WatchGuard SSO Client Denial-of-Service
Attackers can issue malformed commands to WatchGuard SSO clients in order to crash the respective service.
Details
- Product: WatchGuard Active Directory Single Sign-On (SSO)
- Affected Versions: Single Sign-On Client <= 12.7
- Fixed Versions: None
- Vulnerability Type: Denial-of-Service
- Security Risk: medium
- Vendor URL: https://www.watchguard.com/
- Vendor Status: notified
- Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2024-008
- Advisory Status: published
- CVE: CVE-2024-6594
- CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6594
Introduction
When users log on to the computers in your network, they must give a user name and password. If you use Active Directory authentication on your Firebox to restrict outgoing network traffic to specified users or groups, your users must also complete an additional step. They must manually log in again to authenticate to the Firebox and get access to network resources or the Internet. To simplify the login process for your users, you can use the WatchGuard Single Sign-On (SSO) solution. With SSO, your users on local networks provide their user credentials one time (when they log on to their computers) and are automatically authenticated to your Firebox.
(from vendor’s homepage)
More Details
Since the proprietary protocol used for communication between WatchGuard SSO agents and clients lacks authentication, attackers can implement the protocol in order to issue commands to WatchGuard SSO clients (see advisory rt-sa-2024-006). Such an implementation is available at https://github.com/RedTeamPentesting/watchguard-sso-client.
It was discovered that the client service crashes when attackers send malformed commands. In the following listing, the command logon is issued without providing a username as an argument.
$ ./wgclient.py command --host '<host>' 'logon'
Connected to SSO client, connected at: Wed Jun 05 15:12:36 2024
list client completed
[...]
ConnectionResetError: [Errno 104] Connection reset by peer
This behavior can be exploited to revoke the network privileges of other hosts by crashing their SSO clients. Similarly, attackers who have compromised a workstation running the WatchGuard SSO client can crash their own client service in order to free the port, so that the attacks described in advisory rt-sa-2024-006 can be performed. Advisory rt-sa-2024-006 also describes how attackers can obtain logs from clients; these logs also include crash memory dumps if the service was previously crashed using this vulnerability.
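The following is an added, hypothetical model of the failure mode and is neither WatchGuard's code nor the RedTeam Pentesting client implementation: a command handler that dereferences an argument the peer never sent, next to a hardened handler that checks the command's arity before touching any argument. The line-based "command [arg]" format, the commands other than logon, the session state and the constructed message sequence are assumptions made for this example.

```python
"""Hypothetical model of the crash pattern: a command handler that indexes
a missing argument, beside a hardened handler that validates arity first.

Added illustration only. It is NOT WatchGuard's code and does not speak the
proprietary SSO protocol; the line-based "command [arg]" format, the command
names besides 'logon' and the session state below are assumptions made for
the example.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class ClientState:
    """Session state kept by the (modelled) client service."""
    logged_in_user: Optional[str] = None


def handle_vulnerable(state: ClientState, line: str) -> str:
    """Trusts the peer to send well-formed commands.

    'logon' without a username raises IndexError on parts[1]; nothing
    catches it, so the service loop in serve() dies, mirroring the crash
    observed in the advisory."""
    parts = line.split()
    cmd = parts[0]                         # IndexError on an empty line
    if cmd == "logon":
        state.logged_in_user = parts[1]    # IndexError when no username is given
        return "logon completed"
    if cmd == "logoff":
        state.logged_in_user = None
        return "logoff completed"
    if cmd == "list":
        return f"list client completed user={state.logged_in_user}"
    return "unknown command"


# Expected argument count per command (assumed for the model).
COMMAND_ARITY = {"logon": 1, "logoff": 0, "list": 0}


def handle_hardened(state: ClientState, line: str) -> str:
    """Validates the command and its arity before touching any argument,
    so a malformed command yields an error reply instead of an exception."""
    parts = line.split()
    if not parts:
        return "error: empty command"
    cmd, args = parts[0], parts[1:]
    expected = COMMAND_ARITY.get(cmd)
    if expected is None:
        return f"error: unknown command {cmd!r}"
    if len(args) != expected:
        return f"error: {cmd} expects {expected} argument(s), got {len(args)}"
    if cmd == "logon":
        state.logged_in_user = args[0]
        return "logon completed"
    if cmd == "logoff":
        state.logged_in_user = None
        return "logoff completed"
    return f"list client completed user={state.logged_in_user}"


def serve(handler: Callable[[ClientState, str], str],
          messages: List[str]) -> Tuple[List[str], bool]:
    """Feed constructed messages through one service loop.

    Returns the replies and whether the service is still alive afterwards.
    An uncaught exception ends the loop, which is the modelled equivalent of
    the 'Connection reset by peer' seen by the client in the advisory."""
    state = ClientState()
    replies: List[str] = []
    for msg in messages:
        try:
            replies.append(handler(state, msg))
        except Exception as exc:  # the real service has no such handler
            replies.append(f"crash: {type(exc).__name__}")
            return replies, False
    return replies, True


# Constructed traffic: a benign logon, then the malformed 'logon' without
# a username, then a further command that only an alive service can answer.
MESSAGES = ["list", "logon alice", "logon", "list"]

if __name__ == "__main__":
    for name, handler in (("vulnerable", handle_vulnerable),
                          ("hardened", handle_hardened)):
        replies, alive = serve(handler, MESSAGES)
        print(f"{name}: alive={alive}")
        for reply in replies:
            print(f"  {reply}")
```

Running the script shows the vulnerable loop ending after the third message while the hardened loop answers all four; the point is that arity and type checks belong before any argument is dereferenced, and that an unauthenticated listener must treat every peer as hostile.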
Proof of Concept
Issue a malformed command to a WatchGuard SSO client using the protocol implementation available at https://github.com/RedTeamPentesting/watchguard-sso-client:
$ ./wgclient.py command --host '<host>' 'logon'
Workaround
At the time of publication, no workaround is known other than refraining from using the WatchGuard SSO feature. While only the proprietary WatchGuard SSO client service is affected by this denial-of-service vulnerability, the alternative SMB-based data gathering method is currently also vulnerable to relay attacks, rendering it unsuitable as a workaround.
Security Risk
Attackers can disrupt network access for other users or exploit this vulnerability in order to gain access to crash memory dumps. Consequently, this vulnerability poses a medium risk.
Timeline
- 2024-06-05 Vulnerability identified
- 2024-06-10 Customer approved disclosure to vendor
- 2024-06-20 Vendor notified
- 2024-06-27 Vendor confirmed they received the reports
- 2024-07-04 Asked vendor to confirm the vulnerabilities and provide a timeline to resolve the issues
- 2024-07-09 Vendor confirmed vulnerabilities, said a timeline will be provided at a later date
- 2024-08-08 Asked for update regarding timeline, reminded vendor about 90-day responsible disclosure time frame
- 2024-09-03 Asked for update
- 2024-09-10 Asked for update again with hint to our planned release after 90 days
- 2024-09-16 Vendor announced they will publish advisories on the following day, no timeline for a fix was provided
- 2024-09-17 After customer conferred with WatchGuard, publication was deferred for one week in order to implement mitigations
- 2024-09-18 Confirmed new release date with WatchGuard
- 2024-09-25 Advisory published
RedTeam Pentesting GmbH
RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. In this way, security weaknesses in company networks or products are uncovered and can be fixed immediately.
As there are only a few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.
More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/
Working at RedTeam Pentesting
RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://jobs.redteam-pentesting.de/