Intro:
WatchGuard failed to explicitly disclose critical flaw exploited by Russian hackers
Silently fixed authentication bypass remained a secret even after it was under attack.
"Security vendor WatchGuard quietly fixed a critical vulnerability in a line of its firewall devices and didn’t explicitly disclose the flaw until Wednesday, following revelations hackers from Russia’s military apparatus exploited it en masse to assemble a massive botnet.
Law enforcement agencies in the US and UK on February 23 warned that members of Sandworm—among the Russian government’s most aggressive and elite hacker groups—were infecting WatchGuard firewalls with malware that made the firewalls part of a vast botnet. On the same day, WatchGuard released a software tool and instructions for identifying and locking down infected devices. Among the instructions was ensuring appliances were running the latest version of the company’s Fireware OS.
Putting customers at unnecessary risk
In court documents unsealed on Wednesday, an FBI agent wrote that the WatchGuard firewalls hacked by Sandworm were “vulnerable to an exploit that allows unauthorized remote access to the management panels of those devices.” It wasn't until after the court document was public that WatchGuard published this FAQ, which for the first time made reference to CVE-2022-23176, a vulnerability with a severity rating of 8.8 out of a possible 10.
“WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access,” the description read. “This vulnerability impacts Fireware OS before 12.7.2_U1, 12.x before 12.1.3_U3, and 12.2.x through 12.5.x before 12.5.7_U3.”
The WatchGuard FAQ said that CVE-2022-23176 had been “fully addressed by security fixes that started rolling out in software updates in May 2021.” The FAQ went on to say that investigations by WatchGuard and outside security firm Mandiant “did not find evidence the threat actor exploited a different vulnerability.”
When WatchGuard released the May 2021 software updates, the company made only the most oblique of references to the vulnerability.
. . .Even after all of these steps, including obtaining the CVE, however, the company still didn't explicitly disclose the critical vulnerability that had been fixed in the May 2021 software updates. Security professionals, many of whom have spent weeks working to rid the Internet of vulnerable devices, blasted WatchGuard for the failure to explicitly disclose.
No comments:
Post a Comment