In this paper, we present several now-patched vulnerabilities uncovered by a group of researchers in a FireEye NX device running the webMPS operating system in version 7.5.1.
The vulnerabilities presented here could allow an attacker to compromise virtual machine-based malware detection systems such as a FireEye device by triggering the analysis of a crafted exploit. Such an analysis can be triggered by sending an email to an arbitrary corporate address or by embedding the exploit code in a document (to-be) downloaded via HTTP.
All discussed vulnerabilities were responsibly disclosed and have been patched by FireEye. Please see the respective note released on Sep 081 for the official response from FireEye.
The remainder of the paper is organized as follows. In Section 2, we introduce the FireEye Malware Protection System (MPS) and feature set. Section 3 describes how a vulnerability (requiring prior authentication) in the management web interface can be used to gain access to the MPS operating system. In the following sections vulnerabilities in the Virtual Execution Engine (VXE) and the Malware Input Processor (MIP) are discussed in greater detail. Finally possible mitigation techniques are laid out.
It should be noted that changes to parts of this document were modified or removed after joint review with FireEye which might impact the readability/the train of thought to some portions of the document.