WatchGuard Firebox SSO Client and Agent Vulnerabilities

On September 25, 2024, researchers from RedTeam-Pentesting.de published a report that details three vulnerabilities in the Firebox SSO Client & Agent software. The Firebox Authentication Gateway (SSO Agent) versions up to and including 12.10.2 and the Firebox Single Sign-On Client versions up to and including 12.7 are affected. These are the most recent versions of each software component. This issue only affects Firebox customers that use the SSO feature to authenticate local users and devices to the Firebox. Less than 10% of WatchGuard customers use this feature. WatchGuard is not aware of any exploit attempts in the wild.

WatchGuard Engineering is actively working on a resolution for these vulnerabilities. Administrators should review the advisories (CVE-2024-6592/WGSA-2024-00014, CVE-2024-6593/WGSA-2024-00015, CVE-2024-6594/WGSA-2024-00016) on psirt.watchguard.com for current mitigation details, and future remediation instructions. 

These vulnerabilities all require network access to the vulnerable components (the SSO Agent installed on a server locally and/or the SSO Clients installed on local user workstations). WatchGuard customers should follow security best practices that include installing endpoint protection and using secure methods of remote access like VPNs to limit the risk of an attacker compromising a local system.

Summary of reported vulnerabilities:

• CVE-2024-6592/WGSA-2024-00014 is a critical severity authorization bypass vulnerability in protocol that the Firebox SSO Agent and Client use to communicate with each other. An attacker that has first gained access to the same network as the SSO Agent or an SSO Client could exploit the vulnerability to send arbitrary messages to either component. This could allow them to extract usernames and groups for authenticated users on the network, or artificially associate an arbitrary user with an IP address. This vulnerability cannot be used by an attacker to gain access to user credentials.
• CVE-2024-6593/WGSA-2024-00015 is a critical severity authentication bypass vulnerability in the Firebox SSO Agent’s Telnet management interface. An attacker that has first gained access to the same network as the SSO Agent could exploit the vulnerability to bypass authentication and access management commands on the SSO Agent. This could allow them to extract usernames and groups for authenticated users on the network, or artificially associate an arbitrary user with an IP address. This vulnerability cannot be used by an attacker to gain access to user credentials.
• CVE-2024-6594/WGSA-2024-00016 is a high severity denial of service (DoS) vulnerability in the Firebox SSO Client. An attacker that has first gained access to the same network as a device with the SSO Client installed can send malformed commands and cause the SSO Client to crash repeatedly, preventing the normal single sign-on functionality from succeeding. This vulnerability cannot be used by an attacker to gain access to user credentials.