Law enforcement agencies in the United States and the United Kingdom warned on February 23 that members of Sandworm – one of the Russian government’s most aggressive and elite hacker groups – were infecting WatchGuard firewalls with malware that made the firewalls part of a huge botnet. On the same day, WatchGuard released a software tool and instructions for detecting and locking down infected devices. Among the instructions was to ensure that the devices were running the latest version of the company’s Fireware OS.
Putting customers at unnecessary risk
“WatchGuard Firebox and XTM devices allow a remote intruder with non-privileged credentials to access the system with a privileged management session through exposed management access,” the description states. “This vulnerability affects Fireware OS before 12.7.2_U1, 12.x before 12.1.3_U3, and 12.2.x through 12.5.x before 12.5.7_U3.”
When WatchGuard released the software updates in May 2021, the company described the vulnerabilities they fixed only in the vaguest terms.
“These versions also include fixes for troubleshooting internal problems,” the company said in a statement. “These issues were identified by our engineers and were not actively found in nature. In order not to guide potential threats to the discovery and exploitation of these internally discovered issues, we are not disclosing technical details about the defects they contained.”
Even after all these steps, including obtaining the CVE, the company still did not explicitly reveal the critical vulnerability that had been fixed in the software updates of May 2021. Security professionals, many of whom have spent weeks working to rid the Internet of vulnerable devices, blamed WatchGuard for failing to disclose it explicitly.
“Threat agents *DID* prove to be finding and exploiting the issues,” Will Dormann, a vulnerability analyst at CERT, said in a private message. He was referring to WatchGuard’s explanation in May that the company was hiding technical details to prevent the security issues from being exploited. “And without a CVE being issued, more of their clients were exposed than they should have been.”
He continued:
WatchGuard should have assigned a CVE when it released a vulnerability. They also had a second chance to commission a CVE when contacted by the FBI in November. But they waited almost 3 full months after being notified by the FBI (about 8 months in total) before commissioning a CVE. This behavior is harmful and puts their customers at unnecessary risk.
WatchGuard representatives did not respond to repeated requests for clarification or comment.