WatchGuard Firebox Single Sign-On Agent Protocol Authorization Bypass
An incorrect authorization vulnerability in the protocol communication between the WatchGuard Authentication Gateway (aka Single Sign-On Agent) on Windows and the WatchGuard Single Sign-On Client on Windows and MacOS allows an attacker with network access to forge communications to affected components.
In the event an attacker has already gained network access, they could exploit this vulnerability to retrieve authenticated usernames and group memberships from the Single Sign-On Agent or send arbitrary account and group information to the Single Sign-On Agent for their host. This vulnerability cannot be used by an attacker to gain access to user credentials.
WatchGuard is not aware of any exploitation of this vulnerability in the wild.
This issue affects the Authentication Gateway: through 12.10.2; Windows Single Sign-On Client: through 12.7; MacOS Single Sign-On Client: through 12.5.4.
An attacker must have already established network access to exploit this vulnerability. WatchGuard recommends using Windows Firewall rules to restrict TCP port 4116 access to the Single Sign-On Client so that only the Authentication Gateway (SSO Agent) can connect, and to restrict TCP port 4114 access to the Authentication Gateway so that only the Firebox can connect.
Windows administrators can use Group Policy objects to add Windows firewall rules to their endpoints.
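The following PowerShell is an added example of the recommended port restriction, not a script from WatchGuard: it creates a scoped inbound allow rule for one SSO listener port, then flags the two things that silently defeat such a rule (a broader allow rule for the same port, and a profile whose default inbound action is not Block). The peer addresses 10.0.0.10 (SSO Agent) and 10.0.0.1 (Firebox) and the rule names are assumed values; substitute your own.

```powershell
# Added example (not WatchGuard's own script): restrict an SSO listener port to one trusted peer.
# Assumed addresses below are placeholders; replace them with your Agent and Firebox addresses.

function Restrict-SsoListener {
    param(
        [Parameter(Mandatory)] [int]    $LocalPort,    # 4116 on the SSO Client, 4114 on the SSO Agent
        [Parameter(Mandatory)] [string] $TrustedPeer,  # the only host allowed to connect
        [Parameter(Mandatory)] [string] $RuleName
    )

    # 1. Scoped allow rule: only the trusted peer may reach the port.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort $LocalPort -RemoteAddress $TrustedPeer -Action Allow `
            -Profile Domain,Private,Public | Out-Null
    }

    # 2. The scoped rule only helps if no broader enabled allow rule also covers the port
    #    (a program rule with LocalPort 'Any' counts; port ranges are not parsed here).
    $broad = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { $_.DisplayName -ne $RuleName } |
        Where-Object {
            $port = $_ | Get-NetFirewallPortFilter
            ($port.Protocol -eq 'TCP') -and
            (($port.LocalPort -eq 'Any') -or ($port.LocalPort -contains "$LocalPort"))
        }
    foreach ($r in $broad) {
        Write-Warning "Broader allow rule also exposes TCP ${LocalPort}; consider disabling: $($r.DisplayName)"
    }

    # 3. The allow rule restricts nothing if the profile's default inbound action is Allow.
    Get-NetFirewallProfile | Where-Object { $_.DefaultInboundAction -ne 'Block' } | ForEach-Object {
        Write-Warning "Profile $($_.Name) default inbound action is $($_.DefaultInboundAction); set it to Block."
    }
}

# On each endpoint running the SSO Client (assumed Agent address 10.0.0.10):
Restrict-SsoListener -LocalPort 4116 -TrustedPeer '10.0.0.10' -RuleName 'WatchGuard SSO Client - Agent only'
# On the Authentication Gateway host (assumed Firebox address 10.0.0.1):
Restrict-SsoListener -LocalPort 4114 -TrustedPeer '10.0.0.1' -RuleName 'WatchGuard SSO Agent - Firebox only'
```

For fleet-wide deployment the same allow rule can be defined once in a Group Policy object (Windows Defender Firewall with Advanced Security, inbound rules) with the remote scope set to the Agent address, instead of running the script per host.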