{"id":4042,"date":"2015-12-17T02:56:11","date_gmt":"2015-12-16T18:56:11","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=4042"},"modified":"2015-12-17T02:56:24","modified_gmt":"2015-12-16T18:56:24","slug":"critical-remote-root-zero-day-fireeye-appliances","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2015\/12\/critical-remote-root-zero-day-fireeye-appliances\/","title":{"rendered":"Critical Remote Root Zero-Day In FireEye Appliances"},"content":{"rendered":"

So FireEye doesn’t have a particularly good reputation in the security community: it generally hasn’t handled responsible disclosure well, and it even took a security firm (ERNW) to court over a vulnerability disclosure<\/a>.<\/p>\n

And now there’s another critical remote root zero-day in FireEye appliances – which is scary, as these are high end devices protecting large corporations and governments from zero-days and they don’t even harden their own devices properly?<\/p>\n


FireEye ended up making a somewhat defensive post about the whole matter here – Bug Bounties, (Non) Lawsuits and Working with the Research Community<\/a> – and it does seem they are at least making an effort. But maybe that’s just because it’s Google this time and not some small security company they can push around.<\/p>\n

Simply just sending an email or getting a user to click on a link was enough to exploit a critical remote code execution vulnerability in FireEye appliances and compromise networks protected by the security products.<\/p>\n

The flaw was identified earlier this month by Google Project Zero researchers Tavis Ormandy and Natalie Silvanovich. The issue affected FireEye\u2019s Network Security (NX), Email Security (EX), Malware Analysis (AX), and File Content Security (FX) products and it was permanently patched by the vendor within two days with the release of security content version 427.334. Temporary mitigations were rolled out by the company within hours.<\/p>\n

The vulnerability, dubbed \u201c666\u201d because of its ID in the Project Zero issue tracker, plagued a module designed to analyze Java Archive (JAR) files. An attacker simply needed to send a specially crafted JAR file across a network protected by FireEye appliances. If the malicious file pretended to use string obfuscation, it would get executed by the FireEye product, Ormandy said in a blog post.<\/p>\n

An attacker could have exploited the vulnerability by sending an email containing such a JAR file to the targeted organization \u2014 it\u2019s worth noting that the email would not have to be read for the malicious code to get executed \u2014 or by getting a user to click on a link pointing to a crafted JAR file.<\/p><\/blockquote>\n