Security vendor WatchGuard quietly fixed a critical vulnerability in a line of its firewall devices and didn’t explicitly disclose the flaw until Wednesday, following revelations hackers from Russia’s military apparatus exploited it en masse to assemble a giant botnet. After law enforcement agencies warned the security vendor that a Russian hacking group had infected some of its firewalls, the company simply released a detection tool for customers.
Law enforcement agencies in the US and UK on February 23 warned that members of Sandworm—among the Russian government’s most aggressive and elite hacker groups—were infecting WatchGuard firewalls with malware that made the firewalls part of a vast botnet. On the same day, WatchGuard released a software tool and instructions for identifying and locking down infected devices. Among the instructions was to ensure appliances were running the latest version of the company’s Fireware OS.
Putting Customers at Unnecessary Risk
In court documents unsealed on Wednesday, an FBI agent wrote that the WatchGuard firewalls hacked by Sandworm were “vulnerable to an exploit that allows unauthorized remote access to the management panels of those devices.” It wasn’t until after the court document was public that WatchGuard published this FAQ, which for the first time made reference to CVE-2022-23176, a vulnerability with a severity rating of 8.8 out of a possible 10.
“WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access,” the description read. “This vulnerability impacts Fireware OS before 12.7.2_U1, 12.x before 12.1.3_U3, and 12.2.x through 12.5.x before 12.5.7_U3.”
The WatchGuard FAQ said that CVE-2022-23176 had been “fully addressed by security fixes that started rolling out in software updates in May 2021.” The FAQ went on to say that investigations by WatchGuard and outside security firm Mandiant “did not find evidence the threat actor exploited a different vulnerability.”
When WatchGuard released the May 2021 software updates, the company made only the most oblique of references to the vulnerability.
“These releases also include fixes to resolve internally detected security issues,” a company post stated. “These issues were found by our engineers and not actively found in the wild. For the sake of not guiding potential threat actors toward finding and exploiting these internally discovered issues, we are not sharing technical details about these flaws that they contained.”
According to Wednesday’s FAQ, FBI agents informed WatchGuard in November that about 1 percent of the firewalls it had sold had been infected by Cyclops Blink, a new strain of malware developed by Sandworm to replace a botnet the FBI dismantled in 2018. Three months after learning of the infections from the FBI, WatchGuard published the detection tool and the accompanying 4-Step Diagnosis and Remediation Plan for infected devices. The company obtained the CVE-2022-23176 designation a day later, on February 24.
Even after all of these steps, including obtaining the CVE, however, the company still didn’t explicitly disclose the critical vulnerability that had been fixed in the May 2021 software updates. Security professionals, many of whom have spent weeks working to rid the Internet of vulnerable devices, blasted WatchGuard for the failure to explicitly disclose.
“As it turns out, threat actors *DID* find and exploit the issues,” Will Dormann, a vulnerability analyst at CERT, wrote in a private message. He was referring to the WatchGuard explanation from May that the company was withholding technical details to prevent the security issues from being exploited. “And without a CVE issued, more of their customers were exposed than needed to be.”
He continued: “WatchGuard should have assigned a CVE when they released an update that fixed the vulnerability. They also had a second chance to assign a CVE when they were contacted by the FBI in November. But they waited for nearly 3 full months after the FBI notification (about 8 months total) before assigning a CVE. This behavior is harmful, and it put their customers at unnecessary risk.”
WatchGuard representatives didn’t respond to repeated requests for clarification or comment.
This story originally appeared on Ars Technica.
More Great WIRED Stories