Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Critical Flaw in FireEye Appliances Exploitable by Sending an Email

Simply just sending an email or getting a user to click on a link was enough to exploit a critical remote code execution vulnerability in FireEye appliances and compromise networks protected by the security products.

Simply just sending an email or getting a user to click on a link was enough to exploit a critical remote code execution vulnerability in FireEye appliances and compromise networks protected by the security products.

The flaw was identified earlier this month by Google Project Zero researchers Tavis Ormandy and Natalie Silvanovich. The issue affected FireEye’s Network Security (NX), Email Security (EX), Malware Analysis (AX), and File Content Security (FX) products and it was permanently patched by the vendor within two days with the release of security content version 427.334. Temporary mitigations were rolled out by the company within hours.

The vulnerability, dubbed “666” because of its ID in the Project Zero issue tracker, plagued a module designed to analyze Java Archive (JAR) files. An attacker simply needed to send a specially crafted JAR file across a network protected by FireEye appliances. If the malicious file pretended to use string obfuscation, it would get executed by the FireEye product, Ormandy said in a blog post.

An attacker could have exploited the vulnerability by sending an email containing such a JAR file to the targeted organization — it’s worth noting that the email would not have to be read for the malicious code to get executed — or by getting a user to click on a link pointing to a crafted JAR file.

FireEye appliances are installed on the internal network and they passively monitor traffic. The products monitor FTP, HTTP, SMTP and other traffic and when a file transfer is detected, the file is automatically extracted and scanned for malware. This made it possible for the RCE vulnerability found by Google researchers to be exploited without user interaction.

Project Zero researchers also discovered a privilege escalation vulnerability that could have been exploited to obtain root access to a FireEye device. However, the details of this security hole have not been disclosed because the vendor has yet to release a permanent fix.

A malicious actor could have used these two vulnerabilities to load a persistent rootkit on the affected appliance, intercept traffic, steal sensitive information, insert backdoors, and move laterally across a network.

“Because FireEye devices typically have a secondary internet-connected interface for updates and management, the issue could even be wormable across the internet,” Ormandy explained.

“We are thankful for the opportunity to support the Google team in this process, will continue to support their efforts, and fully support the broader security research community’s efforts to test and improve our products,” FireEye representatives told SecurityWeek last week after the existence of the vulnerability came to light.

Google Project Zero researchers have found serious vulnerabilities in several security products, including ones from ESET, Kaspersky, Avast and Sophos. More recently, Ormandy reported finding a critical stack buffer overflow flaw in Avast products. The issue has been resolved by the antivirus company.

“This vulnerability only affected Linux and we reacted quickly to release a fix to our users. The fix was sent out via our virus definitions update, so our users weren’t required to take any action,” Avast told SecurityWeek.

*Updated with statement from Avast

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.