Security Experts:

CISA Tells Orgs to Patch WatchGuard Flaw Exploited for Months Before Disclosure

The Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies three weeks to patch a WatchGuard firewall vulnerability exploited in attacks linked to a Russian state-sponsored threat actor. While the US government has known about the exploitation of this flaw for several months, federal agencies are apparently only now being told to patch it.

In fact, some experts believe that the entire disclosure process surrounding this vulnerability was poorly handled.

The existence of the vulnerability affecting WatchGuard firewalls came to light on February 23, when government agencies in the UK and US revealed that a threat actor known as Sandworm APT28 and Fancy Bear, which had been previously linked to Russia, had been using a piece of malware named Cyclops Blink.

Described as a replacement for the malware named VPNFilter, Cyclops Blink has been around since at least June 2019. Its main functionality is to send information about the compromised device back to a server and also to enable its operators to download and execute other files.

When the government agencies issued the public warning about Cyclops Blink attacks in February, they noted that the malware at the time had mainly targeted firewall appliances made by WatchGuard. It was later reported that ASUS routers have also been targeted.

In the attacks aimed at WatchGuard devices, the hackers had exploited a vulnerability that was silently patched by the vendor in May 2021, after being discovered internally.

The flaw, now tracked as CVE-2022-23176, affects the Fireware OS running on WatchGuard Firebox and XTM appliances. It allows a remote attacker with unprivileged credentials “to access the system with a privileged management session via exposed management access.”

WatchGuard learned from the FBI in late November 2021 that the Cyclops Blink botnet had been targeting its products. However, when the existence of Cyclops Blink came to light in February, the company did not release any technical information about the vulnerability, and the limited information that was made available mostly got buried in the noise generated by the botnet itself.

WatchGuard said the botnet attacks only affected less than one percent of its firewall appliances, but the investigation appears to be ongoing. In the meantime, the FBI said it took action to disable the botnet.

[ READ: CISA's 'Must Patch' List Puts Spotlight on Vulnerability Management Processes ]

While WatchGuard did inform customers at the time about a patched vulnerability being exploited, Ars Technica reported last week that the CVE identifier assigned to the flaw in February, CVE-2022-23176, was only added to WatchGuard documentation on Cyclops Blink this month. The CVE was also not mentioned in the government advisories released at the time. This could have made it more difficult for organizations to keep track of the vulnerability.

WatchGuard has argued that “the DOJ and court orders directed WatchGuard to delay disclosure until official authorization was granted.”

Will Dormann, vulnerability analyst at CERT/CC, has described WatchGuard’s handling of the bug as “poor vendor behavior.”

“When an update is released people can compare the before- and after-patch code to see what has changed, exposing the vulnerability. If things like CVE/CVSS are skipped, attackers have all that they need and defenders have nothing. DON'T DO THIS!” Dormann said on Twitter last week.

Another interesting aspect about the disclosure of CVE-2022-23176 is that CISA has only now added it to its Known Exploited Vulnerabilities Catalog, telling federal agencies on Monday that they need to address it by May 2. However, CISA has known about the flaw and its exploitation since at least November 2021 as the agency was involved in the investigation of the Cyclops Blink malware, alongside the FBI and the NSA.

This once again highlights the need for improved cybersecurity processes within the US government.

This comes just days after several senators introduced a bill whose goal is to improve the sharing of cybersecurity information between the DHS — CISA is an operational component under the DHS — and Congress. The lawmakers are displeased with the delays in Congress cybersecurity staff getting information from the DHS — these delays have raised concerns due to the increasing threat posed by Russia.

Related: CISA Says Recent Cisco Router Vulnerabilities Exploited in Attacks

Related: CISA Adds 14 Windows Vulnerabilities to 'Must-Patch' List

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.