Summary:
- This vulnerability affects: WatchGuard Fireware XTM 11.8.1 and earlier
- How an attacker exploits it: Either by enticing an XTM administrator into clicking a specially crafted link or by directly interacting with the appliance's web management UI (requires authentication)
- Impact: An attacker can execute script in the context of the XTM management web UI, which could allow him to attempt to phish your credentials or gain access to your cookies or session information
- What to do: Install Fireware XTM 11.8.3 (and limit access to the XTM web management interface)
Exposure:
Recently, we released WSM and Fireware XTM 11.8.3, which delivers many customer requested fixes and enhancements to XTM administrators. It also corrects a web application vulnerability reported to us by William Costa (a security researcher and consultant) via US-CERT's coordinated disclosure process.
Fireware XTM includes a Web UI, which you can use to manage your XTM appliance through a web browser. One of the parameters in the firewall policy management pages (pol_name) suffers from a reflective cross-site scripting (XSS) vulnerability, due to it's lack on input validation. If an attacker can trick your XTM administrator into clicking a specially crafted link, he could exploit this vulnerability to execute script in that user's browser under the context of the XTM Web UI. Among other things, this could mean the attacker might do anything in the Web UI that your user could do.
However, it takes significant interaction for this attack to succeed. It is a reflected XSS attack, which means the attacker must trick an XTM administrator into clicking a link before the attack can take place (unless the attacker has direct access to the Web UI, and valid credentials of his own). Furthermore, the link does not bypass the Web UI authentication. This means that unless the victim is already logged into the Web UI, she would also have to enter her XTM credentials before this malicious link would work. Despite these mitigating factors, we still recommend you install 11.8.3 to fix this XSS flaw quickly.
We’d like to thank William Costa for discovering and responsibly disclosing this flaw, and thank the US-CERT team for coordinating the disclosure and response. We will update this alert with links to US-CERT's advisory when available.
Solution Path:
WatchGuard Fireware XTM 11.8.3 corrects this security issue. We recommend you download and install 11.8.3 to fix this vulnerability. You can find more details about 11.8.3 in our release notes.
If, for some reason, you are unable to update your XTM appliances immediately, a few simple workarounds can significantly mitigate these vulnerabilities.
- Restrict access to your appliance's web management UI using the WatchGuard Web UI policy. By default, our physical appliances do not allow external access to the web management UI; meaning Internet-based attackers can't directly exploit this XSS flaw. If you like, you can fine-tune our policy even more, further limiting access. For instance, you can restrict access to very specific IP addresses or subnets, use our user authentication capabilities to restrict access to certain users, or use our mobile VPN options to restrict access to VPN users. The more you limit access to the web interface, the less likely an attacker could directly exploit this flaw. Furthermore, this XSS attack does not bypass authentication. So even if an external attacker had access to your Web UI they'd need valid credentials to directly exploit this issue (making it a moot issue since they'd already have access to the web management interface).
- Train administrators against clicking unsolicited links. In order to exploit this flaw, and attacker would have to trick one of your administrators into clicking a maliciously crafted link, and then entering his valid XTM management credentials. We recommend you train your XTM administrators about the dangers of clicking unsolicited links, especially ones that connect you to security appliances, and ask for additional authentication.
FAQ:
Are any of WatchGuard's other products affected?
No. These flaws only affect Fireware 11.8.1 and below running on our XTM appliances.
What exactly is the vulnerability?
A reflective cross-site scripting (XSS) vulnerability that could allow an attacker to run malicious script, and possibly gaining unauthorized access to your Web UI, assuming he can trick an administrator into clicking a malicious link.
Do these give attackers access to my XTM security appliance?
Potentially. The XSS vulnerability allows attackers to execute script in the context of your XTM appliance's web UI. Attackers could leverage this to do many things, including stealing your session cookie, or designing a pop-up window designed to phish your credentials. It is possible the attacker might gain enough information to hijack your web session, or login to the web UI.
How serious is the vulnerability?
The XSS flaws poses a medium to low risk. Though attackers can use reflective XSS flaws to gain access to sensitive information, they require significant user interaction; in this case, both clicking a link and entering your credentials. This mitigating factors lessen the severity of this flaw. However, we still recommend you apply this update to fix it.
How was this vulnerability discovered?
These flaws were discovered by an external security researcher, William Costa, who reported them responsibly through US-CERT's coordinated disclosure process. We thank them both for working with us to keep our customers secure.
Do you have any indication that this vulnerability is being exploited in the wild?
No, at this time we have no indication that these vulnerabilities are being exploited in the wild.
