WatchGuard Fireware OS Argument Injection Vulnerability Allowing Authenticated Arbitrary File Read/Write

Vulnerability

An argument injection vulnerability has been identified in WatchGuard Fireware OS versions prior to 12.8.1, 12.1.4, and 12.5.10. This vulnerability allows an authenticated remote attacker with unprivileged credentials to read files from, or upload files to, limited but arbitrary locations on WatchGuard Firebox and XTM appliances. The issue arises in the 'diagnose' and 'import pac' commands, where user-supplied arguments are not properly sanitized before being passed to the underlying command, leading to unauthorized file access or modification.

Impact

Exploitation of this vulnerability allows for authenticated arbitrary file read and write operations on affected WatchGuard appliances. A low-privileged user can read sensitive system files, while a highly privileged user can write files to restricted directories.

Reproduction

The vulnerability can be reproduced by an authenticated user with unprivileged credentials over the SSH interface. When the 'diagnose' command is executed, the SSH CLI prompts for a username and password. The supplied values are passed, unsanitized, as arguments to the 'ftpget' command, allowing the user to download arbitrary files. Similarly, the 'import pac' command can be used to upload files to the affected system.

Remediation

Users are advised to upgrade to WatchGuard Fireware OS version 12.8.1, 12.5.10, or 12.1.4, depending on their release branch. After updating, it is recommended to change passwords and, if possible, remove the appliance's SSH interface from internet exposure.
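To triage an inventory of appliances against the fixed versions named above, the following added helper (not part of this advisory or of any WatchGuard tooling) compares a Fireware version string with the fix for its release branch. It assumes that the 12.1.x branch is fixed at 12.1.4, the 12.5.x branch at 12.5.10, and every other release line at 12.8.1; trailing build suffixes are ignored.

```python
from typing import Tuple

# Fixed versions from the advisory, keyed by maintenance branch (major, minor).
# Assumption: branches not listed here are fixed at DEFAULT_FIXED (12.8.1).
FIXED_BY_BRANCH = {
    (12, 1): (12, 1, 4),
    (12, 5): (12, 5, 10),
}
DEFAULT_FIXED = (12, 8, 1)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse '12.5.9', '12.8' or '12.8.1.B12345' into a (major, minor, patch) tuple.

    Only the leading numeric components are used; a build suffix is dropped.
    A single component such as '12' is rejected as too ambiguous to compare.
    """
    numeric = []
    for part in text.strip().split("."):
        if not part.isdigit():
            break
        numeric.append(int(part))
    if len(numeric) < 2:
        raise ValueError(f"unrecognised Fireware version string: {text!r}")
    # Normalise to three components so 12.8 compares as 12.8.0.
    major, minor, patch = (numeric + [0, 0])[:3]
    return (major, minor, patch)


def fixed_version_for(version: Tuple[int, int, int]) -> Tuple[int, int, int]:
    """Return the first fixed release for the branch the given version belongs to."""
    return FIXED_BY_BRANCH.get(version[:2], DEFAULT_FIXED)


def is_affected(text: str) -> bool:
    """True when the running version is older than the fix for its branch."""
    version = parse_version(text)
    return version < fixed_version_for(version)


if __name__ == "__main__":
    # Constructed sample inventory, not real appliance data.
    for v in ["12.5.9", "12.5.10", "12.1.3", "12.7.2", "12.8.1.B669811"]:
        print(v, "AFFECTED" if is_affected(v) else "fixed")
```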

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 3.1
exploitability: 6.2
remediation: 7.9
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.