Security Market Segment LS
Friday, 08 April 2022 05:17

WatchGuard accused of delaying flaw details, company contests report Featured

WatchGuard accused of delaying flaw details, company contests report Image by OpenClipart-Vectors from Pixabay

American security company WatchGuard has been accused of withholding full details of a remotely exploitable vulnerability in its firewall devices until news broke that the flaw was being exploited by attackers from Russia's military to assemble a botnet, according to a report in the American website Ars Technica.

However, WatchGuard communications director Chris Warfield told iTWire in reply to a query that the report was "grossly inaccurate and misrepresentative of the actual facts. We are currently seeking correction with the publication".

Ars Technica had made no changes in its report, written by veteran security journalist Dan Goodin, at the time of writing.

Contacted for comment, Goodin said: "I just updated the post to correct the first date WatchGuard made reference to the CVE. It came in February, when the company quietly updated the release notes for the May 2021 software update. Otherwise the post is accurate. Please check out my updated post." 

The website linked to a FAQ that it says WatchGuard put online after it was revealed by the FBI in a court document that the company's firewalls hacked by the Russian group were “vulnerable to an exploit that allows unauthorised remote access to the management panels of those devices". WatchGuard claims this FAQ was released on 23 February.

The FBI document was attached to a statement from the US Department of Justice announcing that it had disrupted the botnet in question in March.

WatchGuard claimed in the FAQ that the flaw in question, CVE-2022-23176, which had a score of 8.8 out of a possible 10, was “fully addressed by security fixes that started rolling out in software updates in May 2021".

But the vulnerability was hardly referred to in the documentation accompanying the May 2021 updates, according to the report.

A company statement at that time said: "These releases also include fixes to resolve internally detected security issues. These issues were found by our engineers, and not actively found in the wild.

"For the sake of not guiding potential threat actors toward finding and exploiting these internally discovered issues, we are not sharing technical details about these flaws."

In the FAQ released on Wednesday, Ars Technica said WatchGuard claimed: "This vulnerability was fully addressed by security fixes that started rolling out in software updates in May 2021. WatchGuard’s own investigation, as well as an assessment conducted by Mandiant, did not find evidence the threat actor exploited a different vulnerability." WatchGuard claims this FAQ was released on 23 February.

The company said it had been notified on 30 November 2021 by the FBI and the UK National Cyber Security Centre about an ongoing investigation into Cyclops Blink, a sophisticated state-sponsored botnet that affected network devices from multiple vendors, including a very limited number (less than 1%) of WatchGuard firewall appliances.

"In response to this co-ordinated attack, on February 23, 2022, WatchGuard developed and released a set of simple and easy-to-use Cyclops Blink detection tools, as well as a 4-Step Cyclops Blink Diagnosis and Remediation Plan to help customers and partners to diagnose, remediate if necessary, and prevent future infection," the statement said.

"Once taken, these steps eliminate the threat posed by malicious activity from Cyclops Blink."

Warfield provided the following timeline "for when and how WatchGuard disclosed, patched, and communicated the security vulnerability exploited by Cyclops Blink. This information is all publicly available on our blog, FAQ, and the support section of our website".

"12 May 2021: WatchGuard disclosed the security issue immediately upon internally discovering and patching it. At this point, the company was not aware of Cyclops Blink or the fact that the vulnerability had been exploited.

"30 November 2021: The FBI notified WatchGuard of Cyclops Blink, at which point WatchGuard determined that the prior vulnerability, for which a patch had already been distributed, could be the vector for Cyclops Blink. WatchGuard then immediately began working to develop Cyclops Blink detection and remediation tools. We also actively and intensely coordinated with the government to allow for a coordinated and responsible disclosure. At this point, as stated in our FAQ posted on 23 Feb: 'The DoJ and court orders directed WatchGuard to delay disclosure until official authorisation was granted. The relevant government agencies informed WatchGuard that they had no evidence of data exfiltration from our customers’ network environments. This disclosure process is also consistent with standard industry principles of responsible disclosure'.

"12 January 2022: The company created the CVE, though it was still not authorised to post or provide any information publicly or to any third parties.

"23 February 2022: Immediately following official authorisation from the DoJ, and in tandem with the joint government advisory first disclosing Cyclops Blink, the company published its Cyclops Blink FAQ, which disclosed details of the vulnerability. This information was proactively communicated to our entire customer and partner base utilising every communications vehicle the company had available, our Corporate News Blog, the dedicated microsite, via a series of direct emails, and via persistent alerts in our Partner and Support Portals, as well as, through in-product notifications within WatchGuard Cloud and WSM.

"24 February 2022: WatchGuard published the CVE, updating the release notes for all three firmware versions released on May 12, 2021 (Fireware 12.7 Update 1, Fireware 12.5.7 Update 3, and Fireware 12.1.3 Update 5.

"6 April 2022: WatchGuard updated its FAQ to reflect additional details of the government actions announced on 6 April. At this time, we also added the previously published CVE number to the FAQ for ease of reference."

Read 1767 times

Please join our community here and become a VIP.

Subscribe to ITWIRE UPDATE Newsletter here
JOIN our iTWireTV our YouTube Community here


The past year has seen a meteoric rise in ransomware incidents worldwide.

Over the past 12 months, SonicWall Capture Labs threat researchers have diligently tracked the meteoric rise in cyberattacks, as well as trends and activity across all threat vectors, including:

Encrypted threats
IoT malware
Zero-day attacks and more

These exclusive findings are now available via the 2022 SonicWall Cyber Threat Report, which ensures SMBs, government agencies, enterprises and other organizations have the actionable threat intelligence needed to combat the rising tide of cybercrime.

Click the button below to get the report.



It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site and prominent Newsletter promotion and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinars and campaigns and assistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News