Security vendor WatchGuard quietly fixed a critical vulnerability in a line of its firewall devices and didn't explicitly disclose the flaw for at least seven months, following revelations that hackers from Russia's military apparatus exploited the flaw en masse to assemble a giant botnet.
WatchGuard, formally known as WatchGuard Technologies, Inc., is a Seattle, Washington-based network security vendor. Its products are designed to protect computer networks from outside threats such as malware and ransomware.
WatchGuard was founded in 1996 as Seattle Software Labs, Inc. Its first product was a network firewall called the WatchGuard Security Management System, which included the WatchGuard Firebox "firewall in a box" security appliance, along with configuration and administration software.
WatchGuard fixed the vulnerability in May 2021 as part of a major update to its Fireware OS, and made only the most oblique of references to it at the time.
WatchGuard said it learned from the FBI in November that the vulnerability was a key vector for Cyclops Blink, the name of malware being used by a Russian state hacking group known as Sandworm to spawn a botnet. The company said it didn't obtain a CVE for the vulnerability until January and wasn't at liberty to disclose it until February 23 under a schedule set by the FBI, which was investigating the matter.
On February 23, the company published a software tool and instructions for identifying and locking down infected devices, a blog post describing Cyclops Blink and a detailed FAQ, but none of them made any reference to the CVE, despite having an all-clear from the FBI.
The only place WatchGuard published the CVE on February 23 was in updates it made to the May 2021 release notes. The company didn't add the CVE to the FAQ until Wednesday, after receiving questions about the timing from reporters.
On Monday, the Cybersecurity and Infrastructure Security Agency (CISA) ordered federal civilian agencies, and urged all US organizations, to patch an actively exploited bug impacting WatchGuard Firebox and XTM firewall appliances.
Sandworm, a Russian-sponsored hacking group, believed to be part of the GRU Russian military intelligence agency, also exploited this high severity privilege escalation flaw (CVE-2022-23176) to build a new botnet dubbed Cyclops Blink out of compromised WatchGuard Small Office/Home Office (SOHO) network devices.
"WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access," the company explains in a security advisory rating the bug with a critical threat level.
The flaw can only be exploited if the appliances are configured to allow unrestricted management access from the Internet. By default, all WatchGuard appliances are configured for restricted management access.
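The exploitation condition above is a configuration state, so the most useful thing a defender can do before patching is audit whether any management policy is reachable from the Internet. The script below is an added example, not WatchGuard's tool or code from the article: it models a firewall policy set as simple records, flags management policies whose "From" field includes an external alias, and produces a hardened copy limited to trusted sources. The built-in policy names ("WatchGuard", "WatchGuard Web UI"), the management ports (4117, 4118, 8080) and the aliases "Any-External" and "Any-Trusted" are assumptions made for illustration, and the sample policy set is constructed, not a real device export.

```python
from dataclasses import dataclass, replace

# Assumption (not from the article): WatchGuard's built-in management policies
# are named "WatchGuard" (TCP 4117/4118) and "WatchGuard Web UI" (TCP 8080).
# Treated here as illustrative defaults; verify against your own Fireware config.
MANAGEMENT_PORTS = frozenset({4117, 4118, 8080})
MANAGEMENT_POLICY_NAMES = frozenset({"WatchGuard", "WatchGuard Web UI"})
# Source aliases that mean "anyone on the Internet" in a From field (assumed names).
EXTERNAL_ALIASES = frozenset({"Any-External", "Any"})
# Source aliases the hardened, restricted configuration should use instead.
TRUSTED_SOURCES = ("Any-Trusted",)


@dataclass(frozen=True)
class Policy:
    name: str
    protocol: str
    ports: tuple          # destination ports the policy allows
    sources: tuple        # "From" aliases
    enabled: bool = True


def is_management_policy(policy: Policy) -> bool:
    """A policy counts as management access if it is one of the built-in
    management policies or allows any management port over TCP."""
    if policy.name in MANAGEMENT_POLICY_NAMES:
        return True
    return policy.protocol == "tcp" and any(p in MANAGEMENT_PORTS for p in policy.ports)


def is_internet_exposed(policy: Policy) -> bool:
    """True when the policy's From field admits untrusted external sources."""
    return any(src in EXTERNAL_ALIASES for src in policy.sources)


def exposed_management_policies(policies) -> list:
    """Names of enabled management policies reachable from the Internet:
    the configuration the advisory says is required for exploitation."""
    return [
        p.name for p in policies
        if p.enabled and is_management_policy(p) and is_internet_exposed(p)
    ]


def restrict_management_access(policies) -> list:
    """Return a copy of the policy set with every management policy's
    From field limited to trusted sources (the default, restricted state).
    Non-management policies are left untouched."""
    return [
        replace(p, sources=TRUSTED_SOURCES) if is_management_policy(p) else p
        for p in policies
    ]


# Constructed sample policy set (not a real device export).
SAMPLE_POLICIES = [
    Policy("WatchGuard Web UI", "tcp", (8080,), ("Any-External", "Any-Trusted")),
    Policy("WatchGuard", "tcp", (4117, 4118), ("Any-Trusted",)),
    Policy("HTTP-Server", "tcp", (80,), ("Any-External",)),               # exposed, but not management
    Policy("Remote-Admin", "tcp", (8080,), ("Any-External",)),            # custom policy, flagged by port
    Policy("Old-Mgmt", "tcp", (4118,), ("Any-External",), enabled=False),  # disabled: not reachable
]


if __name__ == "__main__":
    for name in exposed_management_policies(SAMPLE_POLICIES):
        print(f"EXPOSED: management policy '{name}' is reachable from the Internet")
    hardened = restrict_management_access(SAMPLE_POLICIES)
    print("exposed after hardening:", exposed_management_policies(hardened))
```

Detection keys on both policy name and destination port, so a renamed or custom policy that opens a management port to the Internet is still caught; disabled policies are ignored because they admit no traffic. The hardening step only narrows management policies and leaves ordinary exposed services, such as a public web server, as they were.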
Federal Civilian Executive Branch (FCEB) agencies must secure their systems against these security flaws according to November's binding operational directive (BOD 22-01).
CISA has given them three weeks, until May 2nd, to patch the CVE-2022-23176 flaw added today to its catalog of Known Exploited Vulnerabilities.
Even though this directive only applies to federal agencies, CISA also strongly urged all US organizations to prioritize fixing this actively abused security bug to avoid having their WatchGuard appliances compromised.
Putting customers at unnecessary risk
“As it turns out, threat actors *DID* find and exploit the issues,” Will Dormann, a vulnerability analyst at CERT, said in a private message. He was referring to the WatchGuard explanation from May that the company was withholding technical details to prevent the security issues from being exploited. “And without a CVE issued, more of their customers were exposed than needed to be.”