Admins urged to patch Zyxel network devices to close backdoor
By Howard Solomon (@HowardITWC)
Published: January 4th, 2021

Administrators whose networks include Zyxel devices are being urged to install the latest security updates after the discovery of a hard-coded plaintext password in the firmware of a wide number of firewalls, gateways, VPNs and other products that could be used for backdoor access to systems.

The discovery was made by researchers at a Netherlands-based cybersecurity company called EYE and disclosed in a blog just before Christmas. The firm estimated through an internet search at that time that 100,000 Zyxel devices were vulnerable to attack.

Zyxel says the following devices are affected. Patches can be downloaded here:

Firewalls
  ATP series running firmware ZLD V4.60          Patch: ZLD V4.60 Patch1, Dec. 2020
  USG series running firmware ZLD V4.60          Patch: ZLD V4.60 Patch1, Dec. 2020
  USG FLEX series running firmware ZLD V4.60     Patch: ZLD V4.60 Patch1, Dec. 2020
  VPN series running firmware ZLD V4.60          Patch: ZLD V4.60 Patch1, Dec. 2020

AP controllers
  NXC2500 running firmware V6.00 through V6.10   Patch: V6.10 Patch1, Jan. 8, 2021
  NXC5500 running firmware V6.00 through V6.10   Patch: V6.10 Patch1, Jan. 8, 2021

“When doing some research (rooting) on my Zyxel USG40, I was surprised to find a user account ‘zyfwp’ with a password hash in the latest firmware version (4.60 patch 0),” wrote researcher Niels Teusink, who discovered the bug. “The plaintext password was visible in one of the binaries on the system. I was even more surprised that this account seemed to work on both the SSH and web interface.

“The user is not visible in the interface and its password cannot be changed. I checked the previous firmware version (4.39) and although the user was present, it did not have a password. It seemed the vulnerability had been introduced in the latest firmware version.
Even though older versions do not have this vulnerability, they do have others (such as this buffer overflow) so you should still update.”

In his report, Teusink said that he was able to identify about 3,000 Zyxel USG/ATP/VPN devices in the Netherlands. Globally, he says there are more than 100,000 devices that have exposed their web interface to the internet.

“As the zyfwp user has admin privileges, this is a serious vulnerability,” he wrote. “An attacker could completely compromise the confidentiality, integrity and availability of the device. Someone could for example change firewall settings to allow or block certain traffic. They could also intercept traffic or create VPN accounts to gain access to the network behind the device. Combined with a vulnerability like Zerologon this could be devastating to small and medium businesses.”
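For administrators triaging an inventory against the advisory table above, the following is an added example (not code from Zyxel, EYE or the article) that parses Zyxel firmware version strings and flags devices still on the affected releases. The device names in the inventory are constructed sample data; the model names and version ranges come from the table.

```python
import re

# Affected firmware per the Zyxel advisory quoted in the article:
# ATP/USG/USG FLEX/VPN firewalls on ZLD V4.60 (fixed in ZLD V4.60 Patch1),
# NXC2500/NXC5500 AP controllers on V6.00 through V6.10 (fixed in V6.10 Patch1).
FIREWALL_SERIES = {"ATP", "USG", "USG FLEX", "VPN"}
CONTROLLER_MODELS = {"NXC2500", "NXC5500"}

# Matches strings such as "ZLD V4.60", "V6.05", "ZLD V4.60 Patch1".
VERSION_RE = re.compile(r"(?:ZLD\s*)?V(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?", re.IGNORECASE)


def parse_firmware(fw: str):
    """Return (major, minor, patch); patch is 0 when no 'PatchN' suffix is present.
    Zyxel minor numbers are two digits (4.39, 4.60, 6.05, 6.10), so integer compare is safe."""
    m = VERSION_RE.search(fw)
    if not m:
        raise ValueError(f"unrecognised firmware string: {fw!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(model: str, firmware: str) -> bool:
    """True when the model/firmware pair falls inside the advisory's affected set."""
    major, minor, patch = parse_firmware(firmware)
    release = (major, minor)
    if model in FIREWALL_SERIES:
        # Only 4.60 without Patch1 carries the hidden zyfwp password.
        return release == (4, 60) and patch == 0
    if model in CONTROLLER_MODELS:
        # Every 6.0x release up to and including 6.10 patch 0; 6.10 Patch1 is the fix.
        return (6, 0) <= release < (6, 10) or (release == (6, 10) and patch == 0)
    return False


def devices_needing_patch(inventory):
    """inventory: iterable of (device_name, model, firmware); returns names still affected."""
    return [name for name, model, fw in inventory if is_affected(model, fw)]


# Constructed sample inventory for demonstration.
SAMPLE_INVENTORY = [
    ("fw-hq", "USG FLEX", "ZLD V4.60"),
    ("fw-branch", "USG", "ZLD V4.60 Patch1"),
    ("fw-lab", "ATP", "ZLD V4.39"),
    ("apc-1", "NXC2500", "V6.05"),
    ("apc-2", "NXC5500", "V6.10 Patch1"),
]

if __name__ == "__main__":
    print("Needs patching:", devices_needing_patch(SAMPLE_INVENTORY))
```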