This critical vulnerability (CVE-2024-5997) resides in the IKEv2 implementation of WatchGuard Fireware OS for both Mobile User and Branch Office VPNs configured with a dynamic gateway peer. During Phase 2 (Quick Mode) negotiations, the firmware improperly handles the memory buffer for security association payloads. A remote, unauthenticated attacker can send a specially crafted IKEv2 packet containing an SA payload with an excessive number of proposal substructures or malformed transform attributes. This triggers an out-of-bounds write condition in a fixed-size heap buffer, corrupting adjacent critical memory structures. Successful exploitation allows the attacker to overwrite function pointers or return addresses, ultimately leading to arbitrary code execution with kernel-level privileges on the affected firewall appliance, granting complete control over the device.
DailyCVE Form:
Platform: WatchGuard Fireware OS
Version: 11.10.2-12.11.5
Vulnerability: Memory Corruption
Severity: Critical
Date:
Prediction: Patch expected November 2024
What Undercode Say:
openssl s_client -connect <target>:4500
ike-scan -A --id=myid <target> --showbackoff
#include <stdint.h>

/* Illustrative layout of the SA payload as parsed by the affected code;
   struct proposal_substructure is defined elsewhere and not shown here. */
struct ikev2_payload_sa {
    uint8_t  next_payload;
    uint8_t  flags;
    uint16_t length;
    uint8_t  proposals_count;                   /* manipulated to cause the OOB write */
    struct proposal_substructure proposals[];   /* flexible array, bounded only by proposals_count */
};
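The root cause described above is a parser that trusts a count field in the packet when filling a fixed-size heap buffer. The following is an added example, not code from WatchGuard, DailyCVE or the cve.org record: a bounds-checked parser for an SA-style payload that mirrors the illustrative struct above (one-byte next_payload and flags, two-byte big-endian length, one-byte proposals_count, then proposal records). This layout follows the struct on this page, not the RFC 7296 wire format; the 16-byte proposal record, the 8-slot destination buffer, and the function and constant names are assumptions made for the demonstration.

```c
/* Added example: bounds-checked parsing of an SA-style payload into a fixed-size
 * buffer. PROPOSAL_LEN, MAX_PROPOSALS and all function names are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SA_HDR_LEN     5    /* next_payload + flags + length + proposals_count */
#define PROPOSAL_LEN   16   /* assumed fixed size of one proposal record */
#define MAX_PROPOSALS  8    /* capacity of the fixed-size destination buffer */

enum sa_parse_result {
    SA_OK = 0,
    SA_ERR_SHORT_HEADER,        /* fewer than SA_HDR_LEN bytes received */
    SA_ERR_LENGTH_FIELD,        /* length field exceeds the bytes actually received */
    SA_ERR_TOO_MANY_PROPOSALS,  /* proposals_count exceeds destination capacity */
    SA_ERR_COUNT_MISMATCH       /* proposals_count inconsistent with length field */
};

struct sa_payload {
    uint8_t  next_payload;
    uint8_t  flags;
    uint16_t length;
    uint8_t  proposals_count;
    uint8_t  proposals[MAX_PROPOSALS][PROPOSAL_LEN];  /* fixed-size, so it must be bounded */
};

/* Parse pkt_len received bytes into out. Every length-bearing field is checked
 * against the datagram size and the destination capacity before anything is
 * copied, so a crafted proposals_count cannot write past out->proposals. */
enum sa_parse_result parse_sa_payload(const uint8_t *pkt, size_t pkt_len,
                                      struct sa_payload *out)
{
    if (pkt_len < SA_HDR_LEN)
        return SA_ERR_SHORT_HEADER;

    uint16_t length = (uint16_t)((pkt[2] << 8) | pkt[3]);
    uint8_t  count  = pkt[4];

    /* The length field is peer-controlled: the datagram size is the authority. */
    if (length < SA_HDR_LEN || length > pkt_len)
        return SA_ERR_LENGTH_FIELD;

    /* Check the count against the destination, not against the source. */
    if (count > MAX_PROPOSALS)
        return SA_ERR_TOO_MANY_PROPOSALS;

    /* The declared length must cover exactly the declared proposals. */
    if ((size_t)length != SA_HDR_LEN + (size_t)count * PROPOSAL_LEN)
        return SA_ERR_COUNT_MISMATCH;

    out->next_payload    = pkt[0];
    out->flags           = pkt[1];
    out->length          = length;
    out->proposals_count = count;
    memcpy(out->proposals, pkt + SA_HDR_LEN, (size_t)count * PROPOSAL_LEN);
    return SA_OK;
}

/* Constructed test input: count proposal records filled with 0xAA, with the
 * length field set independently so a test can make it disagree with count. */
size_t build_sa_payload(uint8_t *buf, size_t buf_len, uint8_t count,
                        uint16_t claimed_length)
{
    size_t total = SA_HDR_LEN + (size_t)count * PROPOSAL_LEN;
    if (total > buf_len)
        return 0;
    buf[0] = 33;  /* next payload type 33 (KE), per RFC 7296 payload numbering */
    buf[1] = 0;
    buf[2] = (uint8_t)(claimed_length >> 8);
    buf[3] = (uint8_t)(claimed_length & 0xff);
    buf[4] = count;
    memset(buf + SA_HDR_LEN, 0xAA, total - SA_HDR_LEN);
    return total;
}

/* Build a constructed payload and parse it; returns the parser's verdict. */
enum sa_parse_result check_constructed(uint8_t count, uint16_t claimed_length)
{
    uint8_t buf[SA_HDR_LEN + 255 * PROPOSAL_LEN];
    struct sa_payload sa;
    size_t n = build_sa_payload(buf, sizeof buf, count, claimed_length);
    return parse_sa_payload(buf, n, &sa);
}

int main(void)
{
    printf("2 proposals, honest length:   %d\n", check_constructed(2, 37));
    printf("200 proposals (8-slot buffer): %d\n", check_constructed(200, 3205));
    printf("length field larger than datagram: %d\n", check_constructed(2, 500));
    printf("count disagrees with length:   %d\n", check_constructed(3, 37));
    return 0;
}
```

The design point is the order of the checks: the datagram size bounds the length field, the destination capacity bounds the count, and only once both agree does a copy happen. A parser that sizes its copy from `proposals_count` alone, or that trusts `length` over the number of bytes actually received, is the pattern that produces the out-of-bounds heap write the advisory describes.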
How the Exploit Works:
An attacker sends a malicious IKEv2 packet during VPN negotiation to a dynamic-peer endpoint, triggering heap corruption and achieving RCE.
Protection from this CVE:
Apply vendor patch. Disable dynamic gateway IKEv2. Use static IPs. Implement network segmentation.
Impact:
Remote Code Execution, Full Firewall Compromise, Network Breach.
Sources:
Reported By: www.cve.org
Extra Source Hub:
Undercode