Critical RCE bug in FireEye’s security appliances exploitable via email

Last week, FireEye silently pushed out a patch for an extremely easy-to-exploit remote code execution bug affecting its NX, EX, FX and AX Series security appliances in their default configuration.

“For networks with deployed FireEye devices, a vulnerability that can be exploited via the passive monitoring interface would be a nightmare scenario. This would mean an attacker would only have to send an email to a user to gain access to a persistent network tap – the recipient wouldn’t even have to read the email, just receiving it would be enough,” Google researcher Tavis Ormandy explained in a blog post published on Tuesday.

“A network tap is one of the most privileged machines on the network, with access to employee’s email, passwords, downloads, browsing history, confidential attachments, everything. In some deployment configurations an attacker could tamper with traffic, inserting backdoors or worse.”

This would allow the attacker to tamper with network traffic, exfiltrate sensitive enterprise data, move laterally across the network, load a rootkit, and more.

Dubbed “666”, the vulnerability was found by Ormandy and Natalie Silvanovich, both with Google Project Zero, in a module that analyzes Java JAR files.

Their research was supported by FireEye, and the company was notified of the flaw as soon as it was found. FireEye pushed out temporary mitigations mere hours later, and a final patch two days later (December 7).

The fix has been delivered via the company’s Security Content update and has been applied automatically for customers who have chosen automatic updates. “Customers who perform manual Security Content updates should update immediately,” FireEye warned.

The seriousness of the bug has also spurred FireEye to make a fix available for customers whose support contracts have expired.
