100,000 Zyxel Devices Vulnerable to Backdoor
Researchers Say Flaw Affects VPN Gateways, AP Controllers and Firewalls
A firmware vulnerability in about 100,000 Zyxel products, including VPN gateways, access point controllers and firewalls, can be used to install a hardcoded backdoor that could give threat actors remote administrative privileges, according to the Dutch security firm Eye Control.
The flaw is tracked as CVE-2020-29583.
Zyxel, which has already posted patches for the vulnerability in some of its products, is urging its customers to immediately apply them. In an advisory, however, the company notes that a fix for its NXC access point controller series products would not be released until April.
On Monday, the Multi-State Information Sharing and Analysis Center, or MS-ISAC, issued an alert that the vulnerability poses a risk for large enterprises and government agencies that use the company's security and networking products.
While no exploits have been spotted in the wild, the MS-ISAC report notes that a threat actor could use the vulnerability to gain administrative access to the inner parts of a targeted network and further escalate privileges.
"This could allow the attacker to change firewall settings, intercept traffic and create VPN accounts to gain access to the network behind the device and other administrative functions," according to the MS-ISAC alert.
The vulnerability was discovered by the Eye Control researchers after Zyxel pushed out firmware update 4.60 patch 0, according to the report. The flaw was not present within previous versions of the firmware.
The vulnerability involves hardcoded credentials being used to update the firmware in the company's products.
"The account was designed to deliver automatic firmware updates to connected access points through FTP," according to the Zyxel security alert.
The Eye Control researchers found that this vulnerability creates an administrative account that does not appear in the products' user interface. It uses "zyfwp" as the username and a static plain-text password that anyone can see.
The researchers also found that a threat actor who identified that administrative account could then log into the device using the web interface or the Secure Shell - SSH - protocol.
"As [the] SSL VPN on these devices operates on the same port as the web interface, a lot of users have exposed port 443 of these devices to the internet," the Eye Control researchers say.
The MS-ISAC update notes that the username and password of this administrative account cannot be changed. If exploited, a threat actor would then gain remote access to the VPN, firewall or access point controller.
The affected models include Zyxel's business-grade devices, which are usually deployed across private enterprise and government networks. Among the affected products are the Advanced Threat Protection, or ATP, series, a firewall; the Unified Security Gateway, or USG, series, a hybrid firewall and VPN gateway; the USG FLEX series, also a hybrid firewall and VPN gateway; the VPN series, a VPN gateway; and the NXC series, which is used as a WLAN access point controller.
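For defenders, the facts above reduce to two checks: hunt authentication logs for any use of the hidden "zyfwp" account (which never appears in the UI, so any event naming it is anomalous), and triage inventory against the affected series and the 4.60 patch 0 build. The following is an added example, not code from the article, Eye Control or Zyxel; the log lines are constructed in a generic syslog-like layout rather than Zyxel's real format, and the firmware-string shape "4.60 patch 0" is assumed.

```python
import ipaddress
import re
# Constructed sample lines in a generic syslog-like layout (not Zyxel's real log
# format); they stand in for a gateway's management-plane authentication log.
SAMPLE_LOGS = [
    "2020-12-29T08:01:10Z fw1 auth: user=admin service=https src=10.0.5.12 result=success",
    "2020-12-29T08:02:44Z fw1 auth: user=zyfwp service=ssh src=203.0.113.77 result=success",
    "2020-12-29T08:03:01Z fw1 auth: user=zyfwp service=https src=198.51.100.9 result=failure",
    "2020-12-29T08:03:30Z fw1 auth: user=zyfwp service=ssh src=10.0.5.40 result=failure",
    "2020-12-29T08:04:15Z fw1 auth: user=jsmith service=sslvpn src=198.51.100.20 result=success",
]
BACKDOOR_USER = "zyfwp"                      # hidden account named in the advisory
AFFECTED_SERIES = {"ATP", "USG", "USG FLEX", "VPN", "NXC"}
AFFECTED_BUILD = (4, 60, 0)                  # firmware 4.60 patch 0 introduced the account
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOG_RE = re.compile(r"user=(?P<user>\S+) service=(?P<service>\S+) src=(?P<src>\S+) result=(?P<result>\S+)")

def hunt_backdoor_logins(lines):
    """Return (line, severity) for every auth event naming the hidden account.
    Even a failed attempt is anomalous; a success is critical, and an attempt from
    outside RFC 1918 space shows the web UI/SSH management plane is exposed."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["user"] != BACKDOOR_USER:
            continue
        src = ipaddress.ip_address(m["src"])
        internal = any(src in net for net in INTERNAL_NETS)
        if m["result"] == "success":
            severity = "critical"
        elif not internal:
            severity = "high"
        else:
            severity = "medium"
        findings.append((line, severity))
    return findings

def triage_device(series, firmware):
    """Classify an inventory record (series, firmware string) against the advisory."""
    if series not in AFFECTED_SERIES:
        return "not-listed"
    m = re.fullmatch(r"(\d+)\.(\d+) patch (\d+)", firmware)
    if not m:
        return "unknown-firmware"
    build = tuple(int(x) for x in m.groups())
    if build == AFFECTED_BUILD:
        return "affected"
    if build < AFFECTED_BUILD:
        return "pre-4.60-not-affected"      # flaw absent from earlier versions
    return "check-vendor-advisory"           # later builds: confirm fix status with Zyxel
```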
Other Vulnerable VPNs
Over the last several months, other security researchers and government agencies have warned about vulnerabilities in VPNs and access products.
For example, in November, the U.S. Cybersecurity and Infrastructure Security Agency warned about a password leak that could affect vulnerable Fortinet VPNs, which could lead to further exploitation.
The agency's alert followed security researchers reporting that threat actors claimed to have published the leaked passwords on underground forums. While CISA stopped short of confirming the authenticity of the password leak, the agency urged those using Fortinet equipment to check with the company about patches and to review logs to check for suspicious activity (see: CISA Warns of Password Leak on Vulnerable Fortinet VPNs).
In October, CISA warned that hackers could chain vulnerabilities, including the Fortinet VPN bug, with the Zerologon Windows Server flaw to target local networks in the U.S. CISA said hackers were using the tactics to gain access to election support systems within government networks, although no election data compromise was reported (see: Hackers Chaining 'Zerologon,' Other Vulnerabilities).