WatchGuard Firebox SSO Client and Agent Vulnerabilities
On September 25, 2024, researchers from RedTeam-Pentesting.de published a report that details three vulnerabilities in the Firebox SSO Client & Agent software. The Firebox Authentication Gateway (SSO Agent) versions up to and including 12.10.2 and the Firebox Single Sign-On Client versions up to and including 12.7 are affected. These are the most recent versions of each software component. This issue only affects Firebox customers that use the SSO feature to authenticate local users and devices to the Firebox. Less than 10% of WatchGuard customers use this feature. WatchGuard is not aware of any exploit attempts in the wild.
WatchGuard Engineering is actively working on a resolution for these vulnerabilities. Administrators should review the advisories (CVE-2024-6592/WGSA-2024-00014, CVE-2024-6593/WGSA-2024-00015, CVE-2024-6594/WGSA-2024-00016) on psirt.watchguard.com for current mitigation details and future remediation instructions.
These vulnerabilities all require network access to the vulnerable components (the SSO Agent installed on a server locally and/or the SSO Clients installed on local user workstations). WatchGuard customers should follow security best practices that include installing endpoint protection and using secure methods of remote access like VPNs to limit the risk of an attacker compromising a local system.
Summary of reported vulnerabilities:
- CVE-2024-6592/WGSA-2024-00014 is a critical severity authorization bypass vulnerability in the protocol that the Firebox SSO Agent and Client use to communicate with each other. An attacker that has first gained access to the same network as the SSO Agent or an SSO Client could exploit the vulnerability to send arbitrary messages to either component. This could allow them to extract usernames and groups for authenticated users on the network, or artificially associate an arbitrary user with an IP address. This vulnerability cannot be used by an attacker to gain access to user credentials.
- CVE-2024-6593/WGSA-2024-00015 is a critical severity authentication bypass vulnerability in the Firebox SSO Agent’s Telnet management interface. An attacker that has first gained access to the same network as the SSO Agent could exploit the vulnerability to bypass authentication and access management commands on the SSO Agent. This could allow them to extract usernames and groups for authenticated users on the network, or artificially associate an arbitrary user with an IP address. This vulnerability cannot be used by an attacker to gain access to user credentials.
- CVE-2024-6594/WGSA-2024-00016 is a high severity denial of service (DoS) vulnerability in the Firebox SSO Client. An attacker that has first gained access to the same network as a device with the SSO Client installed can send malformed commands and cause the SSO Client to crash repeatedly, preventing the normal single sign-on functionality from succeeding. This vulnerability cannot be used by an attacker to gain access to user credentials.
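The advisory gives the affected ceilings as SSO Agent 12.10.2 and SSO Client 12.7. The inventory check below is an added example, not WatchGuard code; the host inventory is constructed, the hypothetical version `99.0` is a placeholder for a future release and not a statement that one exists, and the point it makes is that version strings must be compared numerically (a plain string compare ranks "12.7" above "12.10" and would miss affected agents).

```python
"""Flag WatchGuard SSO components at or below the advisory's affected versions."""
from typing import List, Tuple

# Highest affected version per component, as stated in the advisory.
AFFECTED_UP_TO = {
    "sso_agent": "12.10.2",   # Firebox Authentication Gateway (SSO Agent)
    "sso_client": "12.7",     # Firebox Single Sign-On Client
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '12.10.2' into (12, 10, 2) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(component: str, version: str) -> bool:
    """True when the installed version is at or below the advisory ceiling."""
    if component not in AFFECTED_UP_TO:
        raise ValueError(f"unknown component: {component}")
    installed = parse_version(version)
    ceiling = parse_version(AFFECTED_UP_TO[component])
    # Zero-pad the shorter tuple so 12.7 == 12.7.0 and 12.10 <= 12.10.2 hold.
    width = max(len(installed), len(ceiling))
    installed += (0,) * (width - len(installed))
    ceiling += (0,) * (width - len(ceiling))
    return installed <= ceiling


def affected_hosts(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return hostnames whose SSO component falls inside the affected range."""
    return [host for host, comp, ver in inventory if is_affected(comp, ver)]


# Constructed sample inventory: (hostname, component, installed version).
SAMPLE_INVENTORY = [
    ("dc01.example.internal", "sso_agent", "12.10.2"),    # affected: equals ceiling
    ("dc02.example.internal", "sso_agent", "12.7"),       # affected: 12.7 < 12.10.2
    ("ws-105.example.internal", "sso_client", "12.7"),    # affected: equals ceiling
    ("ws-106.example.internal", "sso_client", "12.6.1"),  # affected
    ("ws-107.example.internal", "sso_client", "99.0"),    # hypothetical placeholder, not affected
]

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: affected, see psirt.watchguard.com for current mitigation")
```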
Knowledge Base Digest - August 2024
Articles
- Support for Firebox SSO with Azure AD User accounts and Azure joined Computers
- Interface module slot appears to be misaligned in M290, M390, M590, and M690 devices
Known Issues
- After upgrade to Mobile VPN with SSL v12.10.4, authentication to a Firebox from Windows fails
- Operators can no longer revert undeployed Firebox template changes in WatchGuard Cloud
- AuthPoint agent for macOS MFA page goes away after 25 seconds and leaves a black screen
- Forgot token mode does not end for the Logon app on macOS computers
- When I unlock my Mac computer, I am prompted for MFA but I can still see and use computer files
- When I log in to a Mac with the AuthPoint Logon app, I get a black screen and go back to the login page after entering a password
- When I unlock my Mac with Touch ID, the AuthPoint MFA window appears over the computer UI
- Backup master is inactive on T20/T40/T55 FireClusters
- ThreatSync Block IP action fails with reason "Error: Could not block the IP"
- Cannot import web server certificate in Dimension v2.2.2
Knowledge Base Digest - July 2024
Articles
- Restoring a backup image to a Firebox causes a timeout error
- How do I continue service for a device that includes 3 months free as part of an MSSP activation bundle
- I cannot log in to my computer after I install the AuthPoint agent for macOS
- WatchGuard MDR Program Guide
Known Issues
- Performance issues in 10 Gigabit Ethernet (10GbE) networks with Endpoint Security macOS protection version 3.04 or later
- Process ID Does Not Exist error message when you perform the Delete File action on a macOS device in ThreatSync
- Endpoint Security Decoy Files create temporary files and folders after backup sessions
- Endpoint Security performance issues or error message when accessing files in multi-user environments
- Enable ThreatSync toggle does not stay enabled on the Configure Device Settings page for access points
- Passive FTP connection fails through FTP-Proxy
- Endpoint Security protection mode shows as "Not Set" within the History of blocked programs list
- Interface eth0 fails to initialize on Dimension v2.2.x after reboot
- Files selected from the incidents list on the Endpoints page in ThreatSync do not show in Delete/Restore dialog box
- Mobile VPN with SSL v12.10.4 cannot connect to a Firebox when you use macOS Sonoma 12.x
- Allowed (Audit Mode) label does not show in list on Incidents and Endpoints pages in ThreatSync
- The file name does not show in the Delete/Restore dialog box when you try to delete a file from a macOS device in ThreatSync
- Cannot capture unilateral packets with arguments on wired VLAN interfaces on AP230W and AP430CR
- After upgrade to Fireware v12.10.4, authentications fail