{"id":18718,"date":"2022-04-08T10:45:12","date_gmt":"2022-04-08T18:45:12","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/04\/08\/news-12451\/"},"modified":"2022-04-08T10:45:12","modified_gmt":"2022-04-08T18:45:12","slug":"news-12451","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/04\/08\/news-12451\/","title":{"rendered":"WatchGuard Didn&#8217;t Explicitly Disclose a Flaw Exploited by Hackers"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/624f3d3668e4cf22b8a370ce\/master\/pass\/WatchGuard-Firewall-Malware-Security-157420668.png\"\/><\/p>\n<p><strong>Credit to Author: Dan Goodin, Ars Technica| Date: Fri, 08 Apr 2022 13:00:00 +0000<\/strong><\/p>\n<p class=\"BylineWrapper-iiTsTb hAGfXd byline bylines__byline\" data-testid=\"BylineWrapper\" itemprop=\"author\" itemtype=\"http:\/\/schema.org\/Person\"><span itemprop=\"name\" class=\"BylineNamesWrapper-dbkCxf erRIa-D\"><span data-testid=\"BylineName\" class=\"BylineName-cKXFOb UCAzg byline__name\"><a class=\"BaseWrap-sc-TURhJ BaseText-fFzBQt BaseLink-gZQqBA BylineLink-eZnyPI eTiIvU mEZDb fNdcwQ bKZMMS byline__name-link button\" href=\"\/author\/dan-goodin-ars-technica\">Dan Goodin, Ars Technica<\/a><\/span><\/span><\/p>\n<p><span class=\"lead-in-text-callout\">Security vendor WatchGuard<\/span> quietly fixed a critical vulnerability in a line of its firewall devices and didn\u2019t explicitly disclose the flaw until Wednesday, following revelations hackers from Russia\u2019s military apparatus <a data-offer-url=\"https:\/\/arstechnica.com\/information-technology\/2022\/04\/fbi-accesses-us-servers-to-dismantle-botnet-malware-installed-by-russian-spies\/\" class=\"external-link\" 
data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/arstechnica.com\/information-technology\/2022\/04\/fbi-accesses-us-servers-to-dismantle-botnet-malware-installed-by-russian-spies\/&quot;}\" href=\"https:\/\/arstechnica.com\/information-technology\/2022\/04\/fbi-accesses-us-servers-to-dismantle-botnet-malware-installed-by-russian-spies\/\" rel=\"nofollow noopener\" target=\"_blank\">exploited it en masse<\/a> to assemble a giant botnet. After law enforcement agencies warned the security vendor that a Russian hacking group had infected some of its firewalls, the company simply released a detection tool for customers.\u00a0<\/p>\n<p class=\"paywall\">This story originally appeared on <a data-offer-url=\"https:\/\/arstechnica.com\/information-technology\/2022\/04\/watchguard-failed-to-disclose-critical-flaw-exploited-by-russian-hackers\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/arstechnica.com\/information-technology\/2022\/04\/watchguard-failed-to-disclose-critical-flaw-exploited-by-russian-hackers\/&quot;}\" href=\"https:\/\/arstechnica.com\/information-technology\/2022\/04\/watchguard-failed-to-disclose-critical-flaw-exploited-by-russian-hackers\/\" rel=\"nofollow noopener\" target=\"_blank\">Ars Technica<\/a>, a trusted source for technology news, tech policy analysis, reviews, and more. 
