Two Vulnerabilities affect FireEye EX 3500

Overview of CVE-2021-28970 and CVE-2021-28969

This report is about two vulnerabilities affecting FireEye EX 3500. Successful exploitation of this vulnerability may allow the attacker to view, add, modify, or delete information in the back-end database. If your company uses this FireEye EX 3500 e-mail security appliance product, it is highly recommended that vendor-supplied patches are applied as soon as possible to mitigate the risk of exploitation of this vulnerability.

Tactics, Techniques, and Procedures

The vulnerabilities are identified as CVE-2021-28970 and CVE-2021-28969. To successfully exploit these vulnerabilities, a remote authenticated attacker could send specially-crafted SQL statements to the email search feature using the job_id parameter or to the email search feature script using the sort_by parameter, which may give the attacker access to information in the back-end database.

The CVE-2021-28970 vulnerability occurs when an attacker logs on to the WebGUI of the central management as a remote authorized user and searches for processed e-mails. The authenticated user conducts the SQL injection attack via the job_id parameter to the email search feature.

The CVE-2021-28969 vulnerability allows remote authenticated users to conduct SQL injection attacks through the sort_by parameter to the email search feature. Due to missing sanitization of user-controlled input, the web application is vulnerable to SQL injection, allowing to extract of data from the back-end database.

Business Unit Impact

• An attacker may be able to view, add, modify, or delete information in the back-end database.
• Data manipulation may affect the integrity of company information.

Our Recommendations

• Upgrade to the latest version of FireEye EMPS (9.0.3 or later), available from the FireEye website.

Sources

• https://exchange.xforce.ibmcloud.com/vulnerabilities/199273
• https://exchange.xforce.ibmcloud.com/vulnerabilities/199274

Supporting Documentation

• https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-006.txt
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28970
• https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-005.txt
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28969

MITRE Mapping(s)

• https://attack.mitre.org/techniques/T1565/

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.