September 30, 2023

WatchGuard has patched several vulnerabilities, rated between medium and critical severity, in two of its main firewall product lines.

Both the Firebox and XTM ranges were implicated earlier this year in several hacking attacks, with the Russian state-sponsored threat actor Sandworm abusing a privilege escalation flaw to build a botnet called Cyclops Blink, which was taken down in April.

The researchers found five vulnerabilities in the WatchGuard products, two of which were patched during their research, which is documented in a write-up published earlier this week. The three remaining flaws were a blind XPath injection that allowed the configuration of a device, including master credentials, to be retrieved; an integer overflow that allowed an attacker to execute malicious code on remote appliances; and a third vulnerability that made it possible to escalate privileges from a low-privilege user to root.

Thanks to the many security alerts generated at the time of the research, including those relating to Cyclops Blink, few WatchGuard users now have their administration interface exposed on the internet.

The XPath vulnerability, however, is reachable through the standard client interface, and as such is much more likely to be exposed; a quick Shodan search revealed around 350,000 instances. Users are advised to remove their administration interface from the internet and make sure they keep their systems up to date.

The researchers reported the vulnerabilities at the end of March. A month later, WatchGuard’s security team confirmed that a patch would be available on June 21.

This research was done and documented by researchers from Ambionics Security.
