aum Posted January 1, 2021

Zyxel has released a patch to address a critical vulnerability in its firmware concerning a hardcoded undocumented secret account that could be abused by an attacker to log in with administrative privileges and compromise its networking devices.

The flaw, tracked as CVE-2020-29583 (CVSS score 7.8), affects version 4.60 present in a wide range of Zyxel devices, including Unified Security Gateway (USG), USG FLEX, ATP, and VPN firewall products.

EYE researcher Niels Teusink reported the vulnerability to Zyxel on November 29, following which the company released a firmware patch (ZLD V4.60 Patch1) on December 18.

According to the advisory published by Zyxel, the undocumented account ("zyfwp") comes with an unchangeable password ("PrOw!aN_fXp") that's not only stored in plaintext but could also be used by a malicious third party to log in to the SSH server or web interface with admin privileges.

Zyxel said the hardcoded credentials were put in place to deliver automatic firmware updates to connected access points through FTP.

Noting that around 10% of 1000 devices in the Netherlands run the affected firmware version, Teusink said the flaw's relative ease of exploitation makes it a critical vulnerability.

"As the 'zyfwp' user has admin privileges, this is a serious vulnerability," Teusink said in a write-up. "An attacker could completely compromise the confidentiality, integrity and availability of the device."

"Someone could for example change firewall settings to allow or block certain traffic. They could also intercept traffic or create VPN accounts to gain access to the network behind the device. Combined with a vulnerability like Zerologon this could be devastating to small and medium businesses."

The Taiwanese company is also expected to address the issue in its access point (AP) controllers with a V6.10 Patch1 that's set to be released in April 2021.

It's highly recommended that users install the necessary firmware updates to mitigate the risk associated with the flaw.

Source
mood Posted January 5, 2021

Hackers Start Exploiting Recently Disclosed Zyxel Vulnerability

Security researchers have observed the first attempts to compromise Zyxel devices using a recently disclosed vulnerability related to the existence of hardcoded credentials.

The attacks, currently small in numbers, target CVE-2020-29583, a vulnerability affecting several Zyxel firewalls and WLAN controllers that was publicly disclosed at the end of December.

Firmware updates that remove the bug are already available for some of the affected products, but attackers are seizing the moment, attempting to find vulnerable devices before patches have been applied.

Discovered by EYE security researchers, the issue impacts Zyxel USG, ATP, VPN, ZyWALL, and USG FLEX devices and exists because the password for the undocumented user account zyfwp is stored in the firmware in plaintext.

The account is meant for the automatic delivery of firmware updates over FTP and has admin privileges. Thus, attacks targeting vulnerable devices could lead to the compromise of entire networks, researchers warn.

Starting January 3, security researchers at GreyNoise, a company that collects and analyzes Internet-wide scan and attack data, observed the first attempts to exploit this so-called "backdoor account" on Zyxel devices, and they say the attacks do not appear to be targeted in nature, but rather opportunistic.

"Yesterday we saw one device start opportunistically attempting to login to servers on the internet over SSH using the 'backdoor' username and password disclosed by Zyxel for CVE-2020-29583. Today, we saw two more, bringing us to a total of three (3) devices," GreyNoise founder Andrew Morris told SecurityWeek via email.

While these are clear attempts to find and compromise vulnerable Zyxel devices that are exposed to the Internet, attribution is not as straightforward.

"One or more individuals, groups, organizations, or botnet operators" could be behind the attempts, Morris pointed out.

Source: Hackers Start Exploiting Recently Disclosed Zyxel Vulnerability
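A defender-side check, added here and not part of either post or of any Zyxel or GreyNoise tooling: the signal GreyNoise describes is SSH login attempts using the undocumented "zyfwp" account name, so a small scan over centrally collected sshd logs can surface both the sources trying it and any host where such a login succeeded. The log lines below are constructed, in OpenSSH syslog style; Zyxel's own log format is assumed to differ and would need its own pattern.

```python
import re
from collections import Counter

# Constructed sshd log lines for the demonstration (not real data).
SAMPLE_LOG = """\
Jan  4 02:11:07 edge sshd[4121]: Failed password for invalid user zyfwp from 203.0.113.7 port 51122 ssh2
Jan  4 02:11:09 edge sshd[4121]: Failed password for invalid user zyfwp from 203.0.113.7 port 51122 ssh2
Jan  4 02:12:30 edge sshd[4130]: Accepted password for alice from 192.0.2.10 port 40012 ssh2
Jan  4 02:13:01 edge sshd[4134]: Failed password for invalid user zyfwp from 198.51.100.23 port 60001 ssh2
Jan  4 02:14:44 edge sshd[4140]: Accepted password for zyfwp from 203.0.113.7 port 51130 ssh2
"""

# Matches OpenSSH password-auth results; "invalid user" is optional because
# sshd only emits it when the account does not exist on the host.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def scan_for_zyfwp(log_text, watch_user="zyfwp"):
    """Count login attempts per source IP that use the watched account name.

    Returns (attempts_by_source, accepted_sources): every attempt is an
    indicator of scanning for CVE-2020-29583; an accepted login means the
    account actually exists on that host and must be treated as a compromise.
    """
    attempts = Counter()
    accepted = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("user") != watch_user:
            continue
        attempts[m.group("src")] += 1
        if m.group("result") == "Accepted":
            accepted.add(m.group("src"))
    return attempts, accepted


if __name__ == "__main__":
    by_src, ok = scan_for_zyfwp(SAMPLE_LOG)
    for src, n in by_src.most_common():
        print(f"{src}: {n} attempt(s) as zyfwp{' [LOGIN ACCEPTED]' if src in ok else ''}")
```

On the sample data this reports three attempts from 203.0.113.7 (one accepted) and one from 198.51.100.23.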