Security vendor WatchGuard has quietly fixed a critical vulnerability in a number of its firewall devices, only explicitly disclosing the flaw on Wednesday after it was revealed that hackers from Russia’s military establishment have been exploiting it en masse to build a massive botnet.
Law enforcement agencies in the US and UK warned on February 23 that members of Sandworm — one of the Russian government’s most aggressive and elite hacking groups — were infecting WatchGuard firewalls with malware that made the firewalls part of a massive botnet. On the same day, WatchGuard released a software tool and instructions to identify and block infected devices. Instructions included ensuring devices were running the latest version of the company’s Fireware operating system.
Exposing customers to unnecessary risk
In court documents unsealed Wednesday, an FBI agent wrote that the WatchGuard firewalls hacked by Sandworm were “vulnerable to an exploit that allows unauthorized remote access to the management panels of these devices.” Only after the court document was released did WatchGuard publish this FAQ, which first referenced CVE-2022-23176, a vulnerability with a severity of 8.8 out of 10.
“WatchGuard Firebox and XTM appliances allow a remote attacker with non-privileged credentials to access the system with a privileged management session through exposed management access,” the description reads. “This vulnerability affects Fireware OS before 12.7.2_U1, 12.x before 12.1.3_U3 and 12.2.x to 12.5.x before 12.5.7_U3.”
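The affected-version statement above is easy to misread, because a hotfix suffix such as `_U3` matters: 12.5.7 is affected while 12.5.7_U3 is not. The following Python snippet is an added example, not WatchGuard’s own tooling; it parses Fireware version strings and reads the description branch by branch (12.0.x/12.1.x fixed at 12.1.3_U3, 12.2.x through 12.5.x fixed at 12.5.7_U3, everything else before 12.7.2_U1), which is an interpretation of the advisory text, and the inventory it checks is constructed.

```python
import re
from typing import NamedTuple


class FirewareVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    update: int  # the "_Un" hotfix suffix; 0 when absent


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_U(\d+))?$")


def parse_version(text: str) -> FirewareVersion:
    """Parse strings like '12.5.7_U3' or '12.7.2' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version: {text!r}")
    major, minor, patch, update = (int(g) if g is not None else 0 for g in m.groups())
    return FirewareVersion(major, minor, patch, update)


# Fixed releases named in the CVE-2022-23176 description, one per release branch.
FIXED_12_1 = parse_version("12.1.3_U3")  # covers 12.0.x / 12.1.x
FIXED_12_5 = parse_version("12.5.7_U3")  # covers 12.2.x through 12.5.x
FIXED_12_7 = parse_version("12.7.2_U1")  # covers everything else before 12.7.2_U1


def fixed_release_for(v: FirewareVersion) -> FirewareVersion:
    """Map a version onto the first fixed release of its branch (our reading of the advisory)."""
    if v.major == 12 and v.minor <= 1:
        return FIXED_12_1
    if v.major == 12 and 2 <= v.minor <= 5:
        return FIXED_12_5
    return FIXED_12_7


def is_affected(text: str) -> bool:
    """True when the running Fireware version predates its branch's fix."""
    v = parse_version(text)
    return v < fixed_release_for(v)


def triage(inventory: dict) -> dict:
    """Return hostname -> 'AFFECTED' or 'patched' for a hostname -> version inventory."""
    return {host: ("AFFECTED" if is_affected(ver) else "patched") for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = {"fw-a": "12.5.7", "fw-b": "12.5.7_U3", "fw-hq": "12.7.2_U1", "fw-lab": "12.1.3_U2", "fw-old": "11.12.4"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```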
WatchGuard’s FAQ states that CVE-2022-23176 was “completely addressed by security fixes introduced in software updates in May 2021.” The FAQ goes on to say that investigations by WatchGuard and third-party security firm Mandiant “found no evidence that the attacker exploited any other vulnerability.”
When WatchGuard released the May 2021 software updates, the company made only the most indirect references to the vulnerability.
“These releases also contain fixes to address internally identified security issues,” a company mail specified. “These issues were found by our engineers and have not been actively found in the wild. In order not to trick potential threat actors into finding and exploiting these internally discovered issues, we do not share technical details about the bugs they contained.”
According to Wednesday’s FAQ, FBI agents informed WatchGuard in November that about 1 percent of firewalls sold were infected with Cyclops Blink, a new malware strain developed by Sandworm to replace a botnet the FBI dismantled in 2018. Three months after learning of the infections from the FBI, WatchGuard released the detection tool and accompanying 4-step diagnosis and remediation plan for infected devices. A day later, on February 24, the company received the designation CVE-2022-23176.
However, even after all these steps, including obtaining the CVE, the company still has not explicitly disclosed the critical vulnerability fixed in the May 2021 software updates. Security researchers, many of whom have worked for weeks to rid the Internet of vulnerable devices, have criticized WatchGuard for failing to explicitly disclose this.
“As it turns out, threat actors *DID* find and exploit the issues,” said Will Dormann, a vulnerability analyst at CERT, in a private message. He was referring to WatchGuard’s May statement that the company is withholding technical details to prevent the vulnerabilities from being exploited. “And without a CVE issued, more of their customers were unprotected than they needed to be.”
He continued:
WatchGuard should have assigned a CVE when they released an update that fixes the vulnerability. They also had a second chance to assign a CVE when contacted by the FBI in November. But they waited almost 3 full months after the FBI notification (about 8 months total) before assigning a CVE. This behavior is harmful and puts your customers at unnecessary risk.
WatchGuard officials did not respond to repeated requests for clarification or comment.