
WatchGuard did not explicitly disclose a critical flaw exploited by hackers


Security vendor WatchGuard quietly fixed a critical vulnerability in a line of its firewall appliances and did not explicitly disclose the flaw until Wednesday, following revelations that hackers from Russia’s military apparatus had exploited it en masse to assemble a giant botnet. After law enforcement agencies alerted the vendor that a Russian hacking group had infected some of its firewalls, the company initially released only a detection tool to customers.

Law enforcement agencies in the US and UK warned on February 23 that members of Sandworm, one of the most elite and aggressive hacker groups working for the Russian government, were infecting WatchGuard firewalls with malware that made the firewalls part of a vast botnet. On the same day, WatchGuard released a software tool and instructions for identifying and locking down infected devices. Among the instructions was to make sure the devices were running the latest version of the company’s Fireware operating system.

Putting customers at unnecessary risk

In court documents unsealed on Wednesday, an FBI agent wrote that the WatchGuard firewalls attacked by Sandworm were “vulnerable to an exploit that allowed remote unauthorized access to the management panel of those devices.” It wasn’t until after the court documents were made public that WatchGuard published this FAQ, which for the first time made reference to CVE-2022-23176, a vulnerability with a severity rating of 8.8 out of a possible 10.

“WatchGuard Firebox and XTM appliances allow remote attackers with unprivileged credentials to access the system with a privileged management session via exposed management access,” the CVE description reads. “This vulnerability impacts Fireware OS before 12.7.2_U1, 12.x before 12.1.3_U3, and 12.2.x through 12.5.x before 12.5.7_U3.”
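The affected-version list above is awkward to read because Fireware carries three maintained branches (12.1, 12.5 and 12.7) with update-numbered builds such as 12.5.7_U3, and a plain "is my version older than X" comparison gets the branch logic wrong. The following checker is an added example written for this article, not a WatchGuard tool: it parses version strings in the 12.5.7_U3 form (a missing _U suffix is treated as update 0, which is an assumption about the format) and applies the three ranges exactly as the CVE text states them, treating 12.6.x, 12.0.x and anything older than 12 as covered by the general "before 12.7.2_U1" clause.

```python
"""Decide whether a Fireware OS version is in the CVE-2022-23176 affected ranges.

Added example for this article; not WatchGuard's own code.  Assumptions:
  * version strings look like "12.5.7" or "12.5.7_U3"; the "_Un" suffix is the
    update number and a missing suffix is treated as update 0;
  * the affected ranges are taken literally from the CVE description:
      - Fireware OS before 12.7.2_U1,
      - 12.x before 12.1.3_U3,
      - 12.2.x through 12.5.x before 12.5.7_U3.
"""
import re
from typing import List, Tuple

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_U(\d+))?$")


def parse_version(s: str) -> Tuple[int, int, int, int]:
    """Turn '12.5.7_U3' into (12, 5, 7, 3) so versions compare as tuples."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version string: {s!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch or 0), int(update or 0))


# The first fixed build on each branch, as named in the CVE description.
FIX_12_1 = parse_version("12.1.3_U3")
FIX_12_5 = parse_version("12.5.7_U3")
FIX_12_7 = parse_version("12.7.2_U1")


def is_affected(version: str) -> bool:
    """True if `version` falls inside any of the three affected ranges."""
    v = parse_version(version)
    # "12.x before 12.1.3_U3": the 12.0/12.1 branch is fixed from 12.1.3_U3
    # up to (but not including) 12.2.
    if FIX_12_1 <= v < (12, 2, 0, 0):
        return False
    # "12.2.x through 12.5.x before 12.5.7_U3": the 12.5 branch is fixed from
    # 12.5.7_U3 up to (but not including) 12.6.
    if FIX_12_5 <= v < (12, 6, 0, 0):
        return False
    # "before 12.7.2_U1": everything else (12.6.x, 12.7.0/12.7.1, 12.7.2 with
    # no update, and anything older than 12) is fixed only from 12.7.2_U1 on.
    return v < FIX_12_7


def triage(versions: List[str]) -> List[Tuple[str, str]]:
    """Label each version string AFFECTED or FIXED, for a quick inventory pass."""
    return [(ver, "AFFECTED" if is_affected(ver) else "FIXED") for ver in versions]


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = ["12.1.3_U2", "12.1.3_U3", "12.5.7", "12.5.7_U3",
              "12.6.4", "12.7.2", "12.7.2_U1", "12.8"]
    for ver, status in triage(sample):
        print(f"{ver:12} {status}")
```

Note the two cases that a naive numeric comparison misses: 12.5.7_U3 is fixed even though it is numerically below 12.7.2_U1, and 12.6.4 is affected even though it is numerically above 12.5.7_U3.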

WatchGuard’s FAQ says CVE-2022-23176 has been “fully addressed with security fixes beginning to roll out in software updates in May 2021.” The FAQ goes on to say that investigations by WatchGuard and outside security firm Mandiant “found no evidence that the threat actor exploited another vulnerability.”

When WatchGuard released the software updates in May 2021, the company made only passing mention of the security holes they fixed.

“These releases also include fixes to address security issues discovered internally,” a company post said. “These issues were found by our engineers and have not been found in the wild. In the interest of not guiding potential threat actors toward finding and exploiting these internally discovered issues, we are not sharing technical details about the flaws they contain.”

According to Wednesday’s FAQ, FBI agents informed WatchGuard in November that about 1 percent of the firewalls it had sold were infected by Cyclops Blink, a new strain of malware developed by Sandworm to replace a botnet the FBI dismantled in 2018. Three months after learning of the infections from the FBI, WatchGuard published the detection tool and an accompanying four-step diagnosis and remediation plan for infected devices. The company obtained the CVE-2022-23176 designation a day later, on February 24.

Even after all of these steps, including obtaining the CVE, the company still did not explicitly disclose the critical vulnerability that had been fixed in the May 2021 software updates. Security experts, many of whom have spent weeks working to rid the Internet of vulnerable devices, criticized WatchGuard for the lack of clear disclosure.

“As it turns out, threat actors *DID* find and exploit the problems,” Will Dormann, a vulnerability analyst at CERT, wrote separately. He was referring to WatchGuard’s explanation from May that the company was withholding technical details to prevent the security issues from being exploited. “And if no CVE was issued, more of their customers were exposed than needed to be.”

He continued: “WatchGuard should have assigned a CVE when they released an update that fixed the vulnerability. They also had a second chance to assign a CVE when they were contacted by the FBI in November. But they waited nearly 3 full months after the FBI notification (about 8 months in total) before assigning a CVE. This behavior is harmful, and it put their customers at undue risk.”

WatchGuard representatives did not respond to repeated requests for clarification or comment.

This story originally appeared on Ars Technica.

