When receiving email compromises your network
A recent disclosure by FireEye, a network security company, shows just how vulnerable our networks can be even when security hardware is installed.
According to the support notice dated 15 December 2015, Google’s Project Zero discovered a Remote Code Execution (RCE) vulnerability in the NX, EX, AX and FX series of FireEye devices on 5 December 2015.
The vulnerability made it possible for hackers to compromise a network by sending just one malicious e-mail, even if it was never opened or read.
To give a brief overview, FireEye devices are installed on an internal network and watch all traffic passively, monitoring common protocols and data transfers. They also monitor any email communications that flow in or out of a company.
According to Google’s Tavis Ormandy,
“For networks with deployed FireEye devices, a vulnerability that can be exploited via the passive monitoring interface would be a nightmare scenario. This would mean an attacker would only have to send an email to a user to gain access to a persistent network tap - the recipient wouldn’t even have to read the email, just receiving it would be enough.
“Putting these steps together, an attacker can send an e-mail to a user or get them to click a link, and completely compromise one of the most privileged machines on the network,” the researchers reported. “This allows exfiltration of confidential data, tampering with traffic, lateral movement around networks and even self-propagating internet worms.”
FireEye has been quick to release a fix for this, which is commendable. Affected users should make sure their device is running security content release 427.334 or higher.
Unfortunately, this throws light on the delicate balance our security infrastructure rests on. If Google security researchers can find the vulnerability, then so can malicious hackers. While the fix was issued very quickly once the vulnerability was discovered, we wonder how long it could have been exploited before discovery.
As always, we recommend a holistic approach to security. Installing security hardware should be the first step, not the complete solution!