Watchguard XCS Multiple Arbitrary Remote Commands Execution Vulnerabilities


Description   Several vulnerabilities have been identified in Watchguard XCS:
- CVE-2015-5452: arbitrary remote SQL command execution via the "sid" cookie of the "borderpost/imp/compose.php3" page
- CVE-2015-5453: arbitrary shell command execution via the "id" parameter of the "ADMIN/mailqueue.spl" page.

Proofs of concept are available for these vulnerabilities.

Updated, 30/06/2015:
A vulnerability has been added:
- privilege escalation via a cron task due to non-sanitized input parameters.

Exploit code for these vulnerabilities is available in the Metasploit Framework.
     
Vulnerable Products   Vulnerable OS:
BorderWare Security Platform/XCS (WatchGuard) - 10.0, 9.2
Vulnerable Software:
     
Solution   Watchguard has released build 150522 for XCS which fixes these vulnerabilities.
     
CVE   CVE-2015-5453
CVE-2015-5452
     
References   - Watchguard : XCS
http://www.security-assessment.com/files/documents/advisory/Watchguard-XCS-final.pdf
- Rapid7 : Watchguard XCS Remote Command Execution
https://www.rapid7.com/db/modules/exploit/freebsd/http/watchguard_cmd_exec
- Rapid7 : Watchguard XCS FixCorruptMail Local Privilege Escalation
https://www.rapid7.com/db/modules/exploit/freebsd/local/watchguard_fix_corrupt_mail
     
Vulnerability Manager Detection   No
     
IPS Protection  
ASQ Engine alarm   Available Since
SQL injection Prevention - Cookie : suspicious DROP statement in Cookie   3.5.0
SQL injection Prevention - Cookie : suspicious CREATE statement in Cookie   3.5.0
SQL injection Prevention - Cookie : suspicious OPENQUERY statement in Cookie   3.5.0
SQL injection Prevention - Cookie : suspicious DECLARE statement in Cookie   3.5.0
SQL injection Prevention - Cookie : possible version probing in Cookie   3.5.0
SQL injection Prevention - Cookie : suspicious INSERT statement in Cookie   3.5.0
SQL injection Prevention - Cookie : suspicious OPENROWSET statement in Cookie   3.5.0
SQL injection Prevention - Cookie : suspicious EXEC statement in Cookie   3.5.0
SQL injection Prevention - Cookie : suspicious UNION statement in Cookie   3.5.0
SQL injection Prevention - Cookie : suspicious HAVING statement in Cookie   3.5.0
SQL injection Prevention - Cookie : suspicious SELECT statement in Cookie   3.5.0
SQL injection Prevention - Cookie : suspicious CAST statement in Cookie   3.5.0
SQL injection Prevention - Cookie : suspicious UPDATE statement in Cookie   3.5.0
SQL injection Prevention - Cookie : suspicious OR statement in Cookie   3.5.0
SQL injection Prevention - Cookie : suspicious DROP statement in Cookie   4.1.2
SQL injection Prevention - Cookie : suspicious EXEC statement in Cookie   4.1.2
SQL injection Prevention - Cookie : possible version probing in Cookie   4.1.2
SQL injection Prevention - Cookie : suspicious CAST statement in Cookie   4.1.2
SQL injection Prevention - Cookie : suspicious SELECT statement in Cookie   4.1.2
SQL injection Prevention - Cookie : suspicious CREATE statement in Cookie   4.1.2
SQL injection Prevention - Cookie : suspicious HAVING statement in Cookie   4.1.2
SQL injection Prevention - Cookie : suspicious OPENQUERY statement in Cookie   4.1.2
SQL injection Prevention - Cookie : suspicious OR statement in Cookie   4.1.2
SQL injection Prevention - Cookie : suspicious DECLARE statement in Cookie   4.1.2
SQL injection Prevention - Cookie : suspicious INSERT statement in Cookie   4.1.2
SQL injection Prevention - Cookie : suspicious UPDATE statement in Cookie   4.1.2
SQL injection Prevention - Cookie : suspicious OPENROWSET statement in Cookie   4.1.2
SQL injection Prevention - Cookie : suspicious UNION statement in Cookie   4.1.2
Watchguard XCS remote code execution vulnerability   5.0.0

Risk level   Moderate

Vulnerability First Public Report Date   2015-06-29

Target Type   Server

Possible exploit   Remote