Security vendor WatchGuard quietly patched a critical vulnerability in a line of its firewall devices and only made the flaw explicit on Wednesday, after revelations that hackers of the Russian military device were massively exploiting it to put together a massive botnet.
Law enforcement agencies in the US and UK warned on February 23 that members of Sandworm – one of the Russian government’s most aggressive and elite hacker groups – were infecting WatchGuard firewalls with malware, making the firewalls part of a massive botnet. On the same day, WatchGuard released a software tool and instructions for identifying and locking infected devices. One of the instructions was to ensure that devices were running the latest version of the company’s Fireware operating system.
Endangering customers unnecessarily
In court documents released Wednesday, an FBI agent wrote that the WatchGuard firewalls hacked by Sandworm were “vulnerable to an exploit that would allow unauthorized remote access to those devices’ control panels.” It was only after the court document was made public that WatchGuard published this FAQ, which first referenced CVE-2022-23176, a vulnerability with a severity rating of 8.8 out of a possible 10.
“WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged admin session through exposed admin access,” the description reads. “This vulnerability affects Fireware OS prior to 12.7.2_U1, 12.x prior to 12.1.3_U3, and 12.2.x to 12.5.x prior to 12.5.7_U3.”
The WatchGuard FAQ said that CVE-2022-23176 was “fully addressed by security fixes that were rolled out in software updates in May 2021”. The FAQ went on to say that investigations by WatchGuard and third-party security firm Mandiant have found “no evidence that the threat actor exploited another vulnerability.”
When WatchGuard released the May 2021 software updates, the company only made the most oblique references to the vulnerability.
“These releases also include fixes to resolve internally detected vulnerabilities,” said a company post. “These issues were found by our engineers and not actively found in the wild. In order not to guide potential threat actors in finding and exploiting these internally discovered issues, we are not sharing technical details about these vulnerabilities they contain.”
According to Wednesday’s FAQ, FBI agents informed WatchGuard in November that about 1 percent of the firewalls it sold were infected by Cyclops Blink, a new strain of malware developed by Sandworm to replace a botnet the FBI dismantled in 2018. . Three months after the FBI’s discovery of the infections, WatchGuard has released the detection tool and its associated 4-step diagnosis and recovery plan for infected devices. The company was designated CVE-2022-23176 a day later, on February 24.
However, even after taking all these steps, including obtaining the CVE, the company still did not explicitly disclose the critical vulnerability that was fixed in the May 2021 software updates. Security professionals, many of whom spent weeks working to protect the internet from vulnerable devices, WatchGuard criticized for not making it explicit.
“It turns out that threat actors *DID* are finding and exploiting the issues,” Will Dormann, a vulnerability analyst at CERT, said in a private message. He referred to the WatchGuard statement in May that the company withheld technical details to prevent the vulnerabilities from being exploited. “And without a CVE issued, more of their customers were exposed than necessary.”
He continued:
WatchGuard should have assigned a CVE when they released an update that addresses the vulnerability. They were also given a second chance at being awarded a CVE when they were approached by the FBI in November. But they waited almost 3 full months after the FBI report (about 8 months in total) before granting a CVE. This behavior is harmful and puts their customers at risk unnecessarily.
WatchGuard representatives did not respond to repeated requests for clarification or comment.