FireEye Security Devices Provide Attackers with Backdoor into Corporate Networks


FireEye security equipment can be compromised, Google finds. Two security researchers working for Google have found a simple way to compromise FireEye security appliances, the very products that are installed to stop a network's computers from being compromised.

According to Google's findings, an attacker can craft a malicious file, deliver it as an attachment or lure a user into opening a link to it, and exploit a flaw in the software that several FireEye network security products use to analyse that file.

Two zero-days: RCE and privilege escalation

Using these bugs, an attacker can execute code on a FireEye device as the mip (Malware Input Processor) user, which already holds extensive privileges, and can chain the second bug to obtain administrative (root) access to the device if needed.

The affected devices are the FireEye NX, FX, AX and EX series of network security appliances. FireEye has released patches that mitigate these issues and has also committed to assisting customers whose support contracts have expired.

All of the devices mentioned above are single-purpose appliances: they inspect network traffic and try to detect malware and other kinds of attacks.

This kind of equipment is usually deployed on large enterprise networks, where it sits between the corporate intranet and the router that carries the Internet connection.

Attackers can gain access to sensitive corporate network traffic without being detected

They are attached to a dedicated monitoring port and passively watch traffic for protocols such as HTTP, FTP and SMTP. Whenever a file transfer is seen, the device pulls a copy of the file out of the stream and scans it for malware and known exploits.

This behaviour is what an attacker can take advantage of: a malicious JAR file, sent as an email attachment or hosted on a malicious site, is picked up and processed by the appliance as soon as it crosses the monitored link.
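To make the passive-monitoring path concrete, here is an added example, not FireEye code and not taken from the Project Zero report, of the minimal pipeline such an appliance runs on an observed email: carve the attachment out of the SMTP message, recognise it as a JAR, and inspect it. The constructed email, the placeholder class bytes and all function names are assumptions made for this illustration.

```python
"""Added example: passive carving and static inspection of a JAR attachment.

Everything here is constructed for illustration; it is not FireEye's
Malware Input Processor and not the Project Zero proof of concept.
"""
from __future__ import annotations

import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage


def build_sample_jar() -> bytes:
    """Constructed sample JAR: a manifest plus one placeholder .class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: Loader\r\n\r\n")
        # Placeholder bytes, not a real class file: only the magic is right.
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
    return buf.getvalue()


def build_sample_email(jar: bytes) -> bytes:
    """Constructed sample SMTP message carrying the JAR as an attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(jar, maintype="application", subtype="java-archive",
                       filename="invoice.jar")
    return msg.as_bytes()


def extract_attachments(raw: bytes) -> list[tuple[str, bytes]]:
    """Step 1: carve every attachment out of a captured message.

    This is the point where the appliance starts working on bytes chosen
    entirely by an outsider; the recipient has not opened anything yet.
    """
    msg = message_from_bytes(raw)
    found = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            found.append((part.get_filename() or "", part.get_payload(decode=True)))
    return found


def is_jar(data: bytes) -> bool:
    """Step 2: identify a JAR by content, never by the attacker-chosen name."""
    if not data.startswith(b"PK\x03\x04"):        # ZIP local file header magic
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "META-INF/MANIFEST.MF" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def inspect_jar(data: bytes) -> dict:
    """Step 3: static inspection only.

    Reads the central directory and the manifest; deliberately never loads,
    decompiles or runs any class. Hostile entry names (absolute paths or
    '..' components) are reported rather than acted on.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        main_class = None
        for line in manifest.splitlines():
            if line.lower().startswith("main-class:"):
                main_class = line.split(":", 1)[1].strip()
        names = zf.namelist()
        classes = [n for n in names if n.endswith(".class")]
        hostile = [n for n in names if n.startswith("/") or ".." in n.split("/")]
    return {"main_class": main_class, "classes": classes, "hostile_entries": hostile}


def scan_message(raw: bytes) -> list[dict]:
    """Run the three steps over one captured message and report per attachment."""
    report = []
    for name, data in extract_attachments(raw):
        entry = {"filename": name, "is_jar": is_jar(data)}
        if entry["is_jar"]:
            entry.update(inspect_jar(data))
        report.append(entry)
    return report


if __name__ == "__main__":
    for item in scan_message(build_sample_email(build_sample_jar())):
        print(item)
```

The defensive point is in step 3: a scanner sitting on a monitoring port handles attacker-controlled files with no user interaction at all, so every analysis stage must treat the archive as data. Any stage that loads or executes the classes it finds turns the analyser into a code runner for whoever sent the email, which is the class of problem the researchers describe.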

The vulnerability is extremely dangerous for two main reasons. First, the device sees all of an enterprise's sensitive traffic. Second, the device has a separate management connection to the Internet, used to fetch updates, which a compromised appliance can use as a covert channel to exfiltrate information from the network it is supposed to protect.

“A vulnerability that can be exploited via the passive monitoring interface would be a nightmare scenario,” say the Google researchers. “This would mean an attacker would only have to send an email […] the recipient wouldn’t even have to read the email, just receiving it would be enough.”

The two researchers who found these issues are Tavis Ormandy and Natalie Silvanovich of Google's Project Zero, a team set up to research, uncover and help fix zero-day bugs in widely used software and hardware. Fittingly, the report is the 666th entry in Project Zero's bug tracker.