FireEye has issued an emergency security alert - and a related patch - to fix a flaw that an attacker could use to gain persistent access and remotely execute code in any network monitored by a vulnerable FireEye product.
The security flaw is tied to a module used in FireEye appliances that analyzes Java files, the company says in a Dec. 15 vulnerability alert. FireEye says the problem affects NX, EX, AX and FX devices running security content version 427.334 or earlier, and that devices set to receive automatic security updates have already been patched. The company warned all firms that install updates manually to apply the related fix immediately, and it has also offered the updates for free to "out of contract customers."
The flaw is related to how some FireEye products analyze network traffic, including emails, which potentially makes them vulnerable to any malicious code that's designed to target the FireEye product itself, and which might be hidden inside or attached to an email, says security researcher Tavis Ormandy in a blog post. He and fellow Google Project Zero team member Natalie Silvanovich are credited with discovering the flaw and working with FireEye to fix it (see Google's Psychological Patch Warfare).
"For networks with deployed FireEye devices, a vulnerability that can be exploited via the passive monitoring interface would be a nightmare scenario," Ormandy says. "This would mean an attacker would only have to send an email to a user to gain access to a persistent network tap - the recipient wouldn't even have to read the email, just receiving it would be enough."
@taviso huge thanks for the notification of your findings today & helping protect our customers we're working on an immediate remediation fix
Ormandy says that the Google researchers had been testing a FireEye NX 7500 appliance, using sample traffic generated in a lab environment, when they discovered the flaw on Dec. 4. They alerted FireEye the same day, and the vendor says that "due to the severity of the issue discovered," it pushed a temporary fix via automatic-update channels on Dec. 5, just six hours after learning of the flaw, and shipped a permanent fix on Dec. 7.
Multiple information security experts, including Dan Kaminsky, chief scientist of anti-malware firm White Ops, have lauded FireEye for apparently sharing one of its devices for testing purposes with the Google security researchers.
Wow, @FireEye provided test equipment to @taviso. That's genuinely awesome.
FireEye declined to comment on how the company has been working with the Google Project Zero team. "We are thankful for the opportunity to support researchers in the testing of our products and will continue to support their efforts and fully support their efforts to improve our products," FireEye spokesman Kyrk Storer tells Information Security Media Group.
Follows ERNW Episode
This episode has led some security experts to question whether FireEye is attempting to repair its reputation, after it filed an injunction against German consultancy ERNW in August to stop one of its researchers from publicly detailing some aspects of FireEye's products in advance of scheduled information security conference presentations. While related presentations went ahead - with required information redacted - the episode led to widespread criticism of FireEye by the information security research community, and some related feelings of ill will apparently persist.
"If FireEye explicitly gave that FireEye box to @taviso then this whole charade was orchestrated to whitewash their reputation," says independent security consultant Stefan Esser via Twitter.
@halvarflake and what is FireEye's excuse for playing nice with GOOG as opposed to suing ERNW?
That refers to Felix Wilhelm, a security researcher for German consultancy ERNW, finding five exploitable flaws in the malware protection system used in FireEye products, which is designed to detect zero-day exploits. He informed the company about the vulnerabilities in April, noting that he planned to publicly detail the flaws 90 days later, as is the standard practice now used by many researchers, including the Google Project Zero team.
But relations between ERNW and FireEye reportedly deteriorated, leading to delays in related information being released. FireEye ultimately released a related security alert Sept. 8, reporting that it had fixed the flaws, but not before it had also obtained an injunction against the researchers in German court.
ERNW founder Enno Rey voiced his disappointment with how FireEye handled the process. "In general we consider it an inappropriate strategy to sue researchers responsibly reporting security vulnerabilities," he said in a Sept. 10 blog post, noting that ERNW had worked with FireEye to reach an agreement about what the ERNW report would - and would not - include, ultimately making a handshake deal at the Black Hat conference in Las Vegas in August.
"Less than 24 hours later we received an extensive cease-and-desist letter stating a number of accusations and demands, mainly in the realm of intellectual property protection," Rey said. He added that using such legal tactics was highly unusual and "sends the wrong signal to the research community."
FireEye's Defense
Facing extensive criticism, FireEye responded with a Sept. 11 blog post attempting to defend the legal escalation. "We had no assurance that ERNW would not publish or disclose orally the contents of the drafts," the company said. "To protect our company and our customers, we sent a warning letter asking them to voluntarily remove the sensitive information only, not the vulnerability information. ERNW refused to sign the warning letter. We asked them repeatedly and when ERNW continued to refuse these requests, the German courts granted an injunction to prevent the release of that sensitive information."
Both companies later reached an agreement - via their attorneys - about what was, and what was not, going to be included in the report. "It is important to note that FireEye did not seek to deny ERNW from disclosing the vulnerabilities themselves," FireEye said. "In fact, FireEye cooperated with ERNW on this matter and ultimately approved their published report on the vulnerabilities."
ERNW subsequently released the research as "Playing With Fire: Attacking the FireEye MPS," noting therein that "changes to parts of this document were modified or removed after joint review with FireEye which might impact the readability/the train of thought to some portions of the document." The research was also presented at the 44CON London information security conference in September.
Recommendation: Clearer Guidelines
Multiple security experts criticized FireEye's handling of the situation, including information security entrepreneur Steve Lord, who's also a co-organizer of 44CON London. "In my personal view, FireEye's statements do not chime with their behavior. They obtained and sat on an injunction for weeks until serving it a few days before the talk," he said in a September post to Reddit. "This is normally considered an attempt to pressure researchers by abusing the injunction legal process. Perhaps internal administrivia got in the way, we don't know."
Lord said that if FireEye wanted to repair the damage to its reputation, it needed to set some clear vulnerability-disclosure guidelines and stick by them. "Personally I think it's too late for FireEye to put things right with ERNW, but they can learn from the lesson," he said. "If they genuinely want to engage the community then they need to make it absolutely clear how they manage vulnerability disclosure."