[Infowarrior] - FireEye Tries to Bury Keynote Reporting That It Ran Apache As Root On Security Servers

Richard Forno rforno at infowarrior.org
Thu Sep 10 18:19:51 CDT 2015 

Major web security company sought to conceal that it ran compromised servers

Richard Morrell Thu 10 Sep 2015 4.21pm

https://thestack.com/security/2015/09/10/major-web-security-company-sought-to-conceal-that-it-ran-compromised-servers/

A controversy has erupted today at London security conference 44CON as details emerge of U.S. security company FireEye’s attempts to stifle any public disclosure of a major series of vulnerabilities in its suite – all of which have now been patched.

The vulnerabilities are said to have included the default use of the ‘root’ account on a significant number of the Apache servers providing services to FireEye’s clients.

Apache is designed to be started by a ‘root’ user – who has absolute power over all the functionality of the software – and quickly passed to normal operation via a user account with far fewer privileges. An attacker able to compromise the server would face no further permissions barriers in obtaining any data and starting or manipulating any connections or file/database operations of which the server is capable. For a security suite, that’s about as bad as it gets.

On the 13th August an ex-parte injunction was awarded to the California-based company in a German District Court, to prevent the security researcher who found the vulnerabilities from discussing it in a keynote speech at today’s conference. However it was not served until the 2nd of September. Conversation at the conference today has reflected criticism of the company for what reads as an attempt to allow no time for an effective legal challenge to the injunction.

Felix Wilhelm, a security researcher for ERNW GmBH, made FireEye aware of the vulnerabilities five months ago, and reportedly worked with the company to help them resolve the issues successfully. But FireEye eventually decided that no disclosure of the vulnerabilities should be allowed to take place.

FireEye, founded in 2004, is a leading network security company focused on protecting businesses from malware, zero-day exploits and other cyber attacks. The U.S.-based firm has over 2,500 customers globally, including Fortune 500 companies and many federal departments. FireEye was tightly involved in cyber investigations following the high-profile attacks on Sony Pictures and Anthem.

UPDATE:

A spokeswoman for FireEye contacted The Stack with the following statement:

Have just seen your story around FireEye and I wanted to correct some points

We tried to conceal from the researchers to publish our IP.  No company in the world would want their IP revealed. We did that to protect our customers. We openly worked with them to fix the vulnerabilities, and patches have been available for months now. Our Customers are protected.

This was not about stopping them from issuing a report neither the vulnerabilities, it was about protecting intellectual property that they didn’t have a legal right to publish.


--
It's better to burn out than fade away.

More information about the Infowarrior mailing list