FireEye denies that it 'tried to cover up vulnerabilities'

Security firm reportedly put a gagging order on security researcher, but claims that it was merely protecting its IP

Security firm FireEye reportedly attempted to stop any public disclosure of an important series of vulnerabilities in its suite.

The patched flaws included the default use of the root account on a number of Apache servers that were providing services to FireEye's clients.

Using the root account, an attacker would be able to compromise the server, obtaining any data, starting or manipulating any connections and carrying out file or database operations without facing any permissions barriers. This is of the highest severity for a security suite.
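The article's point is that the damage from a web-server compromise is bounded by the account the request-handling workers run as, so a quick check a defender can run is to see whether any worker is still root. The script below is an added example and not code from the article, FireEye or ERNW: it reads output in the shape of `ps -eo user,pid,ppid,comm --no-headers` (embedded here as a constructed sample rather than taken from a live host), treats a process whose parent is itself a web-server process as a worker, and flags every root-owned worker. A root-owned master that only binds ports 80/443 and then forks unprivileged workers is the normal pattern and is not flagged.

```shell
#!/bin/sh
# Detect web-server worker processes running as root.
# Input format: one process per line, "user pid ppid comm", as produced by
#   ps -eo user,pid,ppid,comm --no-headers
# The samples below are constructed for this example, not captured output.

# Misconfigured host: one httpd worker and one nginx worker run as root.
SAMPLE_PS_BAD='root 1 0 systemd
root 812 1 httpd
root 813 812 httpd
apache 814 812 httpd
root 900 1 nginx
www-data 901 900 nginx
root 902 900 nginx
root 1000 1 sshd'

# Correctly configured host: masters are root, every worker is unprivileged.
SAMPLE_PS_OK='root 1 0 systemd
root 812 1 httpd
apache 813 812 httpd
apache 814 812 httpd
root 900 1 nginx
www-data 901 900 nginx
root 1000 1 sshd'

# Print "user pid comm" for each root-owned web-server process whose parent
# is also a web-server process (i.e. a worker, not the port-binding master).
find_root_web_workers() {
    printf '%s\n' "$1" | awk '
        # Remember every process whose command name is a known web server.
        $4 ~ /^(httpd|apache2|nginx)$/ {
            web[$2] = 1; user[$2] = $1; ppid[$2] = $3; comm[$2] = $4
        }
        END {
            for (p in web)
                if (user[p] == "root" && (ppid[p] in web))
                    print user[p], p, comm[p]
        }'
}

# Number of flagged workers; zero means the privilege drop is working.
count_root_web_workers() {
    find_root_web_workers "$1" | wc -l | tr -d ' '
}

# Stand-alone usage: report on the constructed samples.
for sample in "$SAMPLE_PS_BAD" "$SAMPLE_PS_OK"; do
    n=$(count_root_web_workers "$sample")
    echo "root-owned web workers: $n"
    find_root_web_workers "$sample"
done
```

On a real host, replace the sample with `ps -eo user,pid,ppid,comm --no-headers` and, when a worker is flagged, check the `User`/`Group` directives in the Apache configuration (or the `user` directive for nginx), since those are what make the master drop privileges before handling requests.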

Felix Wilhelm, a security researcher for ERNW GmbH, found the vulnerability five months ago and made FireEye aware of the issue. He worked with the firm to patch the vulnerabilities successfully, but the security firm allegedly decided that no disclosure of the vulnerabilities should be allowed to take place.

An injunction was awarded to the firm in a German District Court to prevent Wilhelm from discussing the vulnerabilities at a keynote speech at London security conference 44CON. Wilhelm presented his findings to 44CON yesterday, but some information concerning FireEye's technology was redacted from the published slide deck to comply with the court ruling.

FireEye denies that it wanted to prevent Wilhelm from discussing the vulnerabilities, but said that it was concerned about protecting its intellectual property.

In a statement sent to Computing, it said:

"At the end of June 2015, FireEye learned that ERNW intended to issue a report discussing the vulnerabilities they claimed to have discovered. When FireEye received the report, we found that it also contained details exposing FireEye intellectual property.

"Since FireEye has been in touch this summer with ERNW working on fixing the vulnerabilities, we repeatedly asked ERNW to reconsider exposing our intellectual property, pointing out that this was trade secret, inappropriate and put our customers at risk. ERNW refused, despite having no legal right under German law to expose our trade secret information," the firm said.

"It is important to note that FireEye did not seek to deny ERNW from disclosing the vulnerabilities themselves. In fact, FireEye cooperated with ERNW on this matter and ultimately approved their published report on the vulnerabilities," it added.

Earlier this week, another security researcher, Kristian Erik Hermansen, disclosed details of zero-day vulnerabilities in FireEye's security appliance, including proof-of-concept code. Hermansen's information is reportedly for sale. The researcher claimed that he had known about the flaw for 18 months.

"FireEye appliance, unauthorized remote root file system access. Oh cool, web server runs as root! Now that's excellent security from a_security_vendor :) Why would you trust these people to have this device on your network," he wrote on Exploit Database on disclosure of the flaws.

He continued: "Just one of many handfuls of FireEye/Mandiant zero-day. Been sitting on this for more than 18 months with no fix from those security 'experts' at FireEye. Pretty sure Mandiant staff coded this and other bugs into the products. Even more sad, FireEye has no external security researcher reporting process."