When you're a Fortune 500 company that's a favorite target of sophisticated hackers, it often makes sense to install security appliances at the outer edges of your network to stop attacks before they get far.
Now, researchers say they have uncovered a vulnerability in such a product from security firm FireEye that can give attackers full network access.
The vulnerability, which is on by default in the NX, EX, AX, FX series of FireEye products, was FireEye last week, after researchers from Google's Project Zero privately reported it. It made it possible for attackers to penetrate a network by sending one of its members a single malicious e-mail, even if it's never opened. It's not uncommon for outsiders to find such critical flaws in a security product. Still, the proof-of-concept exploit underscores that such game-over threats often extend to some of a network's most critical equipment. As Google employee Tavis Ormandy explained in a blog post published Tuesday:
The devices are supposed to passively monitor network traffic from HTTP, FTP, SMTP connections. In instances where there's a file transfer, the security appliance will scan it for malware. Ormandy and fellow Project Zero researcher Natalie Silvanovich found a vulnerability that can be exploited through such a passive monitoring interface. The researchers used the JODE Java decompiler to reverse engineer Java Archive files used by the FireEye devices. They then figured out a way to get the appliance to execute a malicious archive file by mimicking some of the same features found in legitimate ones.
"Putting these steps together, an attacker can send an e-mail to a user or get them to click a link, and completely compromise one of the most privileged machines on the network," the researchers reported. "This allows exfiltration of confidential data, tampering with traffic, lateral movement around networks and even self-propagating internet worms." In a statement, a FireEye spokesman wrote:
FireEye users should make sure their device is running security content release 427.334 or higher. The larger point is that highly privileged devices—and in some cases even normal antivirus software running on PCs—that are supposed to provide the last line of defense can also operate as the single point of failure that undoes most or all of an organization's other defenses.
If Google researchers can figure this out, so too can hackers working for criminal enterprises and governmental agencies. The answer isn't necessarily to avoid such products, but it does mean people should recognize the risks and make informed decisions about whether the products ultimately make users more or less vulnerable.