al capone
Advanced
- Joined
- 13.09.20
- Messages
- 159
- Reaction score
- 2,106
- Points
- 93
The vulnerability affects many popular Zyxel products from the line of business-class devices, usually deployed in private corporate and public networks.
image
Devices have a hard-coded zyfwp account with an immutable password. A remote attacker who is not authenticated can access the affected system via ssh or the web interface, using hard-coded credentials, and gain administrator privileges. The vulnerability has a maximum degree of danger - 10 points on the CVSS scale.
$ ssh [email protected]
Password: PrOw!aN_fXp
Router> show users current
No: 1
Name: zyfwp
Type: admin
(...)
Router>
According to a representative of Zyxel, the account is not associated with any malicious activity, and was only used to deliver automatic firmware updates via FTP. Zyxel recommends that you install the appropriate updates immediately. The vulnerability affects many popular Zyxel products from the line of business-class devices, usually deployed in private corporate and public networks. This includes the following devices:
Advanced Threat Protection (ATP) series - used primarily as a firewall
Unified Security Gateway (USG) series - used as a hybrid firewall and VPN gateway
USG FLEX series - used as a hybrid firewall and VPN gateway
VPN series - used as a VPN gateway
NXC series - used as a WLAN access point controller
Zyxel was informed of the problem at the end of November and partially fixed the vulnerability on December 18. The vulnerability is fixed in the ZLD V4.60 Patch1 firmware, and for the NXC2500 and NXC5500 access point controllers, the fix will be released in April 2021.
Security experts warn that any attacker, from DDoS botnet operators to state-sponsored hacker groups and ransomware gangs, can use this built-in account to access vulnerable devices and further infiltrate internal networks. The problem is compounded by the fact that the VPN service and the web interface for managing the device use port 443 by default, which is why many users left port 443 open for external requests and, thus, in addition to the VPN connection point, left the ability to log in to the web interface. According to preliminary estimates, more than 100 thousand vulnerable devices with open port 443 are available on the network.
Last year, Zyxel fixed a critical vulnerability in its network storage (NAS) systems that was already exploited by cybercriminals in real-world attacks. The CVE-2020-9054 vulnerability allowed an unauthorized attacker to remotely execute arbitrary code. Because of this, an attacker can exploit the vulnerability by including certain characters in the user name, and implement commands with web server privileges. Then, using the device's built-in setuid utility, it can run commands with superuser privileges.
image
Devices have a hard-coded zyfwp account with an immutable password. A remote attacker who is not authenticated can access the affected system via ssh or the web interface, using hard-coded credentials, and gain administrator privileges. The vulnerability has a maximum degree of danger - 10 points on the CVSS scale.
$ ssh [email protected]
Password: PrOw!aN_fXp
Router> show users current
No: 1
Name: zyfwp
Type: admin
(...)
Router>
According to a representative of Zyxel, the account is not associated with any malicious activity, and was only used to deliver automatic firmware updates via FTP. Zyxel recommends that you install the appropriate updates immediately. The vulnerability affects many popular Zyxel products from the line of business-class devices, usually deployed in private corporate and public networks. This includes the following devices:
Advanced Threat Protection (ATP) series - used primarily as a firewall
Unified Security Gateway (USG) series - used as a hybrid firewall and VPN gateway
USG FLEX series - used as a hybrid firewall and VPN gateway
VPN series - used as a VPN gateway
NXC series - used as a WLAN access point controller
Zyxel was informed of the problem at the end of November and partially fixed the vulnerability on December 18. The vulnerability is fixed in the ZLD V4.60 Patch1 firmware, and for the NXC2500 and NXC5500 access point controllers, the fix will be released in April 2021.
Security experts warn that any attacker, from DDoS botnet operators to state-sponsored hacker groups and ransomware gangs, can use this built-in account to access vulnerable devices and further infiltrate internal networks. The problem is compounded by the fact that the VPN service and the web interface for managing the device use port 443 by default, which is why many users left port 443 open for external requests and, thus, in addition to the VPN connection point, left the ability to log in to the web interface. According to preliminary estimates, more than 100 thousand vulnerable devices with open port 443 are available on the network.
Last year, Zyxel fixed a critical vulnerability in its network storage (NAS) systems that was already exploited by cybercriminals in real-world attacks. The CVE-2020-9054 vulnerability allowed an unauthorized attacker to remotely execute arbitrary code. Because of this, an attacker can exploit the vulnerability by including certain characters in the user name, and implement commands with web server privileges. Then, using the device's built-in setuid utility, it can run commands with superuser privileges.