Security Advisory Detail

WatchGuard Firebox Single Sign-On Agent Protocol Authorization Bypass

Advisory ID: WGSA-2024-00014
CVE: CVE-2024-6592
Impact: Critical
Status: Acknowledged
Product Family: Other Software
Published Date:
Updated Date:
Workaround Available: True
CVSS Score: 9.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary

An incorrect authorization vulnerability in the protocol communication between the WatchGuard Authentication Gateway (also known as the Single Sign-On Agent) on Windows and the WatchGuard Single Sign-On Client on Windows and macOS allows an attacker with network access to forge communications to the affected components.

In the event an attacker has already gained network access, they could exploit this vulnerability to retrieve authenticated usernames and group memberships from the Single Sign-On Agent or send arbitrary account and group information to the Single Sign-On Agent for their host. This vulnerability cannot be used by an attacker to gain access to user credentials.

WatchGuard is not aware of any exploitation of this vulnerability in the wild.

Affected

This issue affects the following versions: Authentication Gateway through 12.10.2; Windows Single Sign-On Client through 12.7; macOS Single Sign-On Client through 12.5.4.

Workaround

An attacker must already have established network access to exploit this vulnerability. WatchGuard recommends using Windows Firewall rules to restrict inbound TCP port 4116 on the Single Sign-On Client so that only the Authentication Gateway (SSO Agent) can connect, and to restrict inbound TCP port 4114 on the Authentication Gateway so that only the Firebox can connect.

Windows administrators can use Group Policy objects to add Windows firewall rules to their endpoints.
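The following PowerShell is an added example of the workaround above, not WatchGuard's own script or guidance. It assumes the SSO Agent is at 10.0.0.10 and the Firebox at 10.0.0.1 (replace with your addresses), runs elevated against the local firewall policy (the same rules can be pushed by Group Policy as noted above), and disables any existing broad Allow rule for the port, because Windows Firewall lets Block rules win and a scoped Allow rule only restricts anything when no wider Allow rule remains and the profile's default inbound action is Block.

```powershell
# Added example, not WatchGuard tooling. Assumed addresses; replace them.
$SsoAgentIp = '10.0.0.10'   # assumed address of the Authentication Gateway (SSO Agent)
$FireboxIp  = '10.0.0.1'    # assumed address of the Firebox
$Role       = 'Client'      # 'Client' on SSO Client endpoints, 'Agent' on the SSO Agent host

function Restrict-InboundTcpPort {
    param(
        [Parameter(Mandatory)][int]    $Port,
        [Parameter(Mandatory)][string] $AllowedSource,
        [Parameter(Mandatory)][string] $RuleName
    )
    # Disable enabled inbound Allow rules that open this port to any source
    # (for example one created by an installer); otherwise they keep the port open.
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq "$Port" } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
        ForEach-Object {
            $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            if ($remote -eq 'Any') {
                Write-Host "Disabling broad rule '$($_.DisplayName)' for TCP $Port"
                Disable-NetFirewallRule -Name $_.Name
            }
        }
    # Allow the port only from the single expected peer; every other source
    # falls through to the profile's default inbound action.
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $Port -RemoteAddress $AllowedSource -Action Allow -Profile Any | Out-Null
}

# The scoped Allow rule only restricts access if unmatched inbound traffic is blocked.
$openProfiles = Get-NetFirewallProfile | Where-Object { $_.DefaultInboundAction -ne 'Block' }
if ($openProfiles) {
    Write-Host "Setting default inbound action to Block on: $($openProfiles.Name -join ', ')"
    Set-NetFirewallProfile -Name $openProfiles.Name -DefaultInboundAction Block
}

switch ($Role) {
    # SSO Client endpoint: TCP 4116 reachable only from the SSO Agent.
    'Client' { Restrict-InboundTcpPort -Port 4116 -AllowedSource $SsoAgentIp `
                   -RuleName 'WatchGuard SSO Client - allow SSO Agent only' }
    # Authentication Gateway host: TCP 4114 reachable only from the Firebox.
    'Agent'  { Restrict-InboundTcpPort -Port 4114 -AllowedSource $FireboxIp `
                   -RuleName 'WatchGuard SSO Agent - allow Firebox only' }
}
```

After applying, confirm the result with `Get-NetFirewallRule -DisplayName 'WatchGuard SSO*' | Get-NetFirewallAddressFilter` and by checking that the SSO Agent (or Firebox) still reaches the port while another host does not.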

Credits: Found by RedTeam Pentesting GmbH
Advisory Product List

Product Family   Product Branch            Product List
Other Software   Authentication Gateway    Authentication Gateway
Other Software   SSO Client                SSO Client