FireEye patches critical vulnerability in security devices


Could be exploited through emailed attachments.

Security vendor FireEye's network security devices have been found to be vulnerable to a serious flaw that allows attackers full remote access into a target machine.

The security vendor has issued urgent patches for its NX, FX and AX devices, and is imploring customers to patch their installations as soon as possible.

Tavis Ormandy and Natalie Silvanovich of Google's Project Zero discovered that FireEye appliances decompiled Java class files, which contain low-level bytecode.

The bytecode in classes packaged into Java Archives (JARs) could be used to run arbitrary code, because of the unsafe way FireEye devices decompiled the files in order to check whether they were safe.

This means that by sending a specially crafted email attachment or making it downloadable via the web, attackers could simply make use of the passive monitoring interface on FireEye devices and gain access to "a persistent network tap".

No user interaction is required to trigger the vulnerability. 

Tricking the FireEye appliance used for testing into running potentially malicious code wasn't difficult.

"... by sending a JAR across the network, we can get FireEye to execute it simply by pretending to use string obfuscation," the researchers said.

Project Zero used a FireEye NX 7500 appliance the security vendor claims can "detect and block malicious files, communications and exploits to improve web and network security".

The researchers found a further vulnerability that allows privilege escalation in the context of the Malware Input Processor on FireEye devices. It can be abused to escalate to root (superuser) privileges, with full access to the system.

FireEye said it had requested additional time to issue a patch for the privilege escalation attack.

The security vendor was quick to respond to the issue and deployed mitigation measures to customers "within hours of our report", Google said, and completely fixed the vulnerability in two days. 

FireEye devices running security content release 427.334 or higher are not affected by the vulnerability.
