12.7.2 U1 - what is changed

Hi,

I see this for 12.7.2 Update 1:

This release includes several general security enhancements. [FBX-21579, FBX-21596, FBX-21590]
This release includes a security enhancement for Fireware Web UI. [FBX-22493]

It is a bit hard to prioritize whether or how fast we should update when we cannot see what is fixed.

Regards
Robert

Comments

  • james.carson (Moderator, WatchGuard Representative)

    Hi @rv@kaufmann.dk

    The first item is related to general enhancements to the Firebox login process and how those communications work. If you're using a recent version of WSM to access your firewall, you and your users will not notice any change.

    The last item relates to accessing the Web UI. If you're accessing the Web UI via a normal web browser, you will not see or notice any change.

    As with most security enhancements, revealing details can potentially allow third parties to use vulnerabilities and changes therein to craft attacks and seek out users that have not upgraded yet.

    -James Carson
    WatchGuard Customer Support

  • James, while I appreciate your answer around details etc., the following points are worthy of note:

    1) Security by obscurity is a deprecated concept
    2) Not disclosing ANY details makes justifying the risk of an upgrade impossible to do. Default stance would therefore be not to upgrade.

    Can you at least share CVE scores (or equivalents) so our InfoSec teams can perform some kind of risk analysis?

    Some high-level details should be disclosable without giving attackers too much information. If this isn't the case, then the issue is serious enough that you should be flagging it as a critical vulnerability.

    J

  • james.carson (Moderator, WatchGuard Representative)

    @Jason_Bramley I've provided all of the information given to me here. If you need more, I'd suggest a support ticket.

    -James Carson
    WatchGuard Customer Support

  • @Jason_Bramley said:
    James, while I appreciate your answer around details etc., the following points are worthy of note:

    1) Security by obscurity is a deprecated concept
    2) Not disclosing ANY details makes justifying the risk of an upgrade impossible to do. Default stance would therefore be not to upgrade.

    Can you at least share CVE scores (or equivalents) so our InfoSec teams can perform some kind of risk analysis?

    Some high-level details should be disclosable without giving attackers too much information. If this isn't the case, then the issue is serious enough that you should be flagging it as a critical vulnerability.

    J

    I disagree that "Security by obscurity is a deprecated concept" in the case of many vulnerabilities. That is why many vendors have bounty programs, so that vulnerabilities get found and QUIETLY patched, then PoCs get released months later. There have been many attacks that started right after public mentions of the vulnerabilities, and they were devastating, despite patches being available.

    Gregg Hill

  • I feel I can agree with Greggmh123
