FireEye tried to cover up patched vulnerabilities

There was a row at the London security conference 44CON as US security company FireEye attempted to kill off public disclosure of a major series of vulnerabilities in its product suite.

The patched flaws included the default use of the ‘root’ account on a significant number of the Apache servers providing services to FireEye’s clients.

An attacker able to compromise such a server would face no further permission barriers in obtaining any data and starting or manipulating any connections or file/database operations of which the server is capable.
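To check an Apache host for the misconfiguration described above, here is an added example (not from the article, FireEye or ERNW): a POSIX shell check that parses `ps -eo pid,ppid,user,comm` output and flags worker processes that never dropped root. The Apache master process legitimately runs as root to bind port 80; its workers should run as the account named by the `User`/`Group` directives in httpd.conf. The `ps` sample is constructed.

```shell
#!/bin/sh
# Constructed sample of `ps -eo pid,ppid,user,comm` output: one Apache master
# (PID 812, root, expected) and three workers, two of which still run as root.
SAMPLE_PS='  PID  PPID USER     COMMAND
    1     0 root     systemd
  812     1 root     apache2
  815   812 www-data apache2
  816   812 root     apache2
  817   812 root     apache2
  900     1 root     sshd'

# Constructed sample of a correctly configured host (User www-data in httpd.conf).
SAMPLE_PS_OK='  PID  PPID USER     COMMAND
    1     0 root     systemd
  812     1 root     apache2
  815   812 www-data apache2
  816   812 www-data apache2'

# Read ps-style lines from stdin. A "worker" is an apache2/httpd process whose
# parent is also apache2/httpd. Print the PID of every worker running as root;
# return 1 if any were found, 0 otherwise (so it can gate a cron or CI check).
root_apache_workers() {
    awk 'NR > 1 { ppid[$1] = $2; user[$1] = $3; comm[$1] = $4 }
         END {
             n = 0
             for (p in ppid) {
                 c = comm[p]; pc = comm[ppid[p]]
                 if ((c == "apache2" || c == "httpd") &&
                     (pc == "apache2" || pc == "httpd") &&
                     user[p] == "root") { print p; n++ }
             }
             exit (n > 0)
         }'
}

# Live usage would be: ps -eo pid,ppid,user,comm | root_apache_workers
if printf '%s\n' "$SAMPLE_PS" | root_apache_workers; then
    echo "OK: all Apache workers have dropped root"
else
    echo "WARNING: Apache workers above are running as root; set User/Group in httpd.conf"
fi
```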

On 13 August, FireEye obtained an injunction from a German district court to prevent the security researcher who found the vulnerabilities from discussing them in a keynote speech at the conference.

However, it was not served until 2 September, which meant that he could not contest the gagging order in time.

Felix Wilhelm, a security researcher at ERNW GmbH, made FireEye aware of the vulnerabilities five months ago and worked with the company to fix them. However, FireEye decided that no disclosure of the vulnerabilities should be allowed to take place, presumably because it feared its high-profile customers might be a little unsettled. Security software is supposed to stop hacks, not enable them.

When questioned about the injunction by The Stack, FireEye said that all it wanted was for the researchers not to reveal the company's intellectual property.

“No company in the world would want their IP revealed. We did that to protect our customers. We openly worked with them to fix the vulnerabilities, and patches have been available for months now.

“Our customers are protected. This was not about stopping them from issuing a report on the vulnerabilities; it was about protecting intellectual property that they didn’t have a legal right to publish,” a FireEye spokesperson said.