WatchGuard Failed To Explicitly Disclose Critical Flaw Exploited By Russian Hackers

Security vendor WatchGuard quietly fixed a critical vulnerability in a line of its firewall devices and didn’t explicitly disclose the flaw until Wednesday, following revelations hackers from Russia’s military apparatus exploited it en masse to assemble a giant botnet.

Law enforcement agencies in the US and UK on February 23 warned that members of Sandworm—among the Russian government’s most aggressive and elite hacker groups—were infecting WatchGuard firewalls with malware that made the firewalls part of a vast botnet. On the same day, WatchGuard released a software tool and instructions for identifying and locking down infected devices.

Neither those pages nor a FAQ published that day made any reference to the vulnerability, though the instructions did say users should ensure their appliances were running the latest version of the company’s Fireware OS. Instead, the company quietly updated the May 2021 release notes to add a reference to CVE-2022-23176. This was the first time the vulnerability was mentioned, but since WatchGuard didn’t explicitly call it out in the FAQ, users were left to revisit the release notes and click through to a second page to learn of the critical vulnerability.

Putting customers at unnecessary risk

In court documents unsealed on Wednesday, an FBI agent wrote that the WatchGuard firewalls hacked by Sandworm were “vulnerable to an exploit that allows unauthorized remote access to the management panels of those devices.” It wasn’t until after the court document was public that WatchGuard updated the FAQ to mention CVE-2022-23176, a vulnerability with a severity rating of 8.8 out of a possible 10.

“WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access,” the description read. “This vulnerability impacts Fireware OS before 12.7.2_U1, 12.x before 12.1.3_U3, and 12.2.x through 12.5.x before 12.5.7_U3.”
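The affected-version ranges quoted above are easy to misread, so here is an added example (not WatchGuard's code, nor part of the original article) that parses Fireware OS version strings and decides whether a given build falls inside those ranges. It assumes, as labelled in the comments, that each fixed build applies to its own maintenance branch (12.1.3_U3 for 12.1.x, 12.5.7_U3 for 12.2.x through 12.5.x, 12.7.2_U1 for everything newer); the version strings checked at the bottom are constructed samples.

```python
import re
from typing import Tuple

# Fixed builds named in the CVE-2022-23176 description quoted above.
# Assumption (an interpretation, not stated on the page): each fixed build
# closes its own maintenance branch, and 12.7.2_U1 closes every later branch.
FIX_12_1 = "12.1.3_U3"   # 12.x before 12.1.3_U3
FIX_12_5 = "12.5.7_U3"   # 12.2.x through 12.5.x before 12.5.7_U3
FIX_12_7 = "12.7.2_U1"   # before 12.7.2_U1

Version = Tuple[int, int, int, int]


def parse_fireware(version: str) -> Version:
    """Turn 'major.minor.patch[_Un]' into a comparable tuple; no _U suffix means update 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:_U(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware OS version string: {version!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def is_affected(version: str) -> bool:
    """True when the Fireware OS build lies in an affected range for CVE-2022-23176."""
    v = parse_fireware(version)
    if v >= parse_fireware(FIX_12_7):
        return False  # 12.7.2_U1 and later carry the fix
    if v[:2] == (12, 1):
        return v < parse_fireware(FIX_12_1)  # 12.1.x branch, fixed in 12.1.3_U3
    if (12, 2) <= v[:2] <= (12, 5):
        return v < parse_fireware(FIX_12_5)  # 12.2.x..12.5.x, fixed in 12.5.7_U3
    # Anything else below 12.7.2_U1 (12.0.x, 12.6.x, 12.7.0, 12.7.1, 12.7.2) has no fixed build
    return True


if __name__ == "__main__":
    # Constructed sample inventory, not real device data
    for build in ["12.1.3_U2", "12.1.3_U3", "12.5.7", "12.5.7_U3", "12.6.4", "12.7.2", "12.7.2_U1"]:
        print(f"{build:<10} {'AFFECTED' if is_affected(build) else 'fixed'}")
```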

The WatchGuard FAQ said that CVE-2022-23176 had been “fully addressed by security fixes that started rolling out in software updates in May 2021.” The FAQ went on to say that investigations by WatchGuard and outside security firm Mandiant “did not find evidence the threat actor exploited a different vulnerability.”

When WatchGuard released the May 2021 software updates, the company made only the most oblique of references to the vulnerability.

“These releases also include fixes to resolve internally detected security issues,” a company post stated. “These issues were found by our engineers and not actively found in the wild. For the sake of not guiding potential threat actors toward finding and exploiting these internally discovered issues, we are not sharing technical details about these flaws that they contained.”

According to Wednesday’s FAQ, FBI agents informed WatchGuard in November that about 1 percent of the firewalls it had sold had been infected by Cyclops Blink, a new strain of malware developed by Sandworm to replace a botnet the FBI dismantled in 2018. Three months after learning of the infections from the FBI, WatchGuard published the detection tool and the accompanying 4-Step Diagnosis and Remediation Plan for infected devices. It also buried a reference to the CVE in the release notes.

In the FAQ updated on Wednesday, WatchGuard said that Justice Department officials and court orders “directed WatchGuard to delay disclosure until official authorization was granted.” It’s not clear that the directive prevented WatchGuard from disclosing the CVE until Wednesday, but if it did, WatchGuard violated the order since it buried a reference to the vulnerability in the updated release notes.

Security professionals, many of whom have spent weeks working to rid the Internet of vulnerable devices, blasted WatchGuard for the failure to explicitly disclose.

“As it turns out, threat actors *DID* find and exploit the issues,” Will Dormann, a vulnerability analyst at CERT, said in a private message. He was referring to the WatchGuard explanation from May that the company was withholding technical details to prevent the security issues from being exploited. “And without a CVE issued, more of their customers were exposed than needed to be.”

He continued:

WatchGuard should have assigned a CVE when they released an update that fixed the vulnerability. They also had a second chance to assign a CVE when they were contacted by the FBI in November. But they waited for nearly 3 full months after the FBI notification (about 8 months total) before assigning a CVE. This behavior is harmful, and it put their customers at unnecessary risk.

WatchGuard representatives didn’t respond to repeated requests for clarification or comment until 16 hours after this post went live on Ars. This post has been updated to correct the date the company first made reference to the CVE. It was quietly added to release notes on February 23. The company didn’t explicitly call it out until updating the FAQ on Wednesday.

A WatchGuard spokesman didn’t explain why the company waited until this year to obtain a CVE for a security flaw of this severity.
