FireEye Operating System (FEOS) updates that address a series of security vulnerabilities have been released for several products, FireEye announced on Tuesday.
The updates fix flaws in FEOS NX, EX, AX, FX and CM. The company advises customers to upgrade their installations to NX 7.1.1.222846, EX 7.1.1.222846, AX 7.1.0.223064, FX 7.1.0.224362 and CM 7.1.1.222846, versions that have been released on June 12, except for FX, which was made available on June 30. FireEye points out the fact that the 7.1.2 special version of CM does not contain all the fixes, which is why users should upgrade to version 7.2.0 or above.
These new versions address a total of five OpenSSL vulnerabilities that were disclosed by the OpenSSL Project on June 5. The most critical of these security holes (CVE-2014-0224) could have been exploited to decrypt traffic through man-in-the-middle (MitM) attacks. FireEye believes that its products are only affected by this particular flaw, but fixes have been implemented for the other issues as a precaution.
Silent Signal has been credited for reporting an “important” severity post-authentication command injection vulnerability in the command-line interface of the FEOS.
“An attacker could issue a special sequence of commands that would allow them to execute arbitrary shell commands in the underlying operating system of the appliance. To take advantage of this vulnerability, an attacker must be able to communicate with the SSH management interface of the appliance AND have valid login credentials, or the attacker must have physical access to the console interfaces of the appliance,” FireEye explained in its advisory.
Other FEOS flaws patched by FireEye include command and SQL injections in the Web user interface, cross-site scripting (XSS), cross-site request forgery (CSRF), and file system read and write issues. The company says it has also updated insecure third-party libraries, made some adjustments to make sure processes are not executed with privileges that are higher than necessary, and ensured that some internal services are not unnecessarily exposed via TCP/IP.
These problems were uncovered by an independent external vulnerability assessment company and they could have only been exploited by an attacker with access to the management interface. There’s no evidence that these bugs have been exploited in the wild, FireEye said. Except for the OpenSSL issues, no CVE identifiers have been assigned to the vulnerabilities.