#VU8533 XXE attack in Fireware OS
Published: September 20, 2017
Vulnerability identifier: #VU8533
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-611
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Fireware OS
Fireware OS
Software vendor:
WatchGuard
WatchGuard
Description
The vulnerability allows a remote attacker to conduct XXE attack.
The weakness exists due to input validation flaw when handling XML message containing an empty member tag. A remote attacker can send a specially crafted login request to the XML-RPC interface, trigger the target wgagent service to crash and cause all user interface sessions to be logged out.
Successful exploitation of the vulnerability results in denial of service.
The weakness exists due to input validation flaw when handling XML message containing an empty member tag. A remote attacker can send a specially crafted login request to the XML-RPC interface, trigger the target wgagent service to crash and cause all user interface sessions to be logged out.
Successful exploitation of the vulnerability results in denial of service.
Remediation
Update to version 12.0.