Administrators whose networks include Zyxel devices are being urged to install the latest security updates after the discovery of a hard-coded plaintext password in the firmware of a wide number of firewalls, gateways, VPNs and other products that could be used for backdoor access to systems.

The discovery was made by researchers at a Netherlands-based cybersecurity company called EYE and disclosed in a blog just before Christmas. The firm estimated through an internet search at that time that 100,000 Zyxel devices were vulnerable to attack.

Zyxel says the following devices are affected. Patches can be downloaded here:

Affected product    Affected firmware       Patch availability
Firewalls
ATP series          ZLD V4.60               ZLD V4.60 Patch1 in Dec. 2020
USG series          ZLD V4.60               ZLD V4.60 Patch1 in Dec. 2020
USG FLEX series     ZLD V4.60               ZLD V4.60 Patch1 in Dec. 2020
VPN series          ZLD V4.60               ZLD V4.60 Patch1 in Dec. 2020
AP controllers
NXC2500             V6.00 through V6.10     V6.10 Patch1 on Jan. 8, 2021
NXC5500             V6.00 through V6.10     V6.10 Patch1 on Jan. 8, 2021

“When doing some research (rooting) on my Zyxel USG40, I was surprised to find a user account ‘zyfwp’ with a password hash in the latest firmware version (4.60 patch 0),” wrote researcher Niels Teusink, who discovered the bug. “The plaintext password was visible in one of the binaries on the system. I was even more surprised that this account seemed to work on both the SSH and web interface.

“The user is not visible in the interface and its password cannot be changed. I checked the previous firmware version (4.39) and although the user was present, it did not have a password. It seemed the vulnerability had been introduced in the latest firmware version. Even though older versions do not have this vulnerability, they do have others (such as this buffer overflow) so you should still update.”

In his report, Teusink said that he was able to identify about 3,000 Zyxel USG/ATP/VPN devices in the Netherlands. Globally, he said, more than 100,000 devices have their web interface exposed to the internet.

“As the zyfwp user has admin privileges, this is a serious vulnerability,” he wrote. “An attacker could completely compromise the confidentiality, integrity and availability of the device. Someone could for example change firewall settings to allow or block certain traffic. They could also intercept traffic or create VPN accounts to gain access to the network behind the device. Combined with a vulnerability like Zerologon this could be devastating to small and medium businesses.”
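Because the zyfwp account is not shown in the management interface, a defender cannot rely on the device's own user list to notice it being used; comparing authentication logs against the set of accounts the administrator actually created is one way to catch it. The script below is an added example, not code from the article or from Zyxel: the syslog-style line format, the device name and the addresses are constructed for illustration, and a real Zyxel log format would need its own regular expression.

```python
"""Flag successful logins by accounts absent from the configured user list.

Added example (not from the article or from Zyxel). The log format below is
constructed for illustration; real Zyxel syslog lines differ.
"""
import re
from typing import Iterable, List, Tuple

# Accounts the administrator actually created on the device (constructed).
CONFIGURED_USERS = {"admin", "netops"}

# Constructed syslog-style lines: one authentication event per line.
SAMPLE_LOG = """\
Dec 23 10:01:12 usg40 auth: user=admin service=ssh src=192.0.2.10 result=success
Dec 23 10:02:45 usg40 auth: user=zyfwp service=http src=198.51.100.7 result=success
Dec 23 10:03:01 usg40 auth: user=netops service=https src=192.0.2.11 result=failure
Dec 23 10:04:30 usg40 auth: user=zyfwp service=ssh src=203.0.113.5 result=success
"""

# Matches the constructed format; adapt to the real device's log layout.
LINE_RE = re.compile(
    r"user=(?P<user>\S+) service=(?P<service>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)"
)


def undeclared_logins(lines: Iterable[str],
                      configured=CONFIGURED_USERS) -> List[Tuple[str, str, str]]:
    """Return (user, service, src) for each successful login whose account
    is not in the administrator-configured user list."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["result"] != "success":
            continue  # unparsable line or failed attempt: not a confirmed login
        if m["user"] not in configured:
            hits.append((m["user"], m["service"], m["src"]))
    return hits


if __name__ == "__main__":
    for user, service, src in undeclared_logins(SAMPLE_LOG.splitlines()):
        print(f"ALERT: undeclared account {user!r} logged in via {service} from {src}")
```

Run against the sample it reports both zyfwp logins (web and SSH) and ignores the failed attempt by a known account.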


Jim Love, Chief Content Officer, IT World Canada