Ars is owned by WIRED&#x27;s parent company, Cond\u00e9 Nast.<\/p>\n<p class=\"paywall\">Law enforcement agencies in the US and UK on February 23 warned that members of <a href=\"https:\/\/www.wired.com\/story\/sandworm-kremlin-most-dangerous-hackers\/\">Sandworm<\/a>\u2014among the Russian government\u2019s most aggressive and elite hacker groups\u2014were <a data-offer-url=\"https:\/\/arstechnica.com\/information-technology\/2022\/02\/russias-most-cut-throat-hackers-infect-network-devices-with-new-botnet-malware\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/arstechnica.com\/information-technology\/2022\/02\/russias-most-cut-throat-hackers-infect-network-devices-with-new-botnet-malware\/&quot;}\" href=\"https:\/\/arstechnica.com\/information-technology\/2022\/02\/russias-most-cut-throat-hackers-infect-network-devices-with-new-botnet-malware\/\" rel=\"nofollow noopener\" target=\"_blank\">infecting WatchGuard firewalls with malware<\/a> that made the firewalls part of a vast botnet. On the same day, WatchGuard released a <a data-offer-url=\"https:\/\/detection.watchguard.com\/Detector\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/detection.watchguard.com\/Detector&quot;}\" href=\"https:\/\/detection.watchguard.com\/Detector\" rel=\"nofollow noopener\" target=\"_blank\">software tool<\/a> and <a data-offer-url=\"https:\/\/detection.watchguard.com\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/detection.watchguard.com\/&quot;}\" href=\"https:\/\/detection.watchguard.com\/\" rel=\"nofollow noopener\" target=\"_blank\">instructions<\/a> for identifying and locking down infected devices. 
Among the instructions was to ensure appliances were running the latest version of the company\u2019s Fireware OS.<\/p>\n<p class=\"paywall\">In court documents unsealed on Wednesday, an FBI agent wrote that the WatchGuard firewalls hacked by Sandworm were \u201cvulnerable to an exploit that allows unauthorized remote access to the management panels of those devices.\u201d It wasn&#x27;t until after the court document was public that WatchGuard <a data-offer-url=\"https:\/\/techsearch.watchguard.com\/KB?type=Article&amp;SFDCID=kA16S000000SOCGSA4&amp;lang=en_US\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/techsearch.watchguard.com\/KB?type=Article&amp;SFDCID=kA16S000000SOCGSA4&amp;lang=en_US&quot;}\" href=\"https:\/\/techsearch.watchguard.com\/KB?type=Article&amp;SFDCID=kA16S000000SOCGSA4&amp;lang=en_US\" rel=\"nofollow noopener\" target=\"_blank\">published this FAQ<\/a>, which for the first time made reference to CVE-2022-23176, a vulnerability with a severity rating of 8.8 out of a possible 10.<\/p>\n<p class=\"paywall\">\u201cWatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access,\u201d the description read. 
\u201cThis vulnerability impacts Fireware OS before 12.7.2_U1, 12.x before 12.1.3_U3, and 12.2.x through 12.5.x before 12.5.7_U3.\u201d<\/p>\n<p class=\"paywall\">The WatchGuard FAQ said that CVE-2022-23176 had been \u201cfully addressed by security fixes that started rolling out in software updates in May 2021.\u201d The FAQ went on to say that investigations by WatchGuard and outside security firm Mandiant \u201cdid not find evidence the threat actor exploited a different vulnerability.\u201d<\/p>\n<p class=\"paywall\">When WatchGuard released the May 2021 software updates, the company made only the most oblique of references to the vulnerability.<\/p>\n<p class=\"paywall\">\u201cThese releases also include fixes to resolve internally detected security issues,\u201d a <a data-offer-url=\"https:\/\/www.watchguard.com\/wgrd-blog\/new-fireware-update-releases\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.watchguard.com\/wgrd-blog\/new-fireware-update-releases&quot;}\" href=\"https:\/\/www.watchguard.com\/wgrd-blog\/new-fireware-update-releases\" rel=\"nofollow noopener\" target=\"_blank\">company post<\/a> stated. \u201cThese issues were found by our engineers and not actively found in the wild. 
