Security Experts:

Critical Flaw in FireEye Appliances Exploitable by Sending an Email

Simply just sending an email or getting a user to click on a link was enough to exploit a critical remote code execution vulnerability in FireEye appliances and compromise networks protected by the security products.

The flaw was identified earlier this month by Google Project Zero researchers Tavis Ormandy and Natalie Silvanovich. The issue affected FireEye’s Network Security (NX), Email Security (EX), Malware Analysis (AX), and File Content Security (FX) products and it was permanently patched by the vendor within two days with the release of security content version 427.334. Temporary mitigations were rolled out by the company within hours.

The vulnerability, dubbed “666” because of its ID in the Project Zero issue tracker, plagued a module designed to analyze Java Archive (JAR) files. An attacker simply needed to send a specially crafted JAR file across a network protected by FireEye appliances. If the malicious file pretended to use string obfuscation, it would get executed by the FireEye product, Ormandy said in a blog post.

An attacker could have exploited the vulnerability by sending an email containing such a JAR file to the targeted organization — it’s worth noting that the email would not have to be read for the malicious code to get executed — or by getting a user to click on a link pointing to a crafted JAR file.

FireEye appliances are installed on the internal network and they passively monitor traffic. The products monitor FTP, HTTP, SMTP and other traffic and when a file transfer is detected, the file is automatically extracted and scanned for malware. This made it possible for the RCE vulnerability found by Google researchers to be exploited without user interaction.

Project Zero researchers also discovered a privilege escalation vulnerability that could have been exploited to obtain root access to a FireEye device. However, the details of this security hole have not been disclosed because the vendor has yet to release a permanent fix.

A malicious actor could have used these two vulnerabilities to load a persistent rootkit on the affected appliance, intercept traffic, steal sensitive information, insert backdoors, and move laterally across a network.

“Because FireEye devices typically have a secondary internet-connected interface for updates and management, the issue could even be wormable across the internet,” Ormandy explained.

“We are thankful for the opportunity to support the Google team in this process, will continue to support their efforts, and fully support the broader security research community’s efforts to test and improve our products,” FireEye representatives told SecurityWeek last week after the existence of the vulnerability came to light.

Google Project Zero researchers have found serious vulnerabilities in several security products, including ones from ESET, Kaspersky, Avast and Sophos. More recently, Ormandy reported finding a critical stack buffer overflow flaw in Avast products. The issue has been resolved by the antivirus company.

“This vulnerability only affected Linux and we reacted quickly to release a fix to our users. The fix was sent out via our virus definitions update, so our users weren't required to take any action,” Avast told SecurityWeek.

*Updated with statement from Avast

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.