WatchGuard’s XTM 11.8 Software Fixes Buffer Overflow & XSS Vulnerabilities

Overall Severity: High


  • These vulnerabilities affect: WatchGuard WSM and Fireware XTM 11.7.4 and earlier
  • How an attacker exploits them: Either by enticing an XTM administrator into clicking a specially crafted link or by visiting the appliance’s web management UI with a malicious cookie
  • Impact: In the worst case, an attacker can execute code on the XTM appliance (see mitigating factors below)
  • What to do: Install WSM and Fireware XTM 11.8 (and limit access to the XTM web management interface)


Last week, we released WSM and Fireware XTM 11.8, which delivers a number of powerful new features to XTM administrators. However, it also fixes two externally reported security vulnerabilities. Though both vulnerabilities have mitigating factors that somewhat limit their severity, you should still patch them quickly.

If you haven’t already installed 11.8 for its great new features, we recommend you install it for these security fixes. We summarize the two vulnerabilities below:

WGagent is one of the processes running on an XTM appliance. Among other things, WGagent is responsible for parsing the web cookies sent to the appliance’s web management interface. It suffers from a buffer overflow vulnerability: it cannot handle specially crafted cookies containing an overly long “sessionid.” By creating a maliciously crafted cookie and then connecting to your XTM appliance’s web management interface (TCP port 8080), an unauthenticated attacker can exploit this vulnerability to execute code on the appliance. Though the WGagent process runs with low privileges (nobody) and from a chroot jail, it does have enough privilege to access your appliance’s configuration file and change passwords. So we consider this a significant vulnerability.

That said, one mitigating factor somewhat limits its severity. An attacker can only exploit the flaw if he has access to your XTM appliance’s web management interface. By default, physical XTM appliances only allow web management access to the trusted network. As long as you haven’t specifically changed the WatchGuard Web UI policy to allow external access, Internet-based attackers cannot exploit this flaw against you.

However, this is not the case for XTMv users (the virtual version of our XTM platform). As a virtual appliance, XTMv has no concept of what is internal or external until you attach its virtual interfaces to physical ones, using your hypervisor software. To make its setup easier, XTMv allows access to the web management UI from all interfaces. In other words, this flaw poses a higher risk to XTMv appliances if you haven’t restricted the web management policy manually.

Security best practices suggest that you limit access to your security appliance’s management interfaces. If you configure the WatchGuard Web UI policy to limit access to the management interface to only those you trust, this flaw should pose minimal risk. In any case, we still consider it a significant vulnerability, and recommend you upgrade to Fireware XTM 11.8 to fix it.
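The overly long “sessionid” cookie described above is input a parser must reject before it copies anything. The following is an added example, not WatchGuard’s code: the function name, the 64-byte limit, and the alphanumeric alphabet are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit; the real WGagent buffer size is not stated in this advisory. */
#define SESSIONID_MAX 64

enum sid_result { SID_OK = 0, SID_MISSING = -1, SID_TOO_LONG = -2, SID_BAD_CHAR = -3 };

/*
 * Hypothetical parser: copy the "sessionid" value from a Cookie header value
 * (e.g. "lang=en; sessionid=ABC123") into out[SESSIONID_MAX + 1].
 * The unsafe pattern it replaces is an unchecked copy such as
 * strcpy(out, value), which writes past `out` when the value is too long.
 */
static enum sid_result parse_sessionid(const char *cookie_hdr, char *out)
{
    static const char name[] = "sessionid=";
    const size_t name_len = sizeof(name) - 1;
    const char *p = cookie_hdr;

    out[0] = '\0';
    while (*p != '\0') {
        while (*p == ' ' || *p == ';')        /* skip separators between pairs */
            p++;
        size_t pair_len = strcspn(p, ";");    /* length of this name=value pair */
        if (pair_len > name_len && strncmp(p, name, name_len) == 0) {
            const char *val = p + name_len;
            size_t val_len = pair_len - name_len;
            if (val_len > SESSIONID_MAX)      /* reject before any copy happens */
                return SID_TOO_LONG;
            for (size_t i = 0; i < val_len; i++)
                if (!isalnum((unsigned char)val[i]))
                    return SID_BAD_CHAR;      /* assumed alphabet: alphanumeric */
            memcpy(out, val, val_len);        /* val_len <= SESSIONID_MAX here */
            out[val_len] = '\0';
            return SID_OK;
        }
        p += pair_len;
    }
    return SID_MISSING;
}

int main(void)
{
    char sid[SESSIONID_MAX + 1];
    /* Constructed sample header, not captured traffic. */
    printf("%d %s\n", parse_sessionid("lang=en; sessionid=ABC123", sid), sid);
    return 0;
}
```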

We’d like to thank Jerome Nokin and Thierry Zoller from Verizon Enterprise Solutions (GCIS Threat and Vulnerability Management) for discovering and responsibly disclosing this flaw, and thank the CERT team for coordinating the disclosure and response.

Severity rating: High

  • Reflective XSS vulnerabilities in WatchGuard Server Software’s WebCenter (CVE-2013-5702)

WebCenter is the web-based logging and reporting UI that ships with the Server Software included with WSM. The WebCenter web application suffers from a few cross-site scripting (XSS) vulnerabilities involving some of its URL parameters. If an attacker can trick your XTM or WebCenter administrator into clicking a specially crafted link, he could exploit these vulnerabilities to execute script in that user’s browser, under the context of the WebCenter application. Among other things, this means the attacker could do anything in the WebCenter application that your user could do.

However, it would take significant interaction for this attack to succeed. It is a reflected XSS attack, which means the attacker must trick a WebCenter administrator into clicking a link before the attack can take place. Furthermore, the link does not bypass WebCenter’s authentication. This means that unless the victim is already logged on to WebCenter, she would also have to enter her WebCenter credentials before this malicious link would work. Despite these mitigating factors, we still recommend you install 11.8 to fix these XSS flaws quickly.

We’d like to thank Julien Ahrens of RCE Security for bringing this matter to our attention, and disclosing it responsibly.

Severity rating: Medium

Solution Path:

WatchGuard Fireware XTM and WSM 11.8 correct both of these security issues. We recommend you download and install 11.8 to fix these vulnerabilities. You can find more details about 11.8 in our software announcement post.

For older appliances, such as the e-Series devices or the XTM 21, 22, and 23 appliances, Fireware XTM 11.6.7 and 11.3.7 also correct this buffer overflow vulnerability.

If, for some reason, you are unable to update your XTM appliances immediately, a few simple workarounds can significantly mitigate these vulnerabilities.

  • Restrict access to your appliance’s web management UI using the WatchGuard Web UI policy. By default, our physical appliances do not allow external access to the web management UI, meaning Internet-based attackers can’t exploit this cookie buffer overflow flaw. If you like, you can fine-tune our policy even more, further limiting access. For instance, you can restrict access to very specific IP addresses or subnets, use our user authentication capabilities to restrict access to certain users, or use our mobile VPN options to restrict access to VPN users. The more you limit access, the less likely an attacker could exploit this flaw.
  • Limit access to WebCenter, and train administrators against clicking unsolicited links. If you like, you can also use your XTM appliance and local host firewall policy to limit access to WebCenter (running on TCP port 4130 on your WatchGuard Server). This will minimize the number of victims a maliciously crafted link would work against. Furthermore, we recommend you train your administrators about the dangers of clicking unsolicited links, especially ones that connect you to security appliances and ask for additional authentication.


Are any of WatchGuard’s other products affected?

No. These flaws only affect our XTM appliances, and the WebCenter software that ships with WSM Server Software.

What exactly is the vulnerability?

One is a buffer overflow that allows attackers to execute code on your XTM appliance, and another is a cross-site scripting (XSS) vulnerability that could allow an attacker to gain unauthorized access to WebCenter, assuming he can trick an administrator into clicking a malicious link.

Do these give attackers access to my XTM security appliance?

Yes. The buffer overflow flaw could potentially give attackers access to your XTM security appliance. Though the WGagent process involved runs with low OS privileges, it does have enough privilege to access your appliance’s configuration file, and to change things like your passwords. However, attackers could only exploit this flaw if they had access to the web management UI, which most administrators block from the Internet. For most cases, this flaw primarily poses an internal risk.

How serious is the vulnerability?

Mitigating circumstances aside, we consider the buffer overflow flaw a high risk vulnerability, and recommend you update to 11.8 as soon as possible. The XSS flaws pose lesser risk.

How was this vulnerability discovered?

These flaws were discovered by Jerome Nokin and Thierry Zoller of Verizon Enterprise Solutions, and by Julien Ahrens of RCE Security, and were both confidentially reported to WatchGuard through a very responsible process. We thank them all for working with us to keep our customers secure.

Do you have any indication that this vulnerability is being exploited in the wild?

No, at this time we have no indication that these vulnerabilities are being exploited in the wild. However, shortly after our alert, the researcher who discovered the buffer overflow flaw shared his proof of concept (PoC) exploit code publicly. This code makes it easier for unskilled attackers to try to exploit this flaw. To make sure no one can exploit this issue against you, we highly recommend you upgrade to 11.8, or be sure not to expose your web management interface externally.

Who can I contact at WatchGuard if I have more questions?

If you have further questions about this issue, or any other security concerns with WatchGuard products, please contact:

Corey Nachreiner, CISSP.
Director of Security Strategy and Research
WatchGuard Technologies, Inc.