For the sake of not guiding potential threat actors toward finding and exploiting these internally discovered issues, we are not sharing technical details about these flaws that they contained.\u201d<\/p>\n<p class=\"paywall\">According to Wednesday\u2019s FAQ, FBI agents informed WatchGuard in November that about 1 percent of the firewalls it had sold had been infected by <a href=\"https:\/\/www.wired.com\/story\/sandworm-cyclops-blink-hacking-tool\/\">Cyclops Blink<\/a>, a new strain of malware developed by Sandworm to replace a botnet the <a data-offer-url=\"https:\/\/arstechnica.com\/information-technology\/2018\/05\/fbi-seizes-server-russia-allegedly-used-to-infect-500000-consumer-routers\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/arstechnica.com\/information-technology\/2018\/05\/fbi-seizes-server-russia-allegedly-used-to-infect-500000-consumer-routers\/&quot;}\" href=\"https:\/\/arstechnica.com\/information-technology\/2018\/05\/fbi-seizes-server-russia-allegedly-used-to-infect-500000-consumer-routers\/\" rel=\"nofollow noopener\" target=\"_blank\">FBI dismantled in 2018<\/a>. Three months after learning of the infections from the FBI, WatchGuard published the detection tool and the accompanying 4-Step Diagnosis and Remediation Plan for infected devices. The company obtained the CVE-2022-23176 designation a day later, on February 24.<\/p>\n<p class=\"paywall\">Even after all of these steps, including obtaining the CVE, however, the company still didn&#x27;t explicitly disclose the critical vulnerability that had been fixed in the May 2021 software updates. 
Security professionals, many of whom have spent weeks working to rid the Internet of vulnerable devices, blasted WatchGuard for the failure to explicitly disclose.<\/p>\n<p class=\"paywall\">\u201cAs it turns out, threat actors *DID* find and exploit the issues,\u201d Will Dormann, a vulnerability analyst at CERT, wrote in a private message. He was referring to the WatchGuard explanation from May that the company was withholding technical details to prevent the security issues from being exploited. \u201cAnd without a CVE issued, more of their customers were exposed than needed to be.\u201d<\/p>\n<p class=\"paywall\">He continued: \u201cWatchGuard should have assigned a CVE when they released an update that fixed the vulnerability. They also had a second chance to assign a CVE when they were contacted by the FBI in November. But they waited for nearly 3 full months after the FBI notification (about 8 months total) before assigning a CVE. This behavior is harmful, and it put their customers at unnecessary risk.\u201d<\/p>\n<p class=\"paywall\">WatchGuard representatives didn\u2019t respond to repeated requests for clarification or comment.<\/p>\n<p class=\"paywall\"><em>This story originally appeared on<\/em> <a data-offer-url=\"https:\/\/arstechnica.com\/information-technology\/2022\/04\/watchguard-failed-to-disclose-critical-flaw-exploited-by-russian-hackers\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/arstechnica.com\/information-technology\/2022\/04\/watchguard-failed-to-disclose-critical-flaw-exploited-by-russian-hackers\/&quot;}\" href=\"https:\/\/arstechnica.com\/information-technology\/2022\/04\/watchguard-failed-to-disclose-critical-flaw-exploited-by-russian-hackers\/\" rel=\"nofollow noopener\" target=\"_blank\"><em>Ars Technica<\/em><\/a><em>.<\/em><\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/watchguard-didnt-disclose-vulnerability-cyclops-blink\" target=\"bwo\" 
>https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/624f3d3668e4cf22b8a370ce\/master\/pass\/WatchGuard-Firewall-Malware-Security-157420668.png\"\/><\/p>\n<p><strong>Credit to Author: Dan Goodin, Ars Technica| Date: Fri, 08 Apr 2022 13:00:00 +0000<\/strong><\/p>\n<p>The security vendor kept a critical vulnerability in its firewall appliances quiet even as it was under attack from a Russian hacking group.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714,21357],"class_list":["post-18718","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security","tag-security-security-news"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18718","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18718"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18718\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18718"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18718"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tag
s?post=18718"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}