Project Zero finds critical vulnerability in FireEye kit

Researchers on Google’s Project Zero security team have found a vulnerability in the FireEye kit that could allow an attacker to achieve remote code execution and take over computer systems.

The flaw, dubbed “666” due to its designated Project Zero vulnerability number, is a passive monitoring flaw found in FireEye’s NX, EX, FX and AX Series appliances.

The flaw was discovered by Project Zero researcher Tavis Ormandy and fellow Google Project Zero researcher Natalie Silvanovich. Ormandy describes the vulnerability as a “nightmare scenario”.

“In principle, if a user receives a malicious email or visits a malicious website, the FireEye device observes the traffic and alerts the network administrator. FireEye also make appliances specifically intended to monitor file servers and mail exchangers, among others,” says Ormandy. “For networks with deployed FireEye devices, a vulnerability that can be exploited via the passive monitoring interface would be a nightmare scenario. This would mean an attacker would only have to send an email to a user to gain access to a persistent network tap – the recipient wouldn’t even have to read the email, just receiving it would be enough.”

Apparently, FireEye managed to come up with a patch in only two days, and they are reportedly providing support even to customers whose contracts have expired.

It is critical that corporations and organizations running these boxes patch them immediately. According to Ormandy, they are at risk of “exfiltration of confidential data, tampering with traffic, lateral movement around networks and even self-propagating internet worms.”

For a more complete breakdown of how this specific vulnerability was discovered, how it can be exploited, and how it can be patched, visit the Project Zero blog.

For information on how you can prevent your organization from being breached, visit or call 714-515-4011.

