Knowledge Base Digest - March 2021

Articles

• Firebox does not power on
• Mobile network providers known to work with the Firebox T45-CW
• Authentication error for MFA or SAML SSO login to WatchGuard Cloud
• Error 1603 or 'patch not available' when you try to update MSXML 4.0 with WatchGuard Patch Management
• Patch Management pending installation list does not show applications installed on an endpoint for a local user
• Users cannot log in to AuthPoint password manager in Safari v18.0.1 on macOS Sequoia

Known Issues

• Users cannot authenticate to Mobile VPN with SSL
• Unable to select a certificate after it is imported by a Firebox in Fully Managed mode
• Cannot export certificate in PCSK12 format from CA Manager
• Issues occur when the Firebox reboots and resets the boot date incorrectly
• AuthPoint MFA is stuck on a blank page when I authenticate to Microsoft applications, such as Teams

Articles

• Forgot Token mode does not work on Mac without an Internet connection
• End of Availability for the AuthPoint Password Manager
• Allow WatchGuard Support to connect to your WatchGuard products
• macOS Sequoia 15.x software compatibility

Known Issues

• Outdated Log4j library is found on PCs that run WatchGuard System Manager (WSM)
• Issues affecting remote actions for mobile devices with WatchGuard Mobile Security app
• Mobile VPN with IKEv2 connections fail on iOS 18

On September 25, 2024, researchers from RedTeam-Pentesting.de published a report that details three vulnerabilities in the Firebox SSO Client & Agent software. The Firebox Authentication Gateway (SSO Agent) versions up to and including 12.10.2 and the Firebox Single Sign-On Client versions up to and including 12.7 are affected. These are the most recent versions of each software component. This issue only affects Firebox customers that use the SSO feature to authenticate local users and devices to the Firebox. Less than 10% of WatchGuard customers use this feature. WatchGuard is not aware of any exploit attempts in the wild.

WatchGuard Engineering is actively working on a resolution for these vulnerabilities. Administrators should review the advisories (CVE-2024-6592/WGSA-2024-00014, CVE-2024-6593/WGSA-2024-00015, CVE-2024-6594/WGSA-2024-00016) on psirt.watchguard.com for current mitigation details, and future remediation instructions. 

These vulnerabilities all require network access to the vulnerable components (the SSO Agent installed on a server locally and/or the SSO Clients installed on local user workstations). WatchGuard customers should follow security best practices that include installing endpoint protection and using secure methods of remote access like VPNs to limit the risk of an attacker compromising a local system.

Summary of reported vulnerabilities:

• CVE-2024-6592/WGSA-2024-00014 is a critical severity authorization bypass vulnerability in protocol that the Firebox SSO Agent and Client use to communicate with each other. An attacker that has first gained access to the same network as the SSO Agent or an SSO Client could exploit the vulnerability to send arbitrary messages to either component. This could allow them to extract usernames and groups for authenticated users on the network, or artificially associate an arbitrary user with an IP address. This vulnerability cannot be used by an attacker to gain access to user credentials.
• CVE-2024-6593/WGSA-2024-00015 is a critical severity authentication bypass vulnerability in the Firebox SSO Agent’s Telnet management interface. An attacker that has first gained access to the same network as the SSO Agent could exploit the vulnerability to bypass authentication and access management commands on the SSO Agent. This could allow them to extract usernames and groups for authenticated users on the network, or artificially associate an arbitrary user with an IP address. This vulnerability cannot be used by an attacker to gain access to user credentials.
• CVE-2024-6594/WGSA-2024-00016 is a high severity denial of service (DoS) vulnerability in the Firebox SSO Client. An attacker that has first gained access to the same network as a device with the SSO Client installed can send malformed commands and cause the SSO Client to crash repeatedly, preventing the normal single sign-on functionality from succeeding. This vulnerability cannot be used by an attacker to gain access to user credentials.