Categories: Breaking NewsHacking

FireEye Appliances affected by a critical flaw simply exploitable

Security experts at the Google Project Zero team have discovered a critical flaw in FireEye appliances that could be exploited via email.

A remote code execution vulnerability dubbed “666” affect FireEye Appliances, hackers can exploit the flaw simply by sending an email or tricking users into clicking on a link.

The 666 vulnerability resided in a module designed to analyze Java Archive (JAR) files, so the attacker can exploit it by sending a specially crafted JAR file across a network protected by FireEye appliances. The flaw has been coded “666” because of its ID in the Project Zero bug tracker.

This is possible by sending an email containing such a JAR file to the targeted organization, be aware because it is worth noting that the email would not have to be read for the malicious code to get executed because the appliances analyze the JAR archive anyway.

In the alternative, the attacker can share with someone in the organization a link pointing to a crafted JAR file. FireEye appliances automatically scan for files circulating in the network, but the same behavior could be exploited to trigger the RCE vulnerability without user interaction.

“The FireEye MPS (Malware Protection System) is vulnerable to a remote code execution vulnerability, simply from monitoring hostile traffic. FireEye is designed to operate as a passive network tap, so that it can see all the files and emails that enter a monitored network.” States the advisory published by the Project Zero. “This vulnerability allows an attacker to compromise the FireEye device, get a root shell and start monitoring all traffic on the victim network (emails, attachments, downloads, web browsing, etc). This is about the worst possible vulnerability that you can imagine for a FireEye user, it literally does not get worse than this.”

FireEye appliances are used by enterprise to monitor internal networks, they are able to monitor FTP, HTTP, SMTP and other protocols searching for potential threats.

The exploitation of the flaw could allow attackers to compromise networks protected by the security products.

This made it possible for the RCE vulnerability found by Google researchers to be exploited without user interaction.

Earlier this month, the researchers Tavis Ormandy and Natalie Silvanovich from the Google Project Zero announced the discovery of the critical flaw.

Frey immediately worked to fix the security issue reported by the hackers.

The experts announced last week that they had developed a reliable exploit for a remote code execution (RCE) vulnerability affecting FireEye’s Malware Protection System (MPS).

“Because FireEye devices typically have a secondary internet-connected interface for updates and management, the issue could even be wormable across the internet,” Ormandy explained.

Of course, they avoided providing further technical details, but Ormandy noted on Twitter that the bug likely affected “every version ever shipped.”

According to Tavis Ormandy and Natalie Silvanovich, the issue affected FireEye’s Network Security (NX), Email Security (EX), Malware Analysis (AX), and File Content Security (FX) products. The experts at FireEye promptly patched the remote code execution (RCE) vulnerability within two days even they issued a temporary workaround within hours.

FireEye released the security content version 427.334.

The flaw discovered by the Google Project Zero team is unique, the experts also discovered a privilege escalation vulnerability that could have been exploited to obtain root access to a FireEye device.

The details of this second flaw have not been disclosed because the vendor is still working on a permanent fix.

The joint exploitation of the two flaws could allow the a threat actor to compromise the internal network by deploying a stealth rootkit on the affected appliance and syphon sensitive data from the targeted host.

Pierluigi Paganini

(Security Affairs – FireEye Appliances, hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

12 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

19 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

2 days ago

This website uses cookies.