only happen in a very targeted attack. Furthermore, these flaws would not give the attacker access to your XTM appliance. That said, as a security company, WatchGuard takes any vulnerability in our products very seriously. We suggest you install WSM v11.5.1 Update 1 as soon as possible.
Other than installing Update 1, is there a workaround?
Not really. Obviously, if you avoid clicking malicious phishing links, then an attacker couldn’t exploit the reflected XSS attack. However, even the most savvy security professional sometimes can click the wrong link. If you do not allow any incoming traffic through your XTM appliance, then an attacker may not be able to booby-trap your log files with specially crafted messages. However, most organizations have policies to at least allow email traffic. This alone could allow an external attacker to corrupt your logs. We highly recommend you install WSM v11.5.1 Update 1 to correct these issues.
Where can I go to get the hotfix?
WSM 11.5.1 Update 1 is currently available in the Articles & Software section of WatchGuard’s Support Center. Look for it under the Management Software section for your XTM appliance.
How was this vulnerability discovered?
Two of these vulnerabilities were discovered by Wayne Murphy of Sec-1 (@Sec1Ltd), and confidentially reported to WatchGuard. We thank Mr. Murphy for working with us to keep our customers secure. The remaining issues were discovered internally.
Do you have any indication that this vulnerability is being exploited in the wild?
No, at this time we have no indication that these vulnerabilities are being exploited in the wild, nor do we believe them likely to be in the future.
Who can I contact at WatchGuard if I have more questions?
If you have further questions about this issue, or any other security concerns with WatchGuard products, please contact:
Corey Nachreiner, CISSP.
Senior Network Security Strategist
WatchGuard Technologies, Inc.
http://www.watchguard.com
[email protected]
jingram says
Just WSM or does fireware need to be upgraded as well?
Corey Nachreiner says
This is just a WSM update. You only need to update it.
Angelos says
when i download it and try to install it, it asks that i remove the previous version… why is that? what would happen on the management server? any ideas? perhaps i downloaded the wrong one?
Angelos says
and do we need to do this on the server only? or on our management stations as well?
Corey Nachreiner says
First, sorry for the late reply. I was out for the holiday (hope you had a great holiday yourself).
WSM will need to remove the older version to install itself. You definitely should update your WSM server, but you also need to update your management servers too. Remember, one of the vulnerabilities this fixes is a XSS flaw that could be triggered when an administrator views logs via WSM. Even if the log server is on another machine, it would affect the administrator viewing logs from any WSM server. So you should update all machines running WSM.
Cheers,
Corey
Travler says
I’m getting ready to update my XTM810 from 11.4.2 to 11.5.1 by downloading the 11.5.1 files from the Watchguard download page. Can I assume that this download contains the 11.5.1 with Update 1, or will I neeed to download Update 1 separately when I’m finished? (If so, I’m not seeing where to download it from.)
Thanks!
Travler says
Nevermind! If I’d have looked a bit further, I’d have seen the Release Notes and found the big blurb with the exclamation mark telling me that Update 1 was indeed included in the current download.
Sorry for the wasted post!
Corey Nachreiner says
I’m glad to see you figured out the answer on your own, but sorry I didn’t get back to you earlier.
As you found, that latest version of WSM 11.5.1 on our site comes with Update 1. That is all you will need to fix these issues.
Note: since you are upgrading your 810 from 11.4.x to 11.5.1, you will also need to download and install the new Fireware OS 11.5.1 for you appliance. But that is just part of your normal upgrade process, and is not associated with this security fix… the Update 1 security fix is only in the WSM software, not the Fireware image.