Thursday, June 11, 2026

Logic Error in FCGEd25519.verify_key_pair() Causes Persistent Session Re-Authentication (DoS) - WatchGuard 12.12

A logic error in the FCGEd25519.verify_key_pair() method within the newly introduced fcgatewayd daemon (Firebox 12.12) causes the function to incorrectly return False when both an Ed25519 private key and public key are present and valid. Below you'll find all the details. Here we go...

This time we'll start here:

 


The inverted boolean condition means the function always reports the signing key pair as invalid, forcing FireCloudGateway.verify_signing_key_info() to regenerate the key pair on every check. This triggers an unnecessary and repeated session refresh cycle against the WatchGuard FireCloud authentication service, constituting an availability impact (Denial of Service) on the FireCloud gateway connection.
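To show why a single inverted return value turns into a refresh on every check, here is a small model of the loop described above. It is an added example, not code from the report or from WatchGuard: Python, the `KeyPair`/`Gateway`/`simulate` names and the SHA-256 stand-in for Ed25519 key derivation are all assumptions made to keep it self-contained.

```python
import hashlib
import os


def derive_public(private: bytes) -> bytes:
    # Stand-in for Ed25519 public-key derivation (assumption: keeps the model stdlib-only).
    return hashlib.sha256(b"model-public-key" + private).digest()


class KeyPair:
    def __init__(self):
        self.generate()

    def generate(self):
        self.private = os.urandom(32)
        self.public = derive_public(self.private)

    def consistent(self) -> bool:
        # Both halves present and the public key matches the private key.
        return bool(self.private and self.public) and derive_public(self.private) == self.public


def verify_inverted(kp: KeyPair) -> bool:
    # Models the reported behaviour: a present, valid pair yields False.
    return not kp.consistent()


def verify_fixed(kp: KeyPair) -> bool:
    return kp.consistent()


class Gateway:
    def __init__(self, verify):
        self.keys = KeyPair()
        self.verify = verify
        self.refreshes = 0

    def verify_signing_key_info(self):
        # A pair reported invalid is regenerated; the new key forces a session refresh.
        if not self.verify(self.keys):
            self.keys.generate()
            self.refreshes += 1


def simulate(verify, checks: int) -> int:
    gw = Gateway(verify)
    for _ in range(checks):
        gw.verify_signing_key_info()
    return gw.refreshes


if __name__ == "__main__":
    print("inverted:", simulate(verify_inverted, 10), "refreshes in 10 checks")
    print("fixed:   ", simulate(verify_fixed, 10), "refreshes in 10 checks")
```

A regression test for the fix needs both directions: a freshly generated pair must verify as True, and a mismatched pair must still be rejected.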

Timeline:

April 13, 2026, 12:39am UTC      -- bug sent to vendor with all the details
April 13, 2026, 12:49am UTC      -- automated response for 'preliminary review'
April 27, 2026, 1:02pm UTC       -- asked vendor for comment/feedback; no response
May 7, 2026, 8:23am UTC          -- asked vendor for comment/feedback; no response
May 10, 2026, 9:19pm UTC         -- vendor changed status to 'pending program review'
May 11, 2026, 9:44am UTC         -- asked vendor for comment/feedback; no response
May 14, 2026, 9:10am UTC         -- asked vendor for comment/feedback; no response
June 9, 2026                     -- asked vendor for comment/feedback; no response
June 11, 2026                    -- full disclosure

 

Because of the lack of response from the vendor (described here), below you'll find the full report sent to HackerOne.

Report file

More - soon! 

Stay tuned!


Cheers 
