Administrators whose networks include Zyxel devices are being urged to install the latest security updates after the discovery of a hard-coded plaintext password in the firmware of a wide range of firewalls, gateways, VPN appliances and other products. The credential belongs to an undocumented administrative account and could be used for backdoor access to the devices.
The discovery was made by researchers at a Netherlands-based cybersecurity company called EYE and disclosed in a blog just before Christmas. The firm estimated through an internet search at that time that 100,000 Zyxel devices were vulnerable to attack.
Zyxel says the following devices are affected; the firmware release that fixes each is listed alongside:
| Product category | Affected devices and firmware | Fixed firmware |
| --- | --- | --- |
| Firewalls | ATP series running ZLD V4.60 | ZLD V4.60 Patch1 (Dec. 2020) |
| Firewalls | USG series running ZLD V4.60 | ZLD V4.60 Patch1 (Dec. 2020) |
| Firewalls | USG FLEX series running ZLD V4.60 | ZLD V4.60 Patch1 (Dec. 2020) |
| Firewalls | VPN series running ZLD V4.60 | ZLD V4.60 Patch1 (Dec. 2020) |
| AP controllers | NXC2500 running V6.00 through V6.10 | V6.10 Patch1 (Jan. 8, 2021) |
| AP controllers | NXC5500 running V6.00 through V6.10 | V6.10 Patch1 (Jan. 8, 2021) |
“When doing some research (rooting) on my Zyxel USG40, I was surprised to find a user account ‘zyfwp’ with a password hash in the latest firmware version (4.60 patch 0),” wrote researcher Niels Teusink, who discovered the bug. “The plaintext password was visible in one of the binaries on the system. I was even more surprised that this account seemed to work on both the SSH and web interface.
“The user is not visible in the interface and its password cannot be changed. I checked the previous firmware version (4.39) and although the user was present, it did not have a password. It seemed the vulnerability had been introduced in the latest firmware version. Even though older versions do not have this vulnerability, they do have others (such as this buffer overflow) so you should still update.”
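The pattern Teusink describes, an account that is absent from the management interface but has a usable password hash and whose plaintext sits next to it in a binary, can be checked for in an extracted firmware image. The script below is an added example written for this article; it is not Eye Control's or Zyxel's code and does not contain the real Zyxel credential. The passwd and shadow lines, the fake ELF blob, the account name `svc_hidden`, the password `Tr0ub4dor`, the path `/usr/sbin/fwupdated` and the `DOCUMENTED_USERS` set are all constructed for illustration.

```python
"""Firmware triage: flag login-capable accounts that the vendor does not
document, then look for their credentials stored in plain text near the
account name inside binaries.  Added example; all sample data is constructed."""

import re
import string

# Accounts the vendor exposes in the management UI (assumption for the demo).
DOCUMENTED_USERS = {"root", "admin"}

# Constructed /etc/passwd and /etc/shadow from a fictitious extracted rootfs.
SAMPLE_PASSWD = """\
root:x:0:0:root:/:/bin/sh
admin:x:0:0:admin:/:/bin/cli
svc_hidden:x:0:0:firmware update:/:/bin/cli
nobody:x:65534:65534:nobody:/:/bin/false
"""

SAMPLE_SHADOW = """\
root:*:18000:0:99999:7:::
admin:$1$abc$saltedhashofadminpw:18000:0:99999:7:::
svc_hidden:$1$xyz$saltedhashofhiddenpw:18000:0:99999:7:::
nobody:!:18000:0:99999:7:::
"""

# Constructed binary: strings laid out as a daemon might embed them,
# with the hidden account's plaintext password directly after its name.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"/usr/sbin/fwupdated\x00"
    + b"svc_hidden\x00Tr0ub4dor\x00"
    + b"\x00" * 4 + b"auth ok\x00" + b"\x90" * 16
)


def parse_colon_file(text):
    """Return {name: [fields...]} for passwd/shadow-style files."""
    out = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            out[fields[0]] = fields
    return out


def undocumented_login_accounts(passwd_text, shadow_text, documented):
    """Accounts with a real shell and a usable (non-locked) password hash
    that are not in the documented set.  Returns sorted (name, uid, hash).
    An account with an empty or locked field (the 4.39 situation Teusink
    describes, user present but no password) is deliberately not flagged."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for name, f in passwd.items():
        if name in documented or len(f) < 7:
            continue
        if f[6].endswith(("false", "nologin")):
            continue
        pw_hash = f[1]
        if pw_hash == "x" and name in shadow:
            pw_hash = shadow[name][1]
        if pw_hash in ("", "x") or pw_hash.startswith(("!", "*")):
            continue
        findings.append((name, int(f[2]), pw_hash))
    return sorted(findings)


def strings_near(blob, needle, window=64, min_len=6):
    """Printable runs within `window` bytes after `needle` in a binary blob:
    a quick stand-in for 'strings | grep -A' when hunting for a credential
    stored beside the account it belongs to."""
    results = []
    for m in re.finditer(re.escape(needle), blob):
        region = blob[m.end(): m.end() + window]
        for run in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, region):
            results.append(run.group().decode("ascii"))
    return results


def audit_firmware(passwd_text, shadow_text, binaries, documented=DOCUMENTED_USERS):
    """Combine both checks: suspicious accounts plus plaintext candidates."""
    report = {}
    for name, uid, pw_hash in undocumented_login_accounts(passwd_text, shadow_text, documented):
        candidates = [(path, s) for path, blob in binaries.items()
                      for s in strings_near(blob, name.encode())]
        report[name] = {"uid": uid, "hash": pw_hash, "plaintext_candidates": candidates}
    return report


if __name__ == "__main__":
    result = audit_firmware(SAMPLE_PASSWD, SAMPLE_SHADOW, {"/usr/sbin/fwupdated": SAMPLE_BINARY})
    for name, info in result.items():
        print(f"{name}: uid={info['uid']} hash={info['hash']}")
        for path, s in info["plaintext_candidates"]:
            print(f"  candidate plaintext near account name in {path}: {s!r}")
```

The string heuristic is deliberately noisy (here it also returns `auth ok`); it produces candidates for a human to try against the SSH and web login, not a verdict. Two properties Teusink reports cannot be found statically this way: that the account is hidden from the UI and that its password cannot be changed both have to be confirmed on a running device.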
In his report, Teusink said that he was able to identify about 3,000 Zyxel USG/ATP/VPN devices in the Netherlands. Globally, he says, more than 100,000 devices have their web interface exposed to the internet.
“As the zyfwp user has admin privileges, this is a serious vulnerability,” he wrote. “An attacker could completely compromise the confidentiality, integrity and availability of the device. Someone could for example change firewall settings to allow or block certain traffic. They could also intercept traffic or create VPN accounts to gain access to the network behind the device. Combined with a vulnerability like Zerologon this could be devastating to small and medium businesses.”