Remote code execution vulnerability in jar analysis

Reference: 2015-824

Short Summary
--------------

Tavis Ormandy and Natalie Silvanovich of Google Project Zero discovered a critical vulnerability in FireEye devices. As a result, an attacker can send an email to a user, or alternatively get them to click a link, and completely compromise one of the most privileged machines on the network. This allows exfiltration of confidential data, tampering with traffic, lateral movement around networks and even self-propagating internet worms.

Systems affected
-----------------

FireEye NX, EX, AX, FX

Impact
-------

A vulnerability existed in the module that analyses Java jar files, which could allow an attacker to execute code remotely on a FireEye appliance. This vulnerability is of high risk.

Description
------------

On Friday, December 4, 2015, Tavis Ormandy and Natalie Silvanovich of Google Project Zero, while testing FireEye products as part of FireEye's vulnerability disclosure program, discovered a critical vulnerability. As a consequence, FireEye was informed of a Remote Code Execution (RCE) vulnerability that impacted the NX, EX, FX and AX Series products.

For networks with deployed FireEye devices, a vulnerability that can be exploited via the passive monitoring interface can result in a network compromise. A passive monitoring interface (network tap) is one of the most privileged machines on the network, with access to employees' email, passwords, downloads, browsing history and confidential attachments. In some deployment configurations an attacker could tamper with traffic, inserting backdoors or worse. Because FireEye devices typically have a secondary internet-connected interface for updates and management, the issue could even be used to disseminate self-propagating internet worms.

Solutions
----------

On Saturday morning, December 5, 2015, due to the severity of the issue discovered, an automated remediation for this RCE issue was released via the FireEye hourly Security Content update process, mitigating any exposure. A permanent fix was subsequently released via the FireEye Security Content update process on Monday, December 7, 2015.

Additional References
-----------------------

[1] FireEye support notice
https://www.fireeye.com/content/dam/fireeye-www/support/pdfs/fireeye-rce-vulnerability.pdf

[2] Project Zero Team Blog
http://googleprojectzero.blogspot.com.au/2015/12/fireeye-exploitation-project-zeros.html

CERT-EU (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383