oss-sec mailing list archives
CVE-2022-31790 CVE-2022-31789: Watchguard XTM/Firebox firewalls: Multiple vulnerabilities
From: Charles Fol <c.fol () lexfo fr>
Date: Tue, 30 Aug 2022 16:25:12 +0200
Hello,While performing a red-team assessment we discovered a few vulnerabilities on Watchguard firewalls of the XTM/Firebox brand:
Here are the different CVEs and WSGA references for the bugs: - Xpath time-based injection in wgcgi: CVE-2022-31790, WSGA-2022-00017- Integer overflow leading to UAF/overflow in wgagent: CVE-2022-31789, WSGA-2022-00015
- Local privilege escalation from nobody to root: WSGA-2022-00018Combined, the two latter bugs lead to pre-authentication remote code execution as root on XTM/Firebox devices. Although the second bug is present in both XTM and Firebox models, the exploitation differs as the libc (ptmalloc) version is different, (respectively 2.19 and 2.28).
A very in-depth blog-post is available here: https://www.ambionics.io/blog/hacking-watchguard-firewalls References: https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2022-00015 https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2022-00017 https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2022-00018 Regards, Charles
Current thread:
- CVE-2022-31790 CVE-2022-31789: Watchguard XTM/Firebox firewalls: Multiple vulnerabilities Charles Fol (Aug 30)
- Re: CVE-2022-31790 CVE-2022-31789: Watchguard XTM/Firebox firewalls: Multiple vulnerabilities Moritz Mühlenhoff (Aug 30)
- Re: CVE-2022-31790 CVE-2022-31789: Watchguard XTM/Firebox firewalls: Multiple vulnerabilities Roxana Bradescu (Sep 01)
- Re: CVE-2022-31790 CVE-2022-31789: Watchguard XTM/Firebox firewalls: Multiple vulnerabilities Moritz Mühlenhoff (Aug 30)