Ars Technica reports the vulnerability was unearthed by members of Google’s Project Zero security research team. Google privately reported it to FireEye so it could fix the issue before the details were made public.
FireEye’s products are essentially dedicated hardware appliances that run antivirus software. They sit at the outer edge of the network and offer live protection against incoming threats before traffic reaches any important servers or desktop machines.
FireEye appliances continually inspect all data flowing in and out of the network, passively scanning it for threats. For example, when one detects that a file is being downloaded or an email received, it can scan the contents to confirm they are safe before any embedded malware wreaks havoc behind the barrier.
This comes at a price, though. By its nature, a FireEye appliance is arguably the most privileged device on any network, since it gets to see every piece of data that is transmitted. That position is exactly what makes an exploit like the one disclosed today so damaging.
The bug can render FireEye’s protection completely useless, because it gives an attacker full access to the network behind the device. Google’s researchers reverse-engineered FireEye’s NX, EX, AX and FX series of products and found something concerning: it is possible to trick the device into executing code embedded in the data that passes through it.
An attacker could send an email to an address on the network with commands embedded in it to bypass FireEye’s protection. When the device scans the contents of the message, it would execute the malicious code inside, exposing the very devices it is meant to protect. Because this monitoring is constant and passive, the exploit would fire as soon as the email was delivered; the message would never need to be read or even opened.
Google’s Project Zero team said: “An attacker can send an email to a user or get them to click a link, and completely compromise one of the most privileged machines on the network. This allows exfiltration of confidential data, tampering with traffic, lateral movement around networks and even self-propagating internet worms.”
The vulnerability was uncovered by Tavis Ormandy and Natalie Silvanovich. Google thanked FireEye for responding positively to its findings and being “very cooperative”. The company has now released a software update, version 427.334, that fixes the issue. The patch was issued within two days of Google notifying FireEye of the vulnerability.
