WatchGuard Fireware OS, Out-of-bounds Write, CVE-2024-5997 (Critical)

This critical vulnerability (CVE-2024-5997) resides in the IKEv2 implementation of WatchGuard Fireware OS for both Mobile User and Branch Office VPNs configured with a dynamic gateway peer. During Phase 2 (Quick Mode) negotiations, the firmware improperly handles the memory buffer for security association payloads. A remote, unauthenticated attacker can send a specially crafted IKEv2 packet containing an SA payload with an excessive number of proposal substructures or malformed transform attributes. This triggers an out-of-bounds write condition in a fixed-size heap buffer, corrupting adjacent critical memory structures. Successful exploitation allows the attacker to overwrite function pointers or return addresses, ultimately leading to arbitrary code execution with kernel-level privileges on the affected firewall appliance, granting complete control over the device.

DailyCVE Form:

Platform: WatchGuard Fireware OS
Version: 11.10.2-12.11.5
Vulnerability: Memory Corruption
Severity: Critical
Date:

Prediction: Patch expected November 2024

What Undercode Says:

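openssl s_client -connect <target>:4500
ike-scan -A --id=myid <target> --showbackoff

#include <stdint.h>

struct ikev2_payload_sa {
    uint8_t next_payload;
    uint8_t flags;
    uint16_t length;          // payload length, network byte order on the wire
    uint8_t proposals_count;  // Manipulated to cause OOB write
    // proposal substructures follow (wire layout: RFC 7296, section 3.3.1)
    struct proposal_substructure proposals[];
};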

How the Exploit Works:

An attacker sends a malicious IKEv2 packet during VPN negotiation to a dynamic peer endpoint, triggering heap corruption and achieving RCE.

Protection from this CVE:

Apply the vendor patch. Disable IKEv2 for dynamic gateway peers. Use static IPs. Implement network segmentation.
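
An added example, not WatchGuard's code and not from the original post: a bounds-checked walk over the proposal substructures of an IKEv2 SA payload (wire layout per RFC 7296, section 3.3.1), showing the length and count validation whose absence produces the kind of out-of-bounds write described above. MAX_PROPOSALS, struct proposal_info and parse_sa_proposals are hypothetical names, and the table capacity of 4 is an assumption.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_PROPOSALS 4   /* hypothetical fixed capacity of the destination table */
#define PROP_HDR_LEN  8   /* fixed part of a proposal substructure (RFC 7296 3.3.1) */

struct proposal_info {    /* hypothetical parsed form of one proposal */
    uint8_t  num, protocol_id, spi_size, num_transforms;
    uint16_t length;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse the proposals in an SA payload body (the bytes after the 4-byte
 * generic payload header). Returns the number of proposals stored, or -1
 * if the input is malformed or would not fit in out[MAX_PROPOSALS]. */
int parse_sa_proposals(const uint8_t *body, size_t body_len,
                       struct proposal_info out[MAX_PROPOSALS])
{
    size_t off = 0;       /* invariant: off <= body_len */
    int count = 0;
    for (;;) {
        if (body_len - off < PROP_HDR_LEN)   /* fixed header must be fully present */
            return -1;
        const uint8_t *p = body + off;
        uint8_t  last = p[0];                /* 0 = last proposal, 2 = more follow */
        uint16_t plen = be16(p + 2);
        if (last != 0 && last != 2)
            return -1;
        if (plen < PROP_HDR_LEN || plen > body_len - off)
            return -1;                       /* declared length must stay inside the payload */
        if ((size_t)p[6] > (size_t)plen - PROP_HDR_LEN)
            return -1;                       /* SPI must fit inside the proposal */
        if (count == MAX_PROPOSALS)
            return -1;                       /* reject before writing past the table */
        /* field order: num, protocol_id, spi_size, num_transforms, length */
        out[count++] = (struct proposal_info){ p[4], p[5], p[6], p[7], plen };
        off += plen;
        if (last == 0)                       /* the last proposal must end the payload */
            return off == body_len ? count : -1;
    }
}

int main(void) {
    /* constructed sample: one ESP proposal, no SPI, no transforms */
    const uint8_t body[] = {0,0,0,8, 1,3,0,0};
    struct proposal_info out[MAX_PROPOSALS];
    return parse_sa_proposals(body, sizeof body, out) == 1 ? 0 : 1;
}
```

The capacity check runs before the store, so a payload carrying more proposals than the table holds is rejected as a whole rather than truncated or written past the end.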

Impact:

Remote Code Execution, Full Firewall Compromise, Network Breach.

Sources:

Reported By: www.cve.org