American security company WatchGuard has been accused of withholding full details of a remotely exploitable vulnerability in its firewall devices until news broke that the flaw was being exploited by attackers from Russia’s military to assemble a botnet, according to a report in the American website Ars Technica.
However, WatchGuard communications director Chris Warfield told iTWire in reply to a query that the report was “grossly inaccurate and misrepresentative of the actual facts. We are currently seeking correction with the publication”.
Ars Technica had made no changes to its report, written by veteran security journalist Dan Goodin, at the time of writing.
Contacted for comment, Goodin said: “I just updated the post to correct the first date WatchGuard made reference to the CVE. It came in February, when the company quietly updated the release notes for the May 2021 software update. Otherwise the post is accurate. Please check out my updated post.”
The website linked to a FAQ that it says WatchGuard put online after an FBI court document revealed that the company’s firewalls hacked by the Russian group were “vulnerable to an exploit that allows unauthorised remote access to the management panels of those devices”. WatchGuard claims this FAQ was released on 23 February.
The FBI document was attached to a statement from the US Department of Justice announcing that it had disrupted the botnet in question in March.
On top of that they do not have a #PSIRT team to handle these critical vulnerabilities appropriately, that should be a MAJOR concern for any watchguard customers moving forward. #cyclopsblink #infosec https://t.co/JbYjSZoWuS pic.twitter.com/SxPmSDKUEY
— Immanuel Chavoya (@FullM3talPacket) April 7, 2022
WatchGuard claimed in the FAQ that the flaw in question, CVE-2022-23176, which had a score of 8.8 out of a possible 10, was “fully addressed by security fixes that started rolling out in software updates in May 2021”.
But the vulnerability was hardly referred to in the documentation accompanying the May 2021 updates, according to the report.
A company statement at that time said: “These releases also include fixes to resolve internally detected security issues. These issues were found by our engineers, and not actively found in the wild.
“For the sake of not guiding potential threat actors toward finding and exploiting these internally discovered issues, we are not sharing technical details about these flaws.”
In the FAQ released on Wednesday, Ars Technica said WatchGuard claimed: “This vulnerability was fully addressed by security fixes that started rolling out in software updates in May 2021. WatchGuard’s own investigation, as well as an assessment conducted by Mandiant, did not find evidence the threat actor exploited a different vulnerability.” WatchGuard claims this FAQ was released on 23 February.
The company said it had been notified on 30 November 2021 by the FBI and the UK National Cyber Security Centre about an ongoing investigation into Cyclops Blink, a sophisticated state-sponsored botnet that affected network devices from multiple vendors, including a very limited number (less than 1%) of WatchGuard firewall appliances.
“In response to this co-ordinated attack, on February 23, 2022, WatchGuard developed and released a set of simple and easy-to-use Cyclops Blink detection tools, as well as a 4-Step Cyclops Blink Diagnosis and Remediation Plan to help customers and partners to diagnose, remediate if necessary, and prevent future infection,” the statement said.
“Once taken, these steps eliminate the threat posed by malicious activity from Cyclops Blink.”
Warfield provided the following timeline “for when and how WatchGuard disclosed, patched, and communicated the security vulnerability exploited by Cyclops Blink. This information is all publicly available on our blog, FAQ, and the support section of our website”.
“12 May 2021: WatchGuard disclosed the security issue immediately upon internally discovering and patching it. At this point, the company was not aware of Cyclops Blink or the fact that the vulnerability had been exploited.
“30 November 2021: The FBI notified WatchGuard of Cyclops Blink, at which point WatchGuard determined that the prior vulnerability, for which a patch had already been distributed, could be the vector for Cyclops Blink. WatchGuard then immediately began working to develop Cyclops Blink detection and remediation tools. We also actively and intensely coordinated with the government to allow for a coordinated and responsible disclosure. At this point, as stated in our FAQ posted on 23 Feb: ‘The DoJ and court orders directed WatchGuard to delay disclosure until official authorisation was granted. The relevant government agencies informed WatchGuard that they had no evidence of data exfiltration from our customers’ network environments. This disclosure process is also consistent with standard industry principles of responsible disclosure’.
“12 January 2022: The company created the CVE, though it was still not authorised to post or provide any information publicly or to any third parties.
“23 February 2022: Immediately following official authorisation from the DoJ, and in tandem with the joint government advisory first disclosing Cyclops Blink, the company published its Cyclops Blink FAQ, which disclosed details of the vulnerability. This information was proactively communicated to our entire customer and partner base utilising every communications vehicle the company had available: our Corporate News Blog, the dedicated Detection.WatchGuard.com microsite, a series of direct emails, persistent alerts in our Partner and Support Portals, as well as in-product notifications within WatchGuard Cloud and WSM.
“24 February 2022: WatchGuard published the CVE, updating the release notes for all three firmware versions released on May 12, 2021 (Fireware 12.7 Update 1, Fireware 12.5.7 Update 3, and Fireware 12.1.3 Update 5).
“6 April 2022: WatchGuard updated its FAQ to reflect additional details of the government actions announced on 6 April. At this time, we also added the previously published CVE number to the FAQ for ease of reference.”