August 19, 2022

Security vendor WatchGuard quietly fixed a critical vulnerability in a line of its firewall devices and didn’t explicitly disclose the flaw for at least seven months, following revelations hackers from Russia’s military apparatus exploited the flaw en masse to assemble a giant botnet.

WatchGuard fixed the vulnerability in May 2021 as part of a major update to its Fireware OS, and made only the most oblique of references to it at the time.

Security through obscurity strikes again

“These releases also include fixes to resolve internally detected security issues,” a company post stated. “These issues were found by our engineers and not actively found in the wild. For the sake of not guiding potential threat actors toward finding and exploiting these internally discovered issues, we are not sharing technical details about these flaws that they contained.”

We now know that one of the “security issues” was CVE-2022-23176, an authentication bypass vulnerability with a severity rating of 8.8 out of a possible 10. It allows a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access. For reasons that are unclear, WatchGuard didn’t obtain a CVE at the time of patching.

WatchGuard said it learned from the FBI in November that the vulnerability was a key vector for Cyclops Blink, the name of malware being used by a Russian state hacking group known as Sandworm to spawn a botnet. The company said it didn’t obtain a CVE for the vulnerability until January and wasn’t at liberty to disclose it until February 23 under a schedule set by the FBI that was investigating the matter.

On February 23, the company published a software tool and instructions for identifying and locking down infected devices, a blog post describing Cyclops Blink and a detailed FAQ, but none of them made any reference to the CVE, despite having an all clear from the FBI.

The only place WatchGuard published the CVE on February 23 was in updates it made to the May 2021 release notes. The company didn’t add the CVE to the FAQ until Wednesday after receiving questions about the timing from reporters.

Putting customers at unnecessary risk

Security professionals, many of whom have spent weeks working to rid the Internet of vulnerable devices, blasted WatchGuard for the rationale it gave in May for not explicitly disclosing the flaw as a CVE when it was fixed in software update. Burying the mention of the CVE in February 23 update to the release notes and not flagging the CVE in the FAQ until Wednesday only made it harder for users to assess their risk, they said.

“As it turns out, threat actors *DID* find and exploit the issues,” Will Dormann, a vulnerability analyst at CERT, said in a private message. He was referring to the WatchGuard explanation from May that the company was withholding technical details to prevent the security issues from being exploited. “And without a CVE issued, more of their customers were exposed than needed to be.”

He continued:

WatchGuard should have assigned a CVE when they released an update that fixed the vulnerability. They also had a second chance to assign a CVE when they were contacted by the FBI in November. But they waited for nearly 3 full months after the FBI notification (about 8 months total) before assigning a CVE. This behavior is harmful, and it put their customers at unnecessary risk.

WatchGuard representatives didn’t respond to repeated requests for clarification or comment until 16 hours after this post went live on Ars. This post has been updated to correct the date the company first made reference to the CVE. It was quietly added to release notes on February 23. The company didn’t call it out elsewhere until Wednesday when it finally added it to the FAQ.

A WatchGuard spokesman didn’t explain why the company waited until this year to obtain a CVE for a security flaw with this level of severity.

See also  Critical flaws in GPS tracker enable “disastrous” and “life-threatening” hacks