Security appliance lets hackers pwn whole nets with a never-opened email

The FireEye "threat prevention device" is designed to scan all the emails, attachments, and other files entering and leaving your network, but a bug in the device allowed hackers to embed malware in an email that would take over the device — and your whole network — when the device checked it for viruses.

The vulnerability was discovered by researchers at Google's Project Zero lab, who reported it to FireEye, which issued a patch.

The devices are supposed to passively monitor network traffic from HTTP, FTP, and SMTP connections. Whenever a file transfer occurs, the security appliance scans it for malware. Ormandy and fellow Project Zero researcher Natalie Silvanovich found a vulnerability that can be exploited through that passive monitoring interface. The researchers used the JODE Java decompiler to reverse engineer the Java Archive files used by the FireEye devices. They then figured out a way to get the appliance to execute a malicious archive file by mimicking some of the same features found in legitimate ones.

"Putting these steps together, an attacker can send an e-mail to a user or get them to click a link, and completely compromise one of the most privileged machines on the network," the researchers reported. "This allows exfiltration of confidential data, tampering with traffic, lateral movement around networks and even self-propagating internet worms."

When a single e-mail gives hackers full access to your network
[Dan Goodin/Ars Technica]