WARNING: WatchGuard released security updates addressing four vulnerabilities affecting Firebox/XTM appliances
CVE-2022-26318 (WGSA-2022-00002) - CVSS: 9.8
CVE-2022-31789 (WGSA-2022-00015) - CVSS: 9.8
CVE-2022-31790 (WGSA-2022-00017) - CVSS: 7.5
CVE-2022-31791 (WGSA-2022-00018) - CVSS: 4.4
Sources
https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2022-00002
https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2022-00015
https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2022-00017
https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2022-00018
Risks
WatchGuard released a security update addressing four vulnerabilities affecting Firebox/XTM appliances. One of them (CVE-2022-31789) is being actively exploited in the wild, and another (CVE-2022-31791) is a zero-day.
Description
CVE-2022-26318 allows an unauthenticated remote attacker to potentially execute arbitrary code via exposed management access.
CVE-2022-31789 allows an unauthenticated remote attacker to trigger a buffer overflow and potentially execute arbitrary code by sending a malicious request to exposed management ports.
CVE-2022-31790 allows an unauthenticated remote attacker to retrieve sensitive authentication server settings by sending a malicious request to exposed authentication endpoints.
CVE-2022-31791 allows an attacker to execute commands in order to escalate their privileges to the root user.
Recommended Actions
The Centre for Cyber Security Belgium recommends that administrators check whether they are running vulnerable versions of WatchGuard Firebox/XTM devices. If that is the case, the CCB strongly recommends applying the available patches as soon as possible.
- For CVE-2022-31789, CVE-2022-31790 and CVE-2022-31791 patch to Fireware OS 12.8.1, 12.5.10 and 12.1.4.
- For CVE-2022-26318 patch to Fireware OS 12.8, 12.7.2_U2, 12.5.9_U2, 12.1.3_U8.
The Centre for Cyber Security Belgium also advises against exposing unrestricted management access to the internet.
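One way to run the version check recommended above across an inventory, using the fixed releases listed in this advisory (added example, not code from WatchGuard or the CCB). It assumes a device is compared against the fixed release in its own major.minor branch and that a `_U` suffix orders after the base release; the device names and versions in the sample are constructed.

```python
import re

# Fixed Fireware OS releases exactly as listed in this advisory.
FIXED = {
    "CVE-2022-26318": ["12.8", "12.7.2_U2", "12.5.9_U2", "12.1.3_U8"],
    "CVE-2022-31789": ["12.8.1", "12.5.10", "12.1.4"],
    "CVE-2022-31790": ["12.8.1", "12.5.10", "12.1.4"],
    "CVE-2022-31791": ["12.8.1", "12.5.10", "12.1.4"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_U(\d+))?$")


def parse(version):
    """Return (major, minor, patch, update) for strings like '12.5.9_U2'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware OS version: {version!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def status(installed, cve):
    """Classify one installed version against one CVE's fixed releases."""
    have = parse(installed)
    fixes = [parse(v) for v in FIXED[cve]]
    same_branch = [f for f in fixes if f[:2] == have[:2]]
    if same_branch:
        return "patched" if have >= same_branch[0] else "needs-update"
    # Assumption: anything newer than every listed fix already contains it.
    if have > max(fixes):
        return "patched"
    # Branch has no fix listed on this page: defer to the vendor advisory.
    return "check-advisory"


def audit(inventory):
    """Map each device to the CVEs for which it is not confirmed patched."""
    report = {}
    for device, version in inventory.items():
        open_items = {c: s for c in FIXED if (s := status(version, c)) != "patched"}
        if open_items:
            report[device] = open_items
    return report


if __name__ == "__main__":
    # Constructed inventory; device names and versions are illustrative.
    sample = {"fw-brussels": "12.5.9_U2", "fw-ghent": "12.8.1", "fw-liege": "12.7.2"}
    for device, items in audit(sample).items():
        print(device, items)
```

A `check-advisory` result means the page lists no fixed release for that branch, so the WGSA advisory linked under Sources decides.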