Google's Project Zero uncovers critical flaw in FireEye products

The remote code execution flaws affected a range of the cybersecurity firm's products.

Google's Project Zero security team has uncovered security flaws in FireEye products that could lead to remote code execution and the compromise of entire computer systems.

Tavis Ormandy from the Google Project Zero vulnerability disclosure team said on Tuesday the flaws were serious enough for FireEye to ask for time to fix the problem, which had the potential to allow remote code execution to take place via a wide range of products.

In a blog post, Ormandy noted that cybersecurity firm FireEye's flagship products are based on network monitoring, and so critical security weaknesses could wreak havoc on enterprise networks.

FireEye products often take the form of passive monitoring devices and so frequently have network tap privileges: to keep a corporate network safe, they need access to email systems, downloads, attachments and so on. Throw in a security flaw that lets an attacker access these items and you have a problem.

The remote code execution (RCE) flaw was discovered by Tavis Ormandy and Natalie Silvanovich, who worked with FireEye on it. Dubbed "666", as the problem happens to be the 666th Project Zero security advisory, the flaw affects the NX, FX, AX and EX product series.

The vulnerability exists in the MIP (Malware Input Processor) subsystem module, which analyzes Java JAR files (archives of compiled Java classes) and then attempts to decompile their contents.

The module then checks the decompiled output for known malicious code patterns. Because JAR files crossing the passive monitoring interfaces are analyzed automatically, an attacker who sends a file into a corporate network that merely pretends to use string obfuscation can leverage the bug to dupe the decompiler into executing arbitrary shell commands.

The critical flaw could be exploited for privilege escalation, potentially leading to network surveillance, rooting, system takeovers and data theft.

"An attacker can send an email to a user or get them to click a link, and completely compromise one of the most privileged machines on the network," Ormandy says. "This allows exfiltration of confidential data, tampering with traffic, lateral movement around networks and even self-propagating internet worms."

FireEye was quick off the mark and provided a patch for the flaw within two days. In a statement (.PDF), the cyberforensics firm said a mitigation process was rapidly deployed via the company's hourly Security Content automatic updater, and a permanent fix was released on Monday.

Customers need to update their systems as soon as possible to stay safe from cyberattacks leveraging the critical bug.
