Critical WatchGuard Vulnerabilities Discovered: CVE-2024-6592 and CVE-2024-6593

Cybersecurity firm RedTeam Pentesting GmbH has disclosed two critical vulnerabilities, CVE-2024-6592 and CVE-2024-6593, in WatchGuard’s Authentication Gateway (also known as Single Sign-On Agent) and Single Sign-On Client software, potentially impacting thousands of organizations.

CVE-2024-6593: Incorrect Authorization in Authentication Gateway

This vulnerability, with a CVSS score of 9.1, allows an attacker with network access to execute restricted management commands on the Authentication Gateway. This could lead to the retrieval of sensitive user information such as usernames and group memberships, or even tampering with the agent’s configuration. The flaw cannot, however, be used directly to obtain user credentials.

CVE-2024-6592: Incorrect Authorization in Protocol Communication

The second vulnerability, also rated 9.1 on the CVSS scale, involves incorrect authorization in the communication protocol between the Authentication Gateway and the Single Sign-On Client on both Windows and macOS. This allows an attacker to forge communications and potentially extract authenticated usernames and group information, or even send arbitrary account and group data to the Authentication Gateway.

Exploitation and Mitigation

While there have been no known cases of exploitation in the wild, the technical details and a proof-of-concept (PoC) have been published, making it crucial for organizations to act swiftly.

As a workaround, WatchGuard recommends using Windows Firewall rules to restrict access to specific TCP ports used by the affected components. Additionally, administrators can leverage Group Policy Objects to enforce these firewall rules on Windows endpoints.

Urgency of Updates

WatchGuard has addressed these vulnerabilities in the latest versions of its software. Users are strongly urged to update their Authentication Gateway to version 12.10.2 or later, and their Single Sign-On Clients to version 12.7 or later for Windows and 12.5.4 or later for macOS, as soon as possible.
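
To find hosts that still need the update, the fixed versions above can be checked against a software inventory. The script below is an added example, not WatchGuard's or RedTeam Pentesting's code; the CSV layout, host names and the "gateway"/"client" labels are assumptions, and the sample inventory is constructed.

```python
import csv, io, re

# Minimum fixed versions as stated in the article. The article names no
# platform for the gateway; "windows" here is an assumption of this sample.
FIXED = {
    ("gateway", "windows"): (12, 10, 2),
    ("client", "windows"): (12, 7),
    ("client", "macos"): (12, 5, 4),
}

# Constructed sample inventory (hosts and installed versions are made up).
SAMPLE = """host,component,platform,version
dc01,gateway,windows,12.10.1
dc02,gateway,windows,12.10.2
ws-014,client,windows,12.5.4
ws-015,client,windows,12.7.0
mac-03,client,macos,12.5.3
mac-04,client,macos,12.5.4
ws-016,client,windows,unknown
"""

def parse_version(text):
    """Return a tuple of ints, or None if the string is not dotted-numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def is_fixed(version, minimum):
    """Numeric compare, zero-padded so 12.7 == 12.7.0 and 12.10 > 12.7."""
    width = max(len(version), len(minimum))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) >= pad(minimum)

def audit(inventory_csv):
    """Return (host, status) pairs; unparseable rows are 'unknown', never 'fixed'."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        key = (row["component"].lower(), row["platform"].lower())
        version = parse_version(row["version"])
        if key not in FIXED or version is None:
            status = "unknown"
        elif is_fixed(version, FIXED[key]):
            status = "fixed"
        else:
            status = "vulnerable"
        results.append((row["host"], status))
    return results

if __name__ == "__main__":
    for host, status in audit(SAMPLE):
        print(f"{host}: {status}")
```

Note that 12.5.4 counts as fixed only for the macOS client; a Windows client at 12.5.4 is still below 12.7 and is reported as vulnerable.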
