WatchGuard does not explicitly disclose the vulnerability that hackers are exploiting


Security appliance maker WatchGuard quietly patched a critical vulnerability in its line of firewalls and did not disclose it until Wednesday, after Russian military hackers were exposed exploiting it en masse to assemble a giant botnet. After law enforcement alerted the vendor that a Russian hacking group had infected some of its firewalls, the company simply released a detection tool to customers.


US and UK law enforcement agencies warned on February 23 that members of Sandworm, one of the most aggressive and elite hacking groups of the Russian government, were infecting WatchGuard firewalls with malware that made the firewalls part of a huge botnet. On the same day, WatchGuard released a software tool and instructions to detect and block infected devices. Among the instructions was to make sure the devices were running the latest version of the Fireware operating system.

Expose customers to unnecessary risk

In court documents released Wednesday, an FBI agent wrote that the WatchGuard firewalls hacked by Sandworm are “vulnerable to an exploit that allows unauthorized remote access to the control panels of these devices.” Only after the court document was made public did WatchGuard publish this FAQ, which first mentions CVE-2022-23176, a vulnerability with a severity rating of 8.8 out of a possible 10.


“The WatchGuard Firebox and XTM devices allow a remote attacker with non-privileged credentials to gain access to a system with a privileged management session through public management access,” the description reads. “This vulnerability affects Fireware OS up to 12.7.2_U1, 12.x through 12.1.3_U3, and 12.2.x through 12.5.x through 12.5.7_U3.”
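One practical thing a defender wants from an affected-version statement like the one above is a way to triage a fleet inventory against it. The following is an added example, not code from the article or from WatchGuard: it parses Fireware-style version strings (dotted core plus an optional `_U<n>` update suffix, such as `12.7.2_U1`) and checks them against the ranges exactly as worded in the quoted description. The range boundaries are taken from that wording; reading "up to" and "through" as inclusive is an assumption of mine, as is the constructed inventory at the bottom.

```python
import re
from typing import Dict, Optional, Tuple

# Fireware OS version strings look like "12.7.2_U1": a dotted numeric core and an
# optional "_U<n>" update suffix. Missing components count as 0, so "12.7" equals
# "12.7.0" and "12.7.2" sorts below "12.7.2_U1".
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_U(\d+))?$")

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Turn a Fireware version string into a comparable 4-tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version string: {text!r}")
    major, minor, patch, update = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch, update)


# Affected ranges as worded in the CVE description quoted in the article.
# A lower bound of None means "any earlier version". Treating the upper bounds
# as inclusive is an assumption; confirm the exact boundaries against the
# vendor advisory before relying on this for a fleet decision.
AFFECTED_RANGES = [
    (None, "12.7.2_U1"),        # "up to 12.7.2_U1"
    ("12.0.0", "12.1.3_U3"),    # "12.x through 12.1.3_U3"
    ("12.2.0", "12.5.7_U3"),    # "12.2.x through 12.5.x through 12.5.7_U3"
]


def is_affected(version: str) -> bool:
    """True if the version falls inside any of the quoted affected ranges."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if low is not None and v < parse_version(low):
            continue
        if v <= parse_version(high):
            return True
    return False


def triage(inventory: Dict[str, str]) -> Dict[str, bool]:
    """Map each device name to whether its reported Fireware version is affected."""
    return {name: is_affected(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical device names and versions).
    sample = {
        "edge-fw-01": "12.7.2_U1",
        "edge-fw-02": "12.7.2_U2",
        "branch-fw-01": "12.5.7_U3",
        "lab-fw-01": "12.8.0",
    }
    for name, affected in triage(sample).items():
        print(f"{name:<14} {sample[name]:<10} {'AFFECTED' if affected else 'ok'}")
```

Note that, taken literally, the first range ("up to 12.7.2_U1") already contains the other two, so the additional ranges are redundant under this reading. That redundancy is itself a hint that the quoted wording is not precise about its boundaries, which is exactly why the comment above says to verify them against the vendor advisory rather than trusting an inclusive reading of a press summary.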

WatchGuard’s FAQ states that CVE-2022-23176 is “fully addressed with security fixes that began rolling out in software updates in May 2021.” The FAQ goes on to say that investigations by WatchGuard and third-party security firm Mandiant “found no evidence that the attacker exploited another vulnerability.”

When WatchGuard released software updates in May 2021, the company made only the most oblique references to the vulnerability.

“These releases also include fixes for internal security issues,” a company notice stated. “These issues were discovered by our engineers and are not found in the wild. In order not to encourage potential attackers to find and exploit these internal problems, we are not disclosing technical details about the flaws they contained.”

According to the FAQ released Wednesday, FBI agents told WatchGuard in November that about 1 percent of the firewalls it had sold were infected with Cyclops Blink, a new strain of malware developed by Sandworm to replace the botnet the FBI dismantled in 2018. Three months after the FBI became aware of the infections, WatchGuard released the detection tool and its accompanying four-step diagnostic and remediation plan for infected devices. The company assigned CVE-2022-23176 a day later, on February 24.

However, even after all these steps, including obtaining a CVE, the company still did not explicitly disclose the critical vulnerability, which was fixed in the May 2021 software updates. Security professionals, many of whom have spent weeks ridding the Internet of vulnerable devices, have criticized WatchGuard for failing to explicitly disclose information.

“As it turns out, the attackers *REALLY* found and exploited the problems,” Will Dormann, a vulnerability analyst at CERT, wrote in a private message. He was referring to WatchGuard’s May explanation that the company is hiding technical details to prevent security concerns from being exploited. “And without a CVE issued, more of their clients were exposed than needed.”

He continued: “WatchGuard should have assigned a CVE when they released an update that fixes the vulnerability. They also had a second chance to assign a CVE when they were contacted by the FBI in November. But they waited almost 3 full months after the FBI notification (about 8 months in total) before assigning the CVE. This behavior is harmful and puts their customers at unnecessary risk.”

WatchGuard representatives did not respond to repeated requests for clarification or comment.

This story originally appeared on Ars Technica.
