Vulnerability fixed in FireEye NX, FX, EX, and AX devices

Feb 18, 2016 10:45 GMT  ·  By

FireEye has patched its appliances to close a flaw that allowed malware to be whitelisted for up to 24 hours. German firm Blue Frost Security discovered the issue last fall and worked with FireEye to make sure the fix reached affected products.

The vulnerability affected the FireEye Operating System (FEOS), the company's custom operating system installed on its network security appliances.

More precisely, the vulnerability affected the Virtual Execution Engine (VXE), a Windows-based virtual machine that runs inside FEOS and is used to detonate and analyze suspicious files that pass through the appliance.

FEOS does this by first copying the file into the VXE virtual machine under the name "malware.exe", then renaming it back to its original file name with a batch script before execution.

A failed file copy inside the VM was the cause of the issue

Moritz Jodeit of Blue Frost Security found that the original file name was not sanitized before being used in that rename step: an attacker controlling the name of a file sent to a target could embed Windows environment variables (in %VAR% form) in it.

The batch script expanded these variables in the context of the analysis virtual machine, not the system the file name came from, so the rename pointed at a path the attacker chose and the file never ended up in the location the VXE expected.

Because the file was not where the VXE looked for it, the engine could not execute it and observe its behavior. Seeing no suspicious or malicious activity inside the VXE, FEOS treated the file as clean and whitelisted its MD5 hash for 24 hours.

The patch has been available since October, but most FireEye customers were slow to install it

This opened a window in which attackers could send a malicious file with the same MD5 hash, in practice a second copy of the file that had just skipped analysis, to targets protected by FireEye products. Because that hash matched the previously "analyzed" file, FireEye's software would treat the file as benign and let it through without detonating it.
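The rename step described above and the whitelist replay it enables, as an added example that is not part of the original article and is not FireEye's or Blue Frost Security's code. It models the analysis VM's environment, working directory, batch rename and behaviour check with constructed stand-ins (VM_ENV, WORKDIR, a marker byte string in the sample), and shows the vulnerable policy beside two hardening steps: sanitizing the file name before the rename, and refusing to cache a verdict for a sample that never actually ran.

```python
"""
Added illustration, not FireEye or Blue Frost code: how an attacker-chosen
file name containing cmd.exe-style environment variables derails the
"rename malware.exe back to its original name" step inside an analysis VM,
and how a "no observed activity => whitelist the MD5" policy turns that
failed rename into a replay bypass. The VM environment, working directory,
sandbox and behaviour check are all constructed stand-ins.
"""
import hashlib
import ntpath
import re

# Constructed environment of the analysis VM (assumed values, not real FEOS).
VM_ENV = {"TEMP": r"C:\Windows\Temp", "WINDIR": r"C:\Windows"}
WORKDIR = r"C:\analysis"          # where the launcher expects the sample

_VAR = re.compile(r"%([^%]*)%")


def expand_cmd_vars(name, env):
    """Expand %VAR% as a batch script would: defined variables are substituted
    (case-insensitively), undefined ones expand to nothing, '%%' is a literal %."""
    return _VAR.sub(
        lambda m: "%" if m.group(1) == "" else env.get(m.group(1).upper(), ""),
        name)


def rename_target(original_name, env, workdir=WORKDIR):
    """Resolve where 'ren/move malware.exe <original_name>' actually lands:
    cmd.exe expands the name first, then the path is taken relative to workdir.
    An absolute expansion (e.g. from %TEMP%) replaces workdir entirely."""
    return ntpath.normpath(ntpath.join(workdir, expand_cmd_vars(original_name, env)))


def lands_in_workdir(path, workdir=WORKDIR):
    """True when the renamed file sits directly in the launcher's directory."""
    return ntpath.dirname(path).lower() == workdir.lower()


def sanitize_name(name):
    """Hardened rename step: keep only the base name and replace characters
    cmd.exe interprets (%, redirection, wildcards, quotes, separators)."""
    base = ntpath.basename(name.replace("/", "\\")).strip(" .")
    base = re.sub(r'[%<>:"|?*&^]', "_", base)
    return base or "sample.exe"


class Sandbox:
    """Toy detonation sandbox with a 24-hour-style MD5 verdict cache.

    sanitize: run the file name through sanitize_name() before renaming.
    strict:   only cache a 'benign' verdict when the sample actually ran.
    Both False reproduces the vulnerable behaviour described in the article.
    """

    def __init__(self, sanitize=False, strict=False, env=VM_ENV):
        self.sanitize, self.strict, self.env = sanitize, strict, env
        self.whitelist = {}   # md5 -> "benign"

    def detonate(self, data, original_name):
        """Return (verdict, executed); verdict is whitelisted / malicious /
        benign / error."""
        md5 = hashlib.md5(data).hexdigest()
        if md5 in self.whitelist:
            return "whitelisted", False
        name = sanitize_name(original_name) if self.sanitize else original_name
        executed = lands_in_workdir(rename_target(name, self.env))
        # Constructed stand-in for behavioural detection: the sample only
        # reveals itself if it actually ran.
        if executed and b"EVIL" in data:
            return "malicious", True
        if executed or not self.strict:
            # Vulnerable policy: silence (including "never ran") means benign.
            self.whitelist[md5] = "benign"
            return "benign", executed
        return "error", False   # hardened: nothing observed, nothing cached


def replay_bypass(sandbox):
    """Two deliveries of the same constructed payload: first under a name that
    carries an environment variable, then under an ordinary name."""
    payload = b"MZ...constructed sample...EVIL"
    first = sandbox.detonate(payload, r"%TEMP%\invoice.exe")
    second = sandbox.detonate(payload, "invoice.exe")
    return first, second


if __name__ == "__main__":
    for label, sb in [("vulnerable", Sandbox()),
                      ("strict caching only", Sandbox(strict=True)),
                      ("sanitized + strict", Sandbox(sanitize=True, strict=True))]:
        print(label, replay_bypass(sb))
```

The two hardening steps are independent on purpose: a sanitizer stops this particular file-name trick, but a sample can also fail to run for other reasons (a crash, a missing dependency, a format the launcher does not handle), and the root cause here is that a detonation that never happened was scored as a clean one. Caching a verdict only after confirmed execution closes the whole class of failures, not just the one Blue Frost found.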

Blue Frost Security reported the issue to FireEye in mid-September, and a month later FireEye released patched versions for all affected products. The vulnerability is only being made public now, at FireEye's request, because most of its customers had not yet upgraded from vulnerable versions.

The following FireEye product lines were affected; the FEOS version that fixed the issue is given in parentheses: FireEye File Content Security - FX (7.5.1), FireEye Malware Analysis - AX (7.7.0), FireEye Network Security - NX (7.6.1), and FireEye Email Security - EX (7.6.2).