from the heads-in-the-sand dept
Firewalls. You know, boring old IT stuff. So why are we talking about them at Techdirt? Well, one thing we regularly talk about is how companies tend to respond to exploits and breaches that are uncovered and, far too often, how horrifically bad those responses are. Breaches and exploits often turn out to be far more severe than originally reported, and some companies go so far as to pursue legal action against the people reporting on them.
And then there’s WatchGuard. The company quietly patched a flaw in one of its firewall lines in May of 2021 without saying what it was, was told by the FBI in November of 2021 that the flaw was being exploited by Russian hackers to build a botnet, and still didn’t assign a CVE to it until nearly three months after that. Oh, and the company didn’t bother to alert its customers to the specifics of any of this until court documents were unsealed in the past few days, revealing the entire issue.
In court documents unsealed on Wednesday, an FBI agent wrote that the WatchGuard firewalls hacked by Sandworm were “vulnerable to an exploit that allows unauthorized remote access to the management panels of those devices.” It wasn’t until after the court document was public that WatchGuard published this FAQ, which for the first time made reference to CVE-2022-23176, a vulnerability with a severity rating of 8.8 out of a possible 10.
The WatchGuard FAQ said that CVE-2022-23176 had been “fully addressed by security fixes that started rolling out in software updates in May 2021.” The FAQ went on to say that investigations by WatchGuard and outside security firm Mandiant “did not find evidence the threat actor exploited a different vulnerability.”
Note that WatchGuard did respond almost immediately after the advisory from US/UK law enforcement, with a tool that let customers check whether they were at risk and instructions for mitigation. That is all well and good, but customers weren’t given any real specifics as to what the exploit was or how it might be used, which is exactly the sort of thing IT administrators need in order to assess their own exposure. The company also suggested, in effect, that it was withholding those details to keep the exploit from being more widely used.
When WatchGuard released the May 2021 software updates, the company made only the most oblique of references to the vulnerability.
“These releases also include fixes to resolve internally detected security issues,” a company post stated. “These issues were found by our engineers and not actively found in the wild. For the sake of not guiding potential threat actors toward finding and exploiting these internally discovered issues, we are not sharing technical details about these flaws that they contained.”
Unfortunately, that statement doesn’t hold up. The issues were very much found in the wild: the FBI assessed that roughly 1% of the firewalls the company sold were compromised with malware called Cyclops Blink, yet another specific that doesn’t appear to have been communicated to customers. And whatever WatchGuard’s engineers found on their own, it was law enforcement, not WatchGuard, that established the flaw was being actively exploited.
“As it turns out, threat actors *DID* find and exploit the issues,” Will Dormann, a vulnerability analyst at CERT, said in a private message. He was referring to the WatchGuard explanation from May that the company was withholding technical details to prevent the security issues from being exploited. “And without a CVE issued, more of their customers were exposed than needed to be.
WatchGuard should have assigned a CVE when they released an update that fixed the vulnerability. They also had a second chance to assign a CVE when they were contacted by the FBI in November. But they waited for nearly 3 full months after the FBI notification (about 8 months total) before assigning a CVE. This behavior is harmful, and it put their customers at unnecessary risk.”
And that is not the kind of thing you can get away with when your business is literally threat detection and prevention in IT. This stinks of a coverup, and the coverup is always worse than the crime, cliché though that might be.