CVE-2024-40892
📋 TL;DR
A weak credential vulnerability in Firewalla Box Software allows physically proximate attackers to use the device's license UUID to provision SSH credentials via Bluetooth Low-Energy. Once SSH access is gained, attackers can access the LAN. This affects Firewalla Box devices running software versions before 1.979.
💻 Affected Systems
- Firewalla Box
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the Firewalla device leading to network pivoting, data exfiltration, and persistent backdoor access to the entire LAN.
Likely Case
Local network access and potential lateral movement within the LAN, but limited to attackers with physical proximity to the device.
If Mitigated
No impact if the device is updated or Bluetooth is disabled, since physical proximity to the BLE interface is required for initial exploitation.
🎯 Exploit Status
Exploitation requires physical proximity for Bluetooth access. The license UUID can be obtained via Bluetooth sniffing or by reading the QR code on the device.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.979
Vendor Advisory: https://help.firewalla.com/hc/en-us/articles/360060011574
Restart Required: Yes
Instructions:
1. Log into the Firewalla app.
2. Go to Settings > Advanced > Updates.
3. Check for updates.
4. Install version 1.979 or later.
5. Reboot the device after the update.
🔧 Temporary Workarounds
Disable Bluetooth
Platform: linux
Disable the Bluetooth Low-Energy interface to prevent credential provisioning.
firewalla bluetooth off
Physical Security
Platform: all
Restrict physical access to the device and cover the QR code on the bottom.
🧯 If You Can't Patch
- Disable Bluetooth via Firewalla app or CLI command 'firewalla bluetooth off'
- Implement network segmentation to isolate Firewalla management interface
🔍 How to Verify
Check if Vulnerable:
Check the Firewalla software version via the app: Settings > Advanced > Updates. If the version is below 1.979, the device is vulnerable.
Check Version:
firewalla version
Verify Fix Applied:
Verify version is 1.979 or higher in Firewalla app. Confirm Bluetooth is disabled if not needed.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized SSH login attempts
- Bluetooth pairing requests from unknown devices
- Unexpected SSH sessions from local IPs
Network Indicators:
- SSH connections from unexpected internal IPs to Firewalla management interface
- Bluetooth scanning activity near device location
SIEM Query:
source="firewalla" AND ((event="ssh_login" AND result="failed") OR (event="bluetooth_pairing" AND device NOT IN allowed_devices))
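The query above can be expressed as a small offline detector, useful for checking exported logs or for validating the SIEM rule before deploying it. This is an added example, not Firewalla's or the advisory's own code; the key=value log layout, the sample events and the allowlist of known BLE peers are all constructed, since the page does not document Firewalla's real log schema. Note that the source="firewalla" condition is applied to both branches, so events from other sources (the last sample line) are ignored.

```python
"""Offline detector for the two log indicators in the SIEM query:
failed SSH logins and Bluetooth pairings from devices not on an allowlist."""
import shlex
from typing import Iterable, Optional

# Constructed sample events (assumption: key=value layout, not Firewalla's real schema).
SAMPLE_LOG = """\
2024-07-01T10:00:01Z source=firewalla event=ssh_login result=success src=192.168.1.10 user=pi
2024-07-01T10:00:05Z source=firewalla event=ssh_login result=failed src=192.168.1.77 user=pi
2024-07-01T10:00:06Z source=firewalla event=ssh_login result=failed src=192.168.1.77 user=root
2024-07-01T10:01:00Z source=firewalla event=bluetooth_pairing device=AA:BB:CC:DD:EE:01 result=success
2024-07-01T10:02:00Z source=firewalla event=bluetooth_pairing device=11:22:33:44:55:66 result=success
2024-07-01T10:03:00Z source=router event=ssh_login result=failed src=10.0.0.5 user=admin
"""

# Constructed allowlist of BLE peers that are expected to pair with the device.
ALLOWED_DEVICES = {"AA:BB:CC:DD:EE:01"}


def parse_event(line: str) -> dict:
    """Split one log line into a dict of fields; the first token is the timestamp."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(tok.split("=", 1) for tok in shlex.split(rest) if "=" in tok)
    fields["ts"] = ts
    return fields


def is_suspicious(ev: dict, allowed: set) -> Optional[str]:
    """Return an alert name when the event matches the query, else None.
    Mirrors: source="firewalla" AND (failed SSH login OR non-allowlisted BLE pairing)."""
    if ev.get("source") != "firewalla":
        return None  # the source filter scopes both branches of the OR
    if ev.get("event") == "ssh_login" and ev.get("result") == "failed":
        return "ssh_login_failed"
    if ev.get("event") == "bluetooth_pairing" and ev.get("device") not in allowed:
        return "unknown_bluetooth_pairing"
    return None


def detect(lines: Iterable[str], allowed: set = ALLOWED_DEVICES) -> list:
    """Run the rule over raw log lines and return one alert dict per match."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        name = is_suspicious(ev, allowed)
        if name:
            alerts.append({"alert": name, "ts": ev["ts"], "peer": ev.get("src") or ev.get("device")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```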