
FireEye appliances affected by a critical, easily exploitable flaw

Security experts at the Google Project Zero team have discovered a critical flaw in FireEye appliances that could be exploited via email.

A remote code execution vulnerability dubbed “666” affects FireEye appliances; attackers can exploit the flaw simply by sending an email or by tricking a user into clicking on a link.

The 666 vulnerability resides in a module designed to analyze Java Archive (JAR) files, so an attacker can exploit it by sending a specially crafted JAR file across a network protected by FireEye appliances. The flaw is referred to as “666” because of its ID in the Project Zero bug tracker.

One way to do this is to send an email containing such a JAR file to the targeted organization. It is worth noting that the email does not have to be read by the recipient for the malicious code to be executed, because the appliance analyzes the JAR archive regardless.

Alternatively, the attacker can send someone in the organization a link pointing to a crafted JAR file. FireEye appliances automatically scan files circulating on the network, and this same behavior can be abused to trigger the RCE vulnerability without user interaction.


“The FireEye MPS (Malware Protection System) is vulnerable to a remote code execution vulnerability, simply from monitoring hostile traffic. FireEye is designed to operate as a passive network tap, so that it can see all the files and emails that enter a monitored network,” states the advisory published by Project Zero. “This vulnerability allows an attacker to compromise the FireEye device, get a root shell and start monitoring all traffic on the victim network (emails, attachments, downloads, web browsing, etc). This is about the worst possible vulnerability that you can imagine for a FireEye user, it literally does not get worse than this.”

FireEye appliances are used by enterprises to monitor internal networks; they inspect FTP, HTTP, SMTP and other protocols in search of potential threats.

The exploitation of the flaw could allow attackers to compromise networks protected by the security products.

Because the appliances inspect traffic passively, the RCE vulnerability found by the Google researchers could be exploited without any user interaction.

Earlier this month, researchers Tavis Ormandy and Natalie Silvanovich of Google Project Zero announced the discovery of the critical flaw.

FireEye immediately worked to fix the security issue reported by the researchers.

The experts announced last week that they had developed a reliable exploit for a remote code execution (RCE) vulnerability affecting FireEye’s Malware Protection System (MPS).

“Because FireEye devices typically have a secondary internet-connected interface for updates and management, the issue could even be wormable across the internet,” Ormandy explained.

The researchers did not provide further technical details, but Ormandy noted on Twitter that the bug likely affected “every version ever shipped.”

According to Tavis Ormandy and Natalie Silvanovich, the issue affected FireEye’s Network Security (NX), Email Security (EX), Malware Analysis (AX), and File Content Security (FX) products. FireEye issued a temporary workaround within hours and patched the remote code execution (RCE) vulnerability within two days.

FireEye released the security content version 427.334.

The RCE flaw is not the only issue discovered by the Google Project Zero team: the experts also found a privilege escalation vulnerability that could be exploited to obtain root access to a FireEye device.

The details of this second flaw have not been disclosed because the vendor is still working on a permanent fix.

Chaining the two flaws could allow a threat actor to compromise the internal network by deploying a stealthy rootkit on the affected appliance and siphoning sensitive data from the targeted host.

Pierluigi Paganini

(Security Affairs – FireEye Appliances, hacking)
