Knowledge Base Digest - November 2024
Articles
Known Issues
- Trj/RansomDecoy.A false positive detections with WatchGuard Endpoint Security
- WatchGuard Endpoint Security network infrastructure causes Windows BSOD crashes in driver NNSHTTP when browsing pages
- Mobile VPN user list shows only 19 Active Directory users in WatchGuard Cloud
- WatchGuard SSLVPN and Allow SSLVPN-Users policies reset after you make Mobile VPN with SSL changes in Web UI
- Code injection protection in WatchGuard Endpoint Security causes issues for some applications
- IP addresses specified in Walled Garden settings are not accessible
- ThreatSync+ NDR Linux Collector disables automatic Ubuntu security updates
- Changes to 1-to-1 NAT do not take effect when BOVPN is configured
- WatchGuard Endpoint Security network access enforcement not supported for macOS 15.x Sequoia endpoints
- Mobile VPN with IKEv2 clients disconnect after 24 minutes on Mac devices
Knowledge Base Digest - October 2024
Articles
- Firebox does not power on
- Mobile network providers known to work with the Firebox T45-CW
- Authentication error for MFA or SAML SSO login to WatchGuard Cloud
- Error 1603 or 'patch not available' when you try to update MSXML 4.0 with WatchGuard Patch Management
- Patch Management pending installation list does not show applications installed on an endpoint for a local user
- Users cannot log in to AuthPoint password manager in Safari v18.0.1 on macOS Sequoia
Known Issues
- Users cannot authenticate to Mobile VPN with SSL
- Unable to select a certificate after it is imported by a Firebox in Fully Managed mode
- Cannot export certificate in PKCS12 format from CA Manager
- Issues occur when the Firebox reboots and resets the boot date incorrectly
- AuthPoint MFA is stuck on a blank page when I authenticate to Microsoft applications, such as Teams
WatchGuard Firebox SSO Client and Agent Vulnerabilities
On September 25, 2024, researchers from RedTeam-Pentesting.de published a report that details three vulnerabilities in the Firebox SSO Client & Agent software. The Firebox Authentication Gateway (SSO Agent) versions up to and including 12.10.2 and the Firebox Single Sign-On Client versions up to and including 12.7 are affected. These are the most recent versions of each software component. This issue only affects Firebox customers that use the SSO feature to authenticate local users and devices to the Firebox. Less than 10% of WatchGuard customers use this feature. WatchGuard is not aware of any exploit attempts in the wild.
WatchGuard Engineering is actively working on a resolution for these vulnerabilities. Administrators should review the advisories (CVE-2024-6592/WGSA-2024-00014, CVE-2024-6593/WGSA-2024-00015, CVE-2024-6594/WGSA-2024-00016) on psirt.watchguard.com for current mitigation details and future remediation instructions.
These vulnerabilities all require network access to the vulnerable components (the SSO Agent installed on a server locally and/or the SSO Clients installed on local user workstations). WatchGuard customers should follow security best practices that include installing endpoint protection and using secure methods of remote access like VPNs to limit the risk of an attacker compromising a local system.
Summary of reported vulnerabilities:
- CVE-2024-6592/WGSA-2024-00014 is a critical severity authorization bypass vulnerability in the protocol that the Firebox SSO Agent and Client use to communicate with each other. An attacker that has first gained access to the same network as the SSO Agent or an SSO Client could exploit the vulnerability to send arbitrary messages to either component. This could allow them to extract usernames and groups for authenticated users on the network, or artificially associate an arbitrary user with an IP address. This vulnerability cannot be used by an attacker to gain access to user credentials.
- CVE-2024-6593/WGSA-2024-00015 is a critical severity authentication bypass vulnerability in the Firebox SSO Agent’s Telnet management interface. An attacker that has first gained access to the same network as the SSO Agent could exploit the vulnerability to bypass authentication and access management commands on the SSO Agent. This could allow them to extract usernames and groups for authenticated users on the network, or artificially associate an arbitrary user with an IP address. This vulnerability cannot be used by an attacker to gain access to user credentials.
- CVE-2024-6594/WGSA-2024-00016 is a high severity denial of service (DoS) vulnerability in the Firebox SSO Client. An attacker that has first gained access to the same network as a device with the SSO Client installed can send malformed commands and cause the SSO Client to crash repeatedly, preventing the normal single sign-on functionality from succeeding. This vulnerability cannot be used by an attacker to gain access to user credentials.