Vulnerabilities in WatchGuard firewalls and in Microsoft Windows and Windows Server need to be patched immediately, security organizations said in alerts this week.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged organizations to patch a critical WatchGuard firewall vulnerability (CVE-2022-23176) that affects the Fireware operating system running on WatchGuard Firebox and XTM appliances, and government agencies have been told to patch the flaw by May 2.
The vulnerability has a high severity score of 8.8 and impacts Fireware OS versions before 12.7.2_U1, 12.x before 12.1.3_U3, and 12.2.x through 12.5.x before 12.5.7_U3.
The vulnerability has been exploited by the Sandworm threat group – which was the subject of another urgent threat alert this week – and allows a remote attacker with unprivileged credentials “to access the system with a privileged management session via exposed management access.”
Sandworm used malware dubbed “Cyclops Blink” to create a botnet that performs CVE-2022-23176 exploits and turns the infected devices into command and control servers. WatchGuard estimated, though, that only a limited number (around 1%) of its firewall appliances were affected.
Last week, the botnet was disrupted by the U.S. Justice Department before doing more damage, but Firebox devices remain vulnerable. Defenders and administrators must apply mitigations recommended by WatchGuard to clean infected devices before updating them to the latest Fireware OS version.
WatchGuard indicates that “remediation steps differ from the usual upgrade steps you might be used to.” Indeed, applying the usual upgrade steps would not fix the problem in this case.
Whether your firewall has been compromised or not, you must patch to the latest version of Fireware to prevent the exploit. WatchGuard provides a detailed 4-Step Cyclops Blink Diagnosis and Remediation Plan that includes the following advisories:
- Use unique passwords for each Firebox
- Update passwords regularly
- Secure management ports (Cyclops Blink modifies allowed ports)
Defenders who need to conduct forensic investigations to find IoCs (indicators of compromise) left by the Sandworm APT group must do so before carrying out the recommended remediation steps, since remediation destroys that evidence.
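Because the Fireware fix arrives as an update build (the `_Un` suffix) rather than a new patch number, a plain string or numeric comparison misjudges whether a Firebox is on a fixed build. The following is an added example, not code from the article or from WatchGuard, that parses Fireware version strings and checks them against the three affected ranges quoted above; how those ranges map to firmware branches is this example's own interpretation of the article's wording, and the inventory it scans is constructed.

```python
import re
from typing import Dict, List, Tuple

# Affected ranges for CVE-2022-23176 as worded in the article, encoded as
# (lowest branch, highest branch, first fixed build). Mapping each clause to a
# branch span is an assumption made for this example, not WatchGuard's own table.
FIXED_BUILDS = [
    ((12, 0), (12, 1), "12.1.3_U3"),   # "12.x before 12.1.3_U3"
    ((12, 2), (12, 5), "12.5.7_U3"),   # "12.2.x through 12.5.x before 12.5.7_U3"
    ((12, 6), (12, 7), "12.7.2_U1"),   # "before 12.7.2_U1" (current branch)
]
BLANKET_FIX = "12.7.2_U1"              # the article's catch-all "before" clause


def parse_fireware(version: str) -> Tuple[int, int, int, int]:
    """Turn 'MAJOR.MINOR.PATCH[_Un]' into a sortable tuple.

    A build without a _U suffix gets update 0, so 12.5.7 sorts below 12.5.7_U3
    and 12.5.7_U3 still sorts below 12.5.8, matching how the vendor numbers fixes.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:_U(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version string: {version!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def is_vulnerable(version: str) -> bool:
    """True when the build sorts below the fixed build for its branch."""
    v = parse_fireware(version)
    branch = v[:2]
    for low, high, fixed in FIXED_BUILDS:
        if low <= branch <= high:
            return v < parse_fireware(fixed)
    # Branches the article does not list individually (e.g. 11.x) fall under
    # its blanket clause; anything newer than 12.7.2_U1 is assumed fixed.
    return v < parse_fireware(BLANKET_FIX)


def needs_patch(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames from a {hostname: version} map that are still affected."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed sample inventory for the demonstration; these are not real devices.
SAMPLE_INVENTORY = {
    "fw-branch-01": "12.5.7",
    "fw-branch-02": "12.5.7_U3",
    "fw-hq": "12.7.2_U1",
    "fw-lab": "12.1.3_U2",
    "fw-legacy": "11.12.4",
}

if __name__ == "__main__":
    print("still affected:", needs_patch(SAMPLE_INVENTORY))
```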
Windows Vulnerability Allows Remote Code Execution
Microsoft this week issued a patch for CVE-2022-26809, a critical remote code execution vulnerability in the Remote Procedure Call (RPC) runtime library.
The flaw could allow remote, unauthenticated attackers to take control of an affected system, a critical vulnerability requiring immediate patching.
Microsoft recommended blocking TCP port 445 at network perimeter firewalls, but added that this would not prevent attacks from inside the network, so patching remains the critical mitigation here.
In a busy week for security vulnerabilities, CISA added new flaws to its catalog of known exploited vulnerabilities almost every day. The agency added 28 new vulnerabilities in all to bring the list to 644.