A controversy has erupted today at London security conference 44CON as details emerge of U.S. security company FireEye’s attempts to stifle any public disclosure of a major series of vulnerabilities in its suite – all of which have now been patched.

The vulnerabilities are said to have included the default use of the ‘root’ account on a significant number of the Apache servers providing services to FireEye’s clients.

Apache is designed to be started as ‘root’ – the account with unrestricted power over the whole system – and then to hand normal operation over to a user account with far fewer privileges. If that hand-off never happens, an attacker able to compromise the server faces no further permission barrier to reading any data, or to starting or manipulating any connection, file or database operation the server is capable of. For a security suite, that’s about as bad as it gets.
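As an added illustration of the check a defender would run for the misconfiguration described above (this is example code, not part of the original article or of FireEye’s or ERNW’s work): it parses `ps -eo user,pid,ppid,comm` output and flags Apache worker processes whose parent is the Apache control process but which are still running as root. The process listing below is a constructed sample so the script runs offline.

```python
"""Flag Apache worker processes that never dropped root.

Apache's control (parent) process is expected to run as root; every
worker it forks should run as the unprivileged User/Group from httpd.conf
(e.g. `User www-data` / `Group www-data`). A worker still owned by root
means the privilege hand-off did not happen.
"""
from collections import namedtuple

Proc = namedtuple("Proc", "user pid ppid comm")
APACHE_NAMES = {"httpd", "apache2"}  # common binary names on RHEL / Debian


def parse_ps(text):
    """Parse `ps -eo user,pid,ppid,comm` output (header line skipped)."""
    procs = []
    for line in text.strip().splitlines()[1:]:
        user, pid, ppid, comm = line.split(None, 3)
        procs.append(Proc(user, int(pid), int(ppid), comm))
    return procs


def root_workers(procs):
    """Return (pid, comm) of Apache children of an Apache parent that run as root."""
    by_pid = {p.pid: p for p in procs}
    flagged = []
    for p in procs:
        if p.comm not in APACHE_NAMES:
            continue
        parent = by_pid.get(p.ppid)
        if parent is None or parent.comm not in APACHE_NAMES:
            continue  # control process: root is expected here
        if p.user == "root":
            flagged.append((p.pid, p.comm))
    return flagged


# Constructed sample: pid 813 is a worker that never dropped privileges.
SAMPLE_PS = """USER PID PPID COMMAND
root 1 0 systemd
root 812 1 httpd
root 813 812 httpd
www-data 814 812 httpd
root 900 1 sshd
"""

if __name__ == "__main__":
    for pid, comm in root_workers(parse_ps(SAMPLE_PS)):
        print(f"worker {comm} pid {pid} is running as root")
```

On a live host, replace the sample with `subprocess.check_output(["ps", "-eo", "user,pid,ppid,comm"], text=True)`.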

On the 13th August an ex-parte injunction was awarded to the California-based company in a German District Court, to prevent the security researcher who found the vulnerabilities from discussing them in a keynote speech at today’s conference. However, it was not served until the 2nd of September. Conversation at the conference today has reflected criticism of the company for what reads as an attempt to allow no time for an effective legal challenge to the injunction.

Felix Wilhelm, a security researcher for ERNW GmbH, made FireEye aware of the vulnerabilities five months ago, and reportedly worked with the company to help them resolve the issues successfully. But FireEye eventually decided that no disclosure of the vulnerabilities should be allowed to take place.

FireEye, founded in 2004, is a leading network security company focused on protecting businesses from malware, zero-day exploits and other cyber attacks. The U.S.-based firm has over 2,500 customers globally, including Fortune 500 companies and many federal departments. FireEye was tightly involved in cyber investigations following the high-profile attacks on Sony Pictures and Anthem.

UPDATE:

A spokeswoman for FireEye contacted The Stack with the following statement:

I have just seen your story around FireEye and I wanted to correct some points.

We tried to conceal from the researchers to publish our IP. No company in the world would want their IP revealed. We did that to protect our customers. We openly worked with them to fix the vulnerabilities, and patches have been available for months now. Our customers are protected.

This was not about stopping them from issuing a report nor the vulnerabilities; it was about protecting intellectual property that they didn’t have a legal right to publish.


The views expressed on this blog are Richard’s personal views and do not reflect or represent the views of his employer, Red Hat.