Warning: Backdoor in Zyxel products

The National Cyber Security Centre SK-CERT warns of a critical vulnerability in Zyxel firewalls, VPN gateways and wireless access point (AP) controllers that can give a remote attacker administrator-level access to vulnerable devices.

The vulnerability affects more than 100 000 Zyxel devices. Tracked as CVE-2020-29583, it stems from a hidden, hardcoded administrator-level account whose username and password are the same on every affected device and which is reachable over the device's SSH and web administration interfaces. Researchers found the plaintext password in one of the binaries shipped on the device. The username and password in question have already been published by several sources on the Internet, so every unpatched device exposed on the network should be treated as trivially exploitable.

Affected systems include:

  • the Advanced Threat Protection (ATP) series – used primarily as a firewall – in version 4.60
  • the Unified Security Gateway (USG) series – used as a firewall and VPN gateway – in version 4.60
  • the USG FLEX series – used as a firewall and VPN gateway – in version 4.60
  • the VPN series – used as a VPN gateway – in version 4.60
  • the NXC series – used as a WLAN access point controller – in version 6.10

After compromising one of these devices, an attacker could move on to other devices on the network and use the compromised device as a foothold for further attacks. For example, an attacker could change firewall rules, disrupt or intercept traffic, or create VPN accounts that provide persistent access into the internal network.

The National Cyber Security Centre SK-CERT therefore recommends:

  • Immediately update devices of the ATP, USG, USG FLEX and VPN series to firmware version 4.60 Patch 1, which contains the fix. If an immediate update is not possible, disconnect the devices from the network until they are updated.

An update for the NXC series is not expected until April 2021. Until then, we recommend the following for these devices:

  • Dedicate a separate network interface to administrative access and keep it physically disconnected from the network except when the device has to be configured. Perform the configuration with physical access to the device, not over a public or private network.
  • If this is not possible, switch the devices off and replace them with a different type of device.

For all device types, we also recommend the following additional steps immediately after the update, or after the administration interface has been isolated:

  • Check the device configuration for unwanted settings (new or changed firewall and NAT rules, disabled advanced threat detection, etc.), ideally by comparing it against a configuration backup taken before the vulnerability became public.
  • Check the vulnerable devices for suspicious accounts, including existing accounts whose privilege level has changed.
  • As a precaution, change the passwords of all accounts on the vulnerable devices to strong, unique ones.
  • If the same passwords were used anywhere else, change those as well, using a different, unique password for each account.
  • Monitor the devices, focusing on non-standard connections or connection attempts. If the configuration allows it, also review past communication to the Internet and to the private network.
  • If you detect a cybersecurity incident caused by this vulnerability, report it to the National Cyber Security Centre SK-CERT at https://www.sk-cert.sk/en/tips-and-tricks/report-an-incident/
  • Since this is not the first backdoor found in Zyxel products[1], we do not recommend using Zyxel products in critical parts of your infrastructure.
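The first two checks above (unwanted configuration changes and suspicious or re-privileged accounts) are easiest to do mechanically by diffing a known-good configuration backup against a fresh export. The script below is an added example written for this advisory; it is not SK-CERT's or Zyxel's code. The configuration syntax it parses is a constructed, Zyxel-like CLI style used only for illustration, and the account pattern (`ACCOUNT_RE`), the list of policy keywords (`POLICY_KEYWORDS`) and the sample configurations are all assumptions that must be adapted to the real export format of your device.

```python
import difflib
import re
from dataclasses import dataclass, field

# Assumption: accounts are configured as "username <name> ... user-type <role>".
ACCOUNT_RE = re.compile(r"^username\s+(?P<name>\S+)\b.*\buser-type\s+(?P<role>\S+)")
# Assumption: statements led by these keywords carry security policy (firewall,
# NAT, threat protection) and are reported separately from cosmetic changes.
POLICY_KEYWORDS = {"secure-policy", "firewall", "nat", "anti-virus", "ips",
                   "sandbox", "threat-protection"}


@dataclass
class AuditReport:
    added_accounts: dict = field(default_factory=dict)    # name -> role
    removed_accounts: dict = field(default_factory=dict)  # name -> role
    role_changes: dict = field(default_factory=dict)      # name -> (old, new)
    policy_changes: list = field(default_factory=list)    # (sign, statement)
    other_changes: list = field(default_factory=list)     # (sign, statement)

    def needs_review(self) -> bool:
        return bool(self.added_accounts or self.removed_accounts
                    or self.role_changes or self.policy_changes)


def flatten(config: str) -> list:
    """Prefix indented sub-lines with their parent statement, so a diff reads
    'secure-policy 1 | action allow' rather than an ambiguous ' action allow'."""
    statements, parent = [], ""
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and parent:
            statements.append(f"{parent} | {raw.strip()}")
        else:
            parent = raw.strip()
            statements.append(parent)
    return statements


def parse_accounts(config: str) -> dict:
    """Map each configured account name to its role."""
    return {m["name"]: m["role"]
            for m in map(ACCOUNT_RE.match, flatten(config)) if m}


def audit(baseline: str, current: str) -> AuditReport:
    """Compare a known-good backup with a fresh export of the running config."""
    report = AuditReport()
    old, new = parse_accounts(baseline), parse_accounts(current)
    for name, role in new.items():
        if name not in old:
            report.added_accounts[name] = role
        elif old[name] != role:
            report.role_changes[name] = (old[name], role)
    for name, role in old.items():
        if name not in new:
            report.removed_accounts[name] = role
    # ndiff yields "- "/"+ " for removed/added statements, "  " for unchanged
    # ones and "? " hint lines; only the first two kinds matter here.
    for d in difflib.ndiff(flatten(baseline), flatten(current)):
        sign, stmt = d[0], d[2:]
        if d[:2] not in ("- ", "+ ") or ACCOUNT_RE.match(stmt):
            continue  # unchanged, hint line, or an account reported above
        tokens = stmt.split()
        # "no <keyword> ..." disables a setting; classify by the negated keyword.
        key = tokens[1] if tokens[0] == "no" and len(tokens) > 1 else tokens[0]
        bucket = report.policy_changes if key in POLICY_KEYWORDS else report.other_changes
        bucket.append((sign, stmt))
    return report


# Constructed sample data in a Zyxel-like CLI style (illustration only): the
# pre-incident backup and the export taken right after patching.
BASELINE = """\
hostname fw-branch-01
username admin password $1$s$hA user-type admin
username vpn-user1 password $1$s$hB user-type user
secure-policy 1
 from WAN to LAN
 action deny
anti-virus activate
"""

AFTER_PATCH = """\
hostname fw-branch-01
ntp server 10.0.0.5
username admin password $1$s$hA user-type admin
username vpn-user1 password $1$s$hB user-type admin
username svc-backup password $1$s$hC user-type admin
secure-policy 1
 from WAN to LAN
 action allow
secure-policy 3
 from WAN to LAN
 service ssh
 action allow
no anti-virus activate
"""

if __name__ == "__main__":
    r = audit(BASELINE, AFTER_PATCH)
    print(r.added_accounts, r.role_changes, r.policy_changes, r.other_changes)
    print("needs review:", r.needs_review())
```

On the constructed sample the audit flags one new administrator account, one existing VPN account promoted to administrator, the inbound policy flipped from deny to allow, a new inbound SSH rule and the disabled anti-virus setting, while the harmless NTP change lands in `other_changes`. Flattening the export before diffing is what keeps each reported line attributable to a specific rule; a raw line diff would only show a bare `action allow`.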

Sources:

https://www.zyxel.com/support/CVE-2020-29583.shtml

https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html

https://www.zdnet.com/article/backdoor-account-discovered-in-more-than-100000-zyxel-firewalls-vpn-gateways/

https://www.bleepingcomputer.com/news/security/secret-backdoor-discovered-in-zyxel-firewall-and-ap-controllers/

[1] https://nvd.nist.gov/vuln/detail/CVE-2016-10401
