Due to lack of response and breaking all the rules of responsible disclosure by WatchGuard and HackerOne - below you'll find full disclosure for one of the bugs I found few weeks ago in WatchGuard appliance (12.11 and 12.12). Here we go...
We'll start here:
Static binary analysis of three WatchGuard shared libraries (libpkicli.so, libldapcli.so, libldap.so.2) — performed by disassembling the stripped ELF binaries directly with objdump — reveals a provable race condition in rs_crypto_setup_ldap_server (libpkicli.so) that allows two concurrently-processed IKEv1 Aggressive Mode packets to trigger a double-free and Use-After-Free (UAF) on the global LDAP connection handle.
The root cause is the complete absence of synchronisation (no mutex, no atomic operation, no compare-and-swap) around the global ldHandle pointer that is read, conditionally freed, and re-initialised by
rs_crypto_setup_ldap_server. Because iked is a multi-threaded daemon serving UDP/500, two IKE Phase-1 negotiation threads can enter this function simultaneously. Both observe the handle as non-NULL, both call rs_ldap_shutdown on the same pointer, and the second call operates on already-freed memory.
The resulting heap corruption causes pthread_mutex_lock (inside ldap_ld_free) to receive a stale or near-zero pointer, which causes the pthread library to call abort(), sending SIGABRT and terminating iked. This matches exactly the crash evidence captured from the WatchGuard FireboxV appliance (rbp=0x1, fault address 0x9f0).
March 19, 2026, 6:27pm UTC -- bug sent to vendor with all the details
March 19, 2026, 6:32pm UTC -- vendor set status 'pending program review'
March 23, 2026, 5:44pm UTC -- asking vendor for the comment/feedback; no response
April 7, 2026, 9:30am UTC -- asking vendor for the comment/feedback; no response
April 14, 2026, 9:28am UTC -- asking vendor for the comment/feedback; no response
April 21, 2026, 8:08am UTC -- asking vendor for the comment/feedback; no response
May 7, 2026, 8:24am UTC -- asking HackerOne for mediations; no response
May 9, 2026, 4:18am UTC -- asking vendor for the comment/feedback; no response
May 14, 2026, 9:08am UTC -- asking vendor for the comment/feedback; no response
June 9, 2026 -- asking vendor for the comment/feedback; no response
June 11, 2026 -- full disclosure
Below you'll find full report sent previously to the vendor.
More - soon!
Stay tuned!
Cheers
Brak komentarzy:
Prześlij komentarz