Sec-1 Advisory: Reflected Cross-Site Scripting and Open Redirect in WatchGuard Fireware v11.11

Sec-1 Security Advisory
Severity : Medium
Advisory Name : Reflected Cross-Site Scripting and Open Redirect in WatchGuard Fireware v11.11
Discovery Date : 27/04/2016
Release Date : 11/07/2016
Application : WatchGuard Fireware version 11.11 and earlier
Platform : Windows
CVE : CVE-2016-6154
Discovered by : Ryan Ward
Vendor Status : Resolved in v11.11.1 Fireware Update available from: https://www.watchguard.com/support/release-notes/fireware/11/en-US/EN_ReleaseNotes_Fireware_11_11_1/index.html#Fireware/en-US/EN_Release_Notes_Fireware.html
Website : https://www.sec-1.com/blog
References :
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6154
http://www.watchguard.com/support/release-notes/fireware/11/en-US/EN_ReleaseNotes_Fireware_11_11_1/Fireware_Release-Notes_v11_11_1.pdf

Vulnerability Summary

Reflected Cross-Site-Scripting (Reflected XSS) and Open Redirection

Cross-Site-Scripting (XSS) is a vulnerability that occurs when user-entered data is accepted by the server and returned in a response without proper sanitisation. This allows an attacker to embed malicious script in a request that is later served to another user. Reflected XSS occurs when the malicious data is immediately returned in the response to a malicious request, whereas Stored XSS occurs when the malicious data is held by the application for some time before being embedded in a response (for example, stored in a database and retrieved at a later date).

Open redirection vulnerabilities occur when an application incorporates user controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users.

Exploit

A single parameter on the SSL-VPN authentication applet of WatchGuard firewalls running Fireware < v11.11.1 was found to be vulnerable to both Reflected Cross-Site Scripting (XSS) and Open Redirection. This would allow an attacker to launch XSS attacks against targeted users by sending them crafted links (for example, by sending a malicious link in a targeted email). The effects could, for example, include:

  • Stealing access credentials from a targeted user as that user logs in
  • Stealing an access token from a targeted user as that user logs in
  • Displaying a malicious or political message to the user (virtual defacement)

Example Payload/POC
The vulnerability can be reproduced by browsing to "success.html?redirect=javascript:alert(document.domain)" on the SSL-VPN port (4100 by default) of any affected WatchGuard firewall.

https://Firewall_IP:4100/success.html?redirect=javascript:alert("Sec-1")


The same parameter was also found to be vulnerable to an open redirect: https://Firewall_IP:4100/success.html?redirect=http://www.sec-1.com would redirect the user's browser to the Sec-1 homepage.
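Both issues share one root cause: the `redirect` value is used as a navigation target without checking its scheme or host. The following is an added example (not WatchGuard's code) of the validation a defender would want on such a parameter: it accepts only http(s) URLs on the application's own origin, so both the javascript: payload and the off-site URL above are rejected. The origin `https://firewall.example:4100` is a constructed placeholder.

```javascript
// Added example: allow-list validation for a "redirect" query parameter.
// APP_ORIGIN is a constructed placeholder standing in for the appliance's own origin.
const APP_ORIGIN = "https://firewall.example:4100";

// Returns an absolute same-origin URL string, or null if the value must be rejected.
function safeRedirectTarget(raw, origin = APP_ORIGIN) {
  const value = typeof raw === "string" ? raw.trim() : "";
  if (value === "") return null;
  let parsed;
  try {
    // Resolving against the app origin turns relative paths such as "/index.html"
    // into absolute URLs, while absolute inputs keep their own scheme and host.
    parsed = new URL(value, origin);
  } catch {
    return null; // unparseable input is rejected rather than passed through
  }
  // Scheme check: stops javascript:, data:, vbscript: and similar (the XSS vector).
  // The parser lower-cases the scheme, so "JavaScript:" is caught as well.
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return null;
  // Origin check: stops off-site targets, including protocol-relative "//host" and
  // backslash variants such as "\\host", which the URL parser normalises to "//host".
  if (parsed.origin !== origin) return null;
  return parsed.href;
}

// Convenience wrapper: fall back to a fixed in-app page when the value is unsafe.
function redirectOrDefault(raw, fallback = "/") {
  return safeRedirectTarget(raw) ?? new URL(fallback, APP_ORIGIN).href;
}
```

The same check belongs on the server side as well as in the applet, since an attacker controls the query string entirely.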

Vendor Response
As of Fireware 11.11.1 this vulnerability has been reported as being fixed by WatchGuard. Sec-1 would like to thank WatchGuard for their prompt and professional response.
