
Watch Out for Unpatched WatchGuard SSO Bug CVE-2024-6592

Why It Matters: All versions of the WatchGuard Single Sign-On Client and WatchGuard Authentication Gateway use a protocol that is unencrypted and does not require authentication for communications between the SSO agent and network devices.

The Big Picture: The vulnerability (CVE-2024-6592), discovered in June, can allow an attacker to retrieve authenticated usernames and group memberships, bypass authentication, and send arbitrary account data to the SSO agent.

Key Details

  • WatchGuard SSO Client versions through 12.10.2 and Authentication Gateway through 12.7 are vulnerable

  • An attacker needs network access to exploit this vulnerability

  • There are no fixed versions available at this time

  • No known exploitation 

Vendor Response: WatchGuard has identified a fix and is planning to release it by the end of October.

The Bottom Line: This bug is a serious security risk for organizations that have deployed the WatchGuard SSO Client and Authentication Gateway and the only known workaround is to not use the SSO feature, since both WatchGuard’s proprietary protocol and the SMB-based protocol that’s used as a fallback are vulnerable.

What to Do: WatchGuard PSIRT recommends using Windows Firewall rules to restrict TCP port 4116 network access to the Single Sign-On Client to only allow connections from the Authentication Gateway (SSO Agent), and restricting TCP port 4114 network access to the Authentication Gateway to only allow connections from the Firebox.
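As an added example (not from the advisory or from WatchGuard), the PowerShell below creates the two scoped Windows Firewall rules the PSIRT workaround calls for and then shows the checks that make them effective: the profile default inbound action and any other enabled inbound rule on those ports. The two IP addresses are placeholders; the port 4116 rule belongs on hosts running the SSO Client and the port 4114 rule on the host running the Authentication Gateway.

```powershell
# Added example, not vendor code. Placeholder addresses: replace with your own.
$GatewayIP = '192.0.2.10'   # placeholder: Authentication Gateway (SSO Agent) address
$FireboxIP = '192.0.2.1'    # placeholder: Firebox address

# SSO Client hosts: accept TCP 4116 only from the Authentication Gateway.
New-NetFirewallRule -DisplayName 'WatchGuard SSO Client 4116 - Gateway only' `
    -Direction Inbound -Protocol TCP -LocalPort 4116 `
    -RemoteAddress $GatewayIP -Action Allow -Profile Any

# Authentication Gateway host: accept TCP 4114 only from the Firebox.
New-NetFirewallRule -DisplayName 'WatchGuard Auth Gateway 4114 - Firebox only' `
    -Direction Inbound -Protocol TCP -LocalPort 4114 `
    -RemoteAddress $FireboxIP -Action Allow -Profile Any

# A scoped allow rule only restricts access if everything else on the port is
# dropped: every active profile must default to Block for inbound traffic.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# Any other enabled inbound allow rule for 4116 or 4114 (e.g. one scoped to Any)
# would still admit arbitrary hosts, so list them and disable the broad ones.
Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -in '4116', '4114' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    Select-Object DisplayName, Action,
        @{ Name = 'RemoteAddress'; Expression = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress } }
```

Run it from an elevated PowerShell session; a rule whose RemoteAddress column reads Any is the kind the workaround is meant to replace.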

Further Reading:

  • RedTeam Pentesting GmbH detailed blog post on the flaw and exploitation

  • WatchGuard PSIRT advisory