CVSS3: 9.8 High
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS2: 7.8 High
Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: NONE; Integrity Impact: NONE; Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
A remote and low-privileged WatchGuard Firebox or XTM user can read arbitrary system files when using the SSH interface due to an argument injection vulnerability affecting the `diagnose` command. Additionally, a remote and highly privileged user can write arbitrary system files when using the SSH interface due to an argument injection affecting the `import pac` command. Rapid7 reported these issues to WatchGuard, and the vulnerabilities were assigned CVE-2022-31749. On June 23, WatchGuard published an advisory and released patches in Fireware OS 12.8.1, 12.5.10, and 12.1.4.
WatchGuard Firebox and XTM appliances are firewall and VPN solutions ranging in form factor from tabletop, rack mounted, virtualized, and “rugged” ICS designs. The appliances share a common underlying operating system named Fireware OS.
At the time of writing, there are more than 25,000 WatchGuard appliances with their HTTP interface discoverable on Shodan. There are more than 9,000 WatchGuard appliances exposing their SSH interface.
In February 2022, GreyNoise and CISA published details of WatchGuard appliances vulnerable to CVE-2022-26318 being exploited in the wild. Rapid7 discovered CVE-2022-31749 while analyzing the WatchGuard XTM appliance for the writeup of CVE-2022-26318 on AttackerKB.
This issue was discovered by Jake Baines of Rapid7, and it is being disclosed in accordance with Rapid7’s vulnerability disclosure policy.
CVE-2022-31749 is an argument injection into the `ftpput` and `ftpget` commands. The arguments are injected when the SSH CLI prompts the attacker for a username and password when using the `diagnose` or `import pac` commands. For example:

```
WG>diagnose to ftp://test/test
Name: username
Password:
```
The “Name” and “Password” values are not sanitized before they are combined into the “ftpput” and “ftpget” commands and executed via `librmisvc.so`. Execution occurs using `execle`, so command injection isn’t possible, but argument injection is. Using this injection, an attacker can upload and download arbitrary files.
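To show the bug class from the defender's side, here is an added example (not code from librmisvc.so or from WatchGuard) that models the vulnerable pattern as one plausible reading of the description: the library formats a single `ftpput` command line from the Name/Password values and tokenises it before handing the argv to `execle()`, so a shell is never involved, yet unsanitized values still become extra arguments. Beside it is a hardened builder that validates each credential string and places it in its own argv slot. The whitespace-splitting model, the 64-character cap and the exact argument layout are assumptions, not the appliance's actual code.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 16

/* Model of the vulnerable pattern (an assumption, not librmisvc.so itself):
 * format one command line containing the user-supplied Name/Password, then
 * split it on whitespace into the argv passed to execle(). execle() never
 * invokes a shell, so shell metacharacters are inert, but every token still
 * becomes its own argv element: a value containing whitespace adds arguments
 * the caller never intended, and a value starting with '-' can be read as
 * an option by the target program. */
static int build_argv_vulnerable(char *buf, size_t len, char **argv,
                                 const char *user, const char *pass,
                                 const char *url) {
    int argc = 0;
    if (snprintf(buf, len, "ftpput -u %s -p %s %s", user, pass, url) >= (int)len)
        return -1;                       /* command line did not fit */
    for (char *tok = strtok(buf, " \t"); tok && argc < MAX_ARGS - 1;
         tok = strtok(NULL, " \t"))
        argv[argc++] = tok;
    argv[argc] = NULL;
    return argc;                         /* number of argv elements built */
}

/* Hardened: accept only credential strings that cannot be mistaken for an
 * option or split into several tokens. The 64-byte cap is an assumed limit. */
int credential_is_safe(const char *s) {
    if (!s || !*s || s[0] == '-' || strlen(s) > 64) return 0;
    for (; *s; s++)
        if (isspace((unsigned char)*s) || iscntrl((unsigned char)*s)) return 0;
    return 1;
}

/* Hardened builder: validate first, then give each value its own argv slot
 * instead of re-tokenising a formatted string. Returns -1 on rejection. */
int build_argv_hardened(char **argv, const char *user, const char *pass,
                        const char *url) {
    if (!credential_is_safe(user) || !credential_is_safe(pass)) return -1;
    const char *fixed[] = {"ftpput", "-u", user, "-p", pass, url, NULL};
    int argc = 0;
    for (; fixed[argc]; argc++) argv[argc] = (char *)fixed[argc];
    argv[argc] = NULL;
    return argc;
}
```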
File writing turns out to be less useful than an attacker would hope. The problem, from an attacker’s point of view, is that WatchGuard has locked down much of the file system, and the user can only modify a few directories: /tmp/, /pending/, and /var/run. At the time of writing, we don’t see a way to escalate the file write into code execution, though we wouldn’t rule it out as a possibility.
The low-privileged user file read is interesting because WatchGuard has a built-in low-privileged user named `status`. This user is intended to have “read-only” access to the system. In fact, historically speaking, the default password for this user was “readonly”. Using CVE-2022-31749 this low-privileged user can exfiltrate the `configd-hash.xml` file, which contains user password hashes when Firebox-DB is in use. Example:

```xml
<?xml version="1.0"?>
<users>
<version>3</version>
<user name="admin">
<enabled>1</enabled>
<hash>628427e87df42adc7e75d2dd5c14b170</hash>
<domain>Firebox-DB</domain>
<role>Device Administrator</role>
</user>
<user name="status">
<enabled>1</enabled>
<hash>dddbcb37e837fea2d4c321ca8105ec48</hash>
<domain>Firebox-DB</domain>
<role>Device Monitor</role>
</user>
<user name="wg-support">
<enabled>0</enabled>
<hash>dddbcb37e837fea2d4c321ca8105ec48</hash>
<domain>Firebox-DB</domain>
<role>Device Monitor</role>
</user>
</users>
```
The hashes are just unsalted MD4 hashes. @funoverip wrote about cracking these weak hashes using Hashcat all the way back in 2013.
Rapid7 has published a proof of concept that exfiltrates the `configd-hash.xml` file via the `diagnose` command. The following video demonstrates its use against WatchGuard XTMv 12.1.3 Update 8.
Apply the WatchGuard Fireware updates. If possible, remove internet access to the appliance’s SSH interface. Out of an abundance of caution, changing passwords after updating is a good idea.
WatchGuard thanks Rapid7 for their quick vulnerability report and willingness to work through a responsible disclosure process to protect our customers. We always appreciate working with external researchers to identify and resolve vulnerabilities in our products and we take all reports seriously. We have issued a resolution for this vulnerability, as well as several internally discovered issues, and advise our customers to upgrade their Firebox and XTM products as quickly as possible. Additionally, we recommend all administrators follow our published best practices for secure remote management access to their Firebox and XTM devices.
**March, 2022:** Discovered by Jake Baines of Rapid7
**Mar 29, 2022:** Reported to WatchGuard via support phone, issue assigned case number 01676704.
**Mar 29, 2022:** WatchGuard acknowledged follow-up email.
**April 20, 2022:** Rapid7 followed up, asking for progress.
**April 21, 2022:** WatchGuard acknowledged again they were researching the issue.
**May 26, 2022:** Rapid7 checked in on status of the issue.
**May 26, 2022:** WatchGuard indicates patches should be released in June, and asks about CVE assignment.
**May 26, 2022:** Rapid7 assigns CVE-2022-31749
**June 23, 2022:** This disclosure