Two Vulnerabilities Affect FireEye EX 3500

phishing campaign
Share on linkedin
Share on facebook
Share on twitter
Share on reddit
Share on email
Share on print

Overview of CVE-2021-28970 and CVE-2021-28969

This report is about two vulnerabilities affecting FireEye EX 3500. Successful exploitation of this vulnerability may allow the attacker to view, add, modify, or delete information in the back-end database. If your company uses this FireEye EX 3500 e-mail security appliance product, it is highly recommended that vendor supplied patches are applied as soon as possible to mitigate the risk of exploitation of this vulnerability.

Tactics, Techniques, and Procedures

The vulnerabilities are identified as CVE-2021-28970 and CVE-2021-28969. To successfully exploit these vulnerabilities, a remote authenticated attacker could send specially-crafted SQL statements to the email search feature using the job_id parameter or to the email search feature script using the sort_by parameter, which may give the attacker access to information in the back-end database.

The CVE-2021-28970 vulnerability occurs when an attacker logs on to the WebGUI of the central management as a remote authorized user and searches for processed e-mails. The authenticated user conducts the SQL injection attack via the job_id parameter to the email search feature.

The CVE-2021-28969 vulnerability allows remote authenticated users to conduct SQL injection attacks through the sort_by parameter to the email search feature. Due to missing sanitization of user-controlled input, the web application is vulnerable to SQL injection, allowing to extract data from the back-end database.

Business Unit Impact

  • An attacker may be able to view, add, modify, or delete information in the back-end database.
  • Data manipulation may affect the integrity of company information.

Our Recommendations

  • Upgrade to the latest version of FireEye EMPS (9.0.3 or later), available from the FireEye website.

Sources

Supporting Documentation

MITRE Mapping(s)

  • https://attack.mitre.org/techniques/T1565/

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.

Share this:
Share on linkedin
Share on twitter
Share on facebook
Share on reddit
Share on email
Share on print

Sign-up for Weekly Updates