Vulnerability CVE-2017-8055
Published: 2017-04-22   Modified: 2017-04-23

Description:
WatchGuard Fireware allows user enumeration, e.g., in the Firebox XML-RPC login handler. A login request that contains a blank password sent to the XML-RPC agent in Fireware v11.12.1 and earlier returns different responses for valid and invalid usernames. An attacker could exploit this vulnerability to enumerate valid usernames on an affected Firebox.

See advisories in our WLB2 database:
Topic
Author
Date
High
Watchguard Firebox / XTM XXE Injection
David Fernandez
18.04.2017

Type:

CWE-203

 (Information Exposure Through Discrepancy)

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None
Affected software
Watchguard -> Fireware 

 References:
http://watchguardsupport.force.com/publicKB?type=KBSecurityIssues&SFDCID=kA62A0000000KlGSAU
https://packetstormsecurity.com/files/142177/watchguardfbxtm-xxeinject.txt
https://www.sidertia.com/Home/Community/Blog/2017/04/17/Fixed-the-Fireware-Vulnerabilities-discovered-by-Sidertia
https://www.watchguard.com/support/release-notes/fireware/11/en-US/EN_ReleaseNotes_Fireware_11_12_2/index.html
Copyright 2024, cxsecurity.com

 

Back to Top