Researchers at Google’s Project Zero discovered a critical vulnerability in FireEye NX, EX, AX and FX network security devices that run on security content version 427.334 or prior versions.
The vulnerability, discovered by Project Zero security researchers Tavis Ormandy and Natalie Silvanovich, could be used by an attacker to gain persistent access and remotely execute code.
In a blog post, Ormandy explained how the Project Zero team was able to exploit the vulnerability through the device's passive monitoring interface, combined with an email phishing scheme: the attacker could root FireEye’s network security device by tricking a victim into clicking on a link contained in an email.
“We can load a rootkit, persist across reboots or factory resets, inspect or modify traffic, or perform any other action,” Ormandy wrote. “This allows exfiltration of confidential data, tampering with traffic, lateral movement around networks and even self-propagating internet worms.”
FireEye responded with a support alert stating that a patch was released through automated security content updates for all of the affected devices.
FireEye is making the patch available for “out-of-contract customers,” and the firm warned customers who perform manual security content updates to “update immediately.”
The flaw discovered by Project Zero follows an earlier series of vulnerabilities discovered by the German security firm ERNW. FireEye filed an injunction against ERNW in September after learning that the firm was planning to release findings on vulnerabilities that it discovered in FireEye’s operating system.