FireEye investigating recent vulnerability disclosures


Researcher says they were fired for disclosing vulnerabilities

Update:

FireEye has released a set of FireEye Operating System (FEOS) updates for their NX, EX, AX, FX, and CM product lines. The patches address a number of vulnerabilities, which if exploited could allow an attacker to conduct command injection attacks, launch Man-in-the-Middle attacks, and more.

Their security bulletin doesn't mention Bourbon by name. Yet the final set of fixes matches the issues he reported previously (see original story below), only they're attributed to an "independent external vulnerability assessment firm" hired to evaluate the security of FireEye's products.

Based on everything that's been made public, the odds are high that Sogeti is the contracted assessment firm, and it would explain the nature of their relationship with FireEye, as well as the reason for the NDA.

Salted Hash reached out to FireEye for confirmation, who said they had "no further comment."

But that's not the end of the story.

Sources close to the investigation into what happened to Bourbon, who wished to remain anonymous, have shared additional information with Salted Hash.

In May, FireEye was told about Bourbon's findings. This goes against their statements earlier in the day that the company had no prior notification.

After being told about Bourbon's personal project, where he performed a black box audit of the latest version of FireEye's MAS, a System Engineering Manager for FireEye started a dialogue with him about his findings. Fast forward to July, and you come to Bourbon's disclosure on Exploit-DB.

Previously, FireEye told Salted Hash that they didn't request the disclosure's removal, nor did they ask Sogeti to take any action against Bourbon.

However, Salted Hash has since seen evidence suggesting the exact opposite.

FireEye's System Engineering Manager, on July 7, asked Bourbon to initiate the process of having Google's cache of the disclosure expunged, while confirming that the actual post on Exploit-DB was in fact removed.

In addition, someone further up the chain from Bourbon was told of the conversation, a step that was said to be a requirement because Sogeti could be impacted by any fallout, given their relationship with FireEye.

So yes, FireEye did contact Sogeti, but if there was pressure to have action taken against Bourbon, it seems as if it was passive and not a direct request.

The nature of the NDA between FireEye and Sogeti is important, because such contracts can cover each employee that works for a company, regardless of whether they've signed something.

Bourbon maintains that he was not under an NDA, and that his research was performed outside of work. But it would appear that while he was working on his own, he came in conflict with Sogeti's NDA with FireEye.

However, it isn't clear how Bourbon gained access to FireEye's MAS. The presumption is that he got access to it through Sogeti, but just to be sure, Salted Hash has asked him to shed some light on that line of thought.

If Bourbon was in fact fired over his actions, it might not be completely unjustifiable. If it turns out he was under NDA because of his employer, then he violated it.

Otherwise, it might be a case of a company overreacting to an otherwise minor incident. As of Tuesday evening, requests for comment to Sogeti have gone unanswered.

In an email with Salted Hash, Bourbon said he is meeting with the company later this month, presumably to discuss the incident.

[...]

Original Article:

FireEye is investigating the disclosure of multiple vulnerabilities in their Malware Analysis System (MAS), by a researcher who claims they were fired over the release.

The disclosure (mirrored online) was originally posted to Exploit Database, but it was later removed. According to Exploit-DB, the removal was at the researcher's request.

At the time the disclosure was made, the researcher (Jean-Marie Bourbon) worked for Sogeti, an IT consultancy that operates globally.

Sources familiar with the incident have said that Sogeti was under an NDA (non-disclosure agreement) with FireEye, and the disclosure of product vulnerabilities violated it. As such, Bourbon was reprimanded by his employer and told to remove the post.

By Tuesday afternoon, there were no official statements on the matter from Sogeti, other than messages to Bourbon on Twitter to contact human resources and his manager.

However, Bourbon has a different view of things, claiming that pressure from FireEye led to his employment being terminated.

"...sorry guys...due to a fireeye request & I've lost my job now .. THX @FireEye..."

-@kmkz_security (Jean-Marie Bourbon)

Speaking to Salted Hash, a spokesperson for FireEye said that they did not ask for him to be terminated, nor did they request that the disclosure on Exploit-DB be removed. However, they confirmed that the company is investigating the reported vulnerabilities.

For now, they're checking to see if the vulnerabilities disclosed are in fact real, and if proven to be credible, they'll take steps to patch the problems as soon as possible. The spokesperson said they couldn't comment further on the process as it was ongoing.

Salted Hash has made attempts to contact Sogeti for their side of the story, but requests for additional information remained unanswered by the time this post was published. Should they respond, this entry will be updated accordingly.

For his part, Bourbon claims he was not under an NDA and that his research took place outside of work.

According to the disclosure, FireEye's MAS is vulnerable to three reflected Cross-Site Scripting (XSS) vulnerabilities; a single Cross-Site Request Forgery (CSRF) vulnerability; a NoSQL Injection vulnerability; a PostgreSQL Injection vulnerability; file and path disclosure vulnerabilities; and information disclosure vulnerabilities.

Online, those following the incident are skeptical of FireEye's claims.

The general feel is that FireEye has attacked a researcher for doing what they do best. A common theme among researchers and experts commenting on the disclosure fallout is that this isn't the first time such an incident has happened.

FireEye is expected to issue a formal statement later today. This post will be updated as the situation unfolds.
