On September 6th, researcher Kristian Erik Hermansen publicly disclosed a zero-day vulnerability in FireEye appliances. This vulnerability affects customers running HX 2.1.x and DMZ 2.1.x versions of the FireEye HX endpoint security platform, and appears to be concentrated in a PHP script on the appliance itself. If exploited, it could give an attacker unauthorized remote access to the root file system.
The Linux operating system used by the FireEye servers contains a number of system files with sensitive information. According to Hermansen’s disclosure, triggering the vulnerability lets an attacker retrieve a copy of the /etc/passwd file and reach other system files. The underlying flaw is a directory traversal: because of an input validation error, the web server does not properly sanitize the request URI for directory traversal patterns, so an unauthenticated remote attacker can read arbitrary files on a vulnerable FireEye server.
How You Can Protect Yourself
While FireEye is currently working on a fix for the HX 2.1.x series, it recommends that users immediately upgrade to version 2.6.x to address the vulnerability. Meanwhile, customers using the Check Point IPS Software Blade already have two IPS protections available to block exploitation of this zero-day vulnerability in FireEye appliances. First, the Linux System Files Information Disclosure protection blocks unauthorized access to the /etc/passwd file and other sensitive files. The second protection, Web Servers Malicious URL Directory Traversal, blocks attempts to exploit directory traversal, preventing disclosure of additional information normally restricted to administrators. In both cases, HTTPS inspection must be enabled, because FireEye appliances are accessed over HTTPS and the IPS cannot see the request URI otherwise. As Hermansen claims to have discovered additional vulnerabilities, Check Point will continue to follow the disclosure of any further vulnerabilities and will provide dedicated protections as needed.
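The two protections described above correspond to two distinct checks on a request URI: does it contain a directory traversal pattern, and does it reference a sensitive Linux system file. The following Python script is an added example, not Check Point's IPS code or FireEye's appliance code, showing how such checks are typically implemented over web server access logs. It percent-decodes the URI repeatedly (so double-encoded variants such as %252e%252e are not missed), folds backslashes to forward slashes, and then inspects the path and each query value separately. The log lines, the /app/view.php script name and the protection labels are constructed for illustration. As the text notes for HTTPS inspection, this only works where the plaintext request line is visible, i.e. after TLS termination.

```python
"""Detect directory traversal and sensitive-file access in web server access logs.

Added example (constructed data); not the IPS or appliance code discussed above.
"""
import re
from urllib.parse import unquote

# Labels mirror the two protection names used in the text above.
TRAVERSAL = "Web Servers Malicious URL Directory Traversal"
DISCLOSURE = "Linux System Files Information Disclosure"

# Files whose disclosure matters most on a Linux host (assumed list).
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/etc/hosts", "/proc/self/environ")

# Combined-log-format request line: ip ident user [ts] "METHOD URI HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample log (hypothetical host, script and addresses).
SAMPLE_LOG = """\
10.0.0.5 - - [06/Sep/2015:10:01:02 +0000] "GET /app/index.php?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [06/Sep/2015:10:01:07 +0000] "GET /app/view.php?file=../../../../etc/passwd HTTP/1.1" 200 1803
10.0.0.9 - - [06/Sep/2015:10:01:09 +0000] "GET /app/view.php?file=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 0
10.0.0.9 - - [06/Sep/2015:10:01:11 +0000] "GET /app/view.php?file=..%255c..%255cetc%255cpasswd HTTP/1.1" 200 1803
10.0.0.7 - - [06/Sep/2015:10:01:15 +0000] "GET /docs/reading..list.html HTTP/1.1" 200 90
10.0.0.9 - - [06/Sep/2015:10:01:20 +0000] "GET /app/view.php?file=/etc/passwd HTTP/1.1" 200 1803
"""


def normalize_uri(uri: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), fold backslashes, collapse slashes."""
    decoded = uri
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace("\\", "/")
    return re.sub(r"/+", "/", decoded)


def has_traversal(norm: str) -> bool:
    """True if the path or any query value contains a '..' path segment.

    Checking whole segments avoids false positives on names like 'a..b.html'.
    """
    path, _, query = norm.partition("?")
    candidates = [path]
    for pair in query.split("&"):
        # Only the value side of key=value can be a file name.
        candidates.append(pair.partition("=")[2] if "=" in pair else pair)
    return any(".." in c.split("/") for c in candidates)


def classify_uri(uri: str) -> list:
    """Return the list of protection labels that would fire on this URI."""
    norm = normalize_uri(uri)
    hits = []
    if has_traversal(norm):
        hits.append(TRAVERSAL)
    if any(s in norm for s in SENSITIVE_PATHS):
        hits.append(DISCLOSURE)
    return hits


def scan_log(log_text: str) -> list:
    """Parse each log line and return (ip, uri, hits) tuples in order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        findings.append((m["ip"], m["uri"], classify_uri(m["uri"])))
    return findings


if __name__ == "__main__":
    for ip, uri, hits in scan_log(SAMPLE_LOG):
        print(f"{ip:10} {uri:55} {', '.join(hits) or '-'}")
```

Note that the last sample line trips only the information-disclosure check: an absolute /etc/passwd reference contains no traversal pattern, which is why the text lists the two protections separately rather than relying on one of them.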