Even as it was under attack from a Russian hacker outfit, the security provider kept a critical weakness in its firewall appliances hidden
WATCHGUARD, A SECURITY VENDOR, silently patched a serious weakness in a series of firewall devices and didn’t publicly disclose the flaw until Wednesday, after it was revealed that hackers from Russia’s military apparatus used it to build a massive botnet. Following warnings from law enforcement authorities that a Russian hacking gang had infiltrated some of its firewalls, the security vendor merely published a detection tool for clients.
On February 23, law enforcement authorities in the United States and the United Kingdom reported that members of Sandworm, one of Russia’s most aggressive and elite hacking organisations, were infecting WatchGuard firewalls with malware that turned them into part of a massive botnet. WatchGuard issued a software tool and instructions for detecting and locking down compromised devices on the same day. One of the requirements was that the appliances run the most recent version of the company’s Fireware OS.
Putting Customers in Danger Unnecessarily
The WatchGuard firewalls hacked by Sandworm were “susceptible to an exploit that allows unlawful remote access to the management panels of those devices,” according to court documents unsealed on Wednesday. WatchGuard didn’t publish an FAQ until after the court document was made public, and it was the first time the company mentioned CVE-2022-23176, a vulnerability with a severity rating of 8.8 out of a possible 10.
The description stated, “A remote attacker with unprivileged credentials can access the system with a privileged management session via exposed management access on WatchGuard Firebox and XTM appliances. Fireware OS before 12.7.2 U1, 12.x before 12.1.3 U3, and 12.2.x through 12.5.x before 12.5.7 U3 are all affected by this issue.”
CVE-2022-23176 was “completely addressed” by security fixes that began rolling out in software updates in May 2021, according to the WatchGuard FAQ. In addition, WatchGuard and outside security firm Mandiant investigations “could not identify evidence the threat actor used a separate vulnerability,” according to the FAQ.
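As an added example that is not part of this article or of WatchGuard’s own tooling, the following Python check evaluates a Fireware OS version string against the affected ranges quoted above. It assumes (my reading of the advisory text, not something the article states) that each maintenance branch is fixed at the named update release (12.1.3 U3 for 12.1.x and earlier, 12.5.7 U3 for 12.2.x through 12.5.x, 12.7.2 U1 for everything later) and that versions are written in the form 12.5.7_U3.

```python
import re
from typing import List, Optional, Tuple

# Version tuple: (major, minor, patch, update). "12.5.7_U3" -> (12, 5, 7, 3).
Version = Tuple[int, int, int, int]

_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:[ _]?(?:U|Update\s?)(\d+))?\s*$", re.IGNORECASE
)


def parse_fireware_version(text: str) -> Optional[Version]:
    """Parse strings such as '12.7.2', '12.5.7_U3' or '12.1.3 Update 3'.
    Returns None for anything that does not look like a Fireware version."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch or 0), int(update or 0))


# First fixed release per branch, taken from the CVE-2022-23176 description.
# Assumption: a build at or above the fixed release on its own branch has the fix.
_FIXED_BY_BRANCH: List[Tuple[Version, Version]] = [
    # (branch upper bound, exclusive)  (first fixed release on that branch)
    ((12, 2, 0, 0), (12, 1, 3, 3)),  # 12.x before 12.2 -> fixed in 12.1.3 U3
    ((12, 6, 0, 0), (12, 5, 7, 3)),  # 12.2.x through 12.5.x -> fixed in 12.5.7 U3
]
_FIXED_MAINLINE: Version = (12, 7, 2, 1)  # everything else -> fixed in 12.7.2 U1


def fixed_release_for(version: Version) -> Version:
    """Return the first fixed release that applies to this version's branch."""
    for branch_upper, fixed in _FIXED_BY_BRANCH:
        if version < branch_upper:
            return fixed
    return _FIXED_MAINLINE


def is_affected_by_cve_2022_23176(text: str) -> bool:
    """True if the given Fireware version predates the fix for its branch."""
    version = parse_fireware_version(text)
    if version is None:
        raise ValueError(f"unrecognised Fireware version: {text!r}")
    return version < fixed_release_for(version)
```

Running this against the version reported by each appliance (or by a fleet inventory export) gives a quick triage list; a version that parses but is not affected should still be checked with the vendor’s detection tool, since the check says nothing about whether a device was already compromised.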
Only the most oblique allusions to the issue were made by WatchGuard when it released the May 2021 software patches.
According to a company announcement, “These versions also include solutions to mitigate internally detected security problems. Our engineers discovered these flaws, which were not discovered in the wild. We aren’t disclosing technical specifics about these problems in order to avoid encouraging possible threat actors toward locating and exploiting these internally found concerns.”
According to Wednesday’s FAQ, FBI agents alerted WatchGuard in November that Cyclops Blink, a new strain of malware developed by Sandworm to replace a botnet the FBI dismantled in 2018, had compromised around 1% of the firewalls it had sold. Three months after the FBI informed it of the infections, WatchGuard released the detection tool, along with a 4-Step Diagnosis and Remediation Plan for affected devices. The company obtained the CVE-2022-23176 designation on February 24.
Despite taking all of these steps, including obtaining the CVE, the company failed to publicly disclose the critical vulnerability fixed in the May 2021 software updates. Security experts lambasted WatchGuard for failing to disclose it explicitly; many of them had spent weeks attempting to rid the Internet of vulnerable devices.
In a private message, Will Dormann, a vulnerability analyst at CERT, stated, “As it turns out, threat actors DID uncover and exploit the problems.” He was alluding to WatchGuard’s May statement that the company was withholding technical specifics in order to prevent the flaws from being exploited. “Without a CVE, more of their customers were exposed than was necessary.”
“When WatchGuard delivered an update that corrected the vulnerability, they should have assigned a CVE,” he continued. “When the FBI contacted them in November, they got a second chance to assign a CVE. However, they did not give a CVE until nearly three months after the FBI notification (a total of eight months). This behaviour is dangerous, and it puts their clients in danger.”
Representatives from WatchGuard did not respond to multiple requests for explanation or comment.