An Exposed Username and Password Leaves Over 100,000 Zyxel Firewalls and VPN Gateways Open to Severe Attacks

Photo: Nicolas Asfouri / AFP, Getty Images

A critical vulnerability discovered by a Dutch security specialist at EYE allows hackers to “completely compromise the confidentiality, integrity and availability” of more than 100,000 Zyxel firewalls, VPN gateways, and access point controllers.

Spotted by ZDNet, the underreported vulnerability stems from an administrator-level username and password shipped in the firmware, which amounts to a hardcoded backdoor into the devices. The backdoor lets attackers gain root access, meaning complete control, over the devices through both the SSH and the web administration interface, the outlet reported. Affected firewalls running firmware ZLD V4.60 include the ATP series, USG series, USG FLEX series, and VPN series. The NXC2500 and NXC5500 access point controllers are also affected.


A full list of affected devices and their patch status is available in Zyxel's advisory.

Niels Teusink, the senior cybersecurity specialist at EYE who discovered the exposed credentials, said the vulnerability could be devastating to small and medium-sized businesses, especially when combined with other vulnerabilities. He explained that the password was stored in plaintext and was visible in one of the binaries on the system.
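The plaintext password Teusink describes is exactly what a firmware audit can surface with a strings scan. The Python script below is an added example written for this page, not code from EYE, Zyxel or the original article; the firmware blob, the account name and the passwords in it are constructed placeholders, not the real Zyxel credentials. It extracts printable strings the way strings(1) does, flags key/value pairs that look like credentials, pairs each password with the nearest preceding username, and distinguishes a plaintext password from a crypt-style hash, which is the check that separates a shipped backdoor account from an ordinary hashed password entry.

```python
"""Heuristic scan of a firmware image for hard-coded credentials.

Added example, not code from the article, EYE or Zyxel. The sample
'firmware' below is constructed for this example; the account name and
passwords in it are placeholders, not the real Zyxel credentials.
"""
from __future__ import annotations

import re
from typing import Iterator

# A key that contains one of these words, followed by ':' or '=' and a value,
# e.g. "ftp_user=name" or "admin_passwd:secret". Case-insensitive.
_KV_RE = re.compile(
    r"(?i)^([a-z0-9_.-]*(?:user|login|pass|pwd)[a-z0-9_.-]*)\s*[:=]\s*(\S+)$"
)

# crypt(3)-style hash prefixes: $1$ (md5), $2a$/$2b$ (bcrypt), $5$/$6$ (sha),
# $y$ (yescrypt), $argon2id$ etc. A value starting like this is hashed, not plaintext.
_HASH_RE = re.compile(r"^\$(?:1|2[abxy]?|5|6|7|y|argon2[id]*)\$")


def extract_strings(data: bytes, min_len: int = 4) -> Iterator[tuple[int, str]]:
    """Yield (offset, text) for every run of >= min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    for m in re.finditer(pattern, data):
        yield m.start(), m.group().decode("ascii")


def find_credentials(data: bytes, window: int = 64) -> list[dict]:
    """Return credential-looking findings from a binary blob.

    A password-like string is paired with the most recent unpaired
    user-like string if it sits within `window` bytes before it.
    Each finding records whether the password value is plaintext.
    """
    findings: list[dict] = []
    pending_user: tuple[int, str] | None = None  # last unpaired user-like string

    for off, text in extract_strings(data):
        m = _KV_RE.match(text)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if re.search(r"(?i)pass|pwd", key):
            user = None
            if pending_user and off - pending_user[0] <= window:
                user = pending_user[1]
            pending_user = None
            findings.append({
                "offset": off,
                "key": key,
                "user": user,
                "password": value,
                "plaintext": not bool(_HASH_RE.match(value)),
            })
        else:
            pending_user = (off, value)
    return findings


# Constructed stand-in for a firmware binary: an ELF-like header fragment,
# a placeholder FTP update account stored in plaintext (the dangerous case),
# and a hashed entry that a scanner should report with lower concern.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"\x00" * 16
    + b"ftp_update_user=apupdate\x00"           # placeholder account name
    + b"ftp_update_passwd=Pr0d-Upd4te-2020\x00"  # placeholder plaintext password
    + b"\x00" * 8
    + b"root_pass=$6$rounds=5000$abc$xyz\x00"    # placeholder hashed entry
    + b"\x00" * 4
    + b"Version 4.60\x00"
)


def plaintext_findings(data: bytes) -> list[dict]:
    """Only the findings where the password is stored in the clear."""
    return [f for f in find_credentials(data) if f["plaintext"]]


if __name__ == "__main__":
    for f in find_credentials(SAMPLE_FIRMWARE):
        level = "PLAINTEXT" if f["plaintext"] else "hashed"
        print(f"0x{f['offset']:06x} {level:9} user={f['user']!r} {f['key']}={f['password']}")
```

Run it against a real image by reading the unpacked filesystem's binaries (for example with `open(path, "rb").read()`) in place of SAMPLE_FIRMWARE; expect noise from help text and format strings, and treat any plaintext hit with a working login as the finding that matters.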

“An attacker could completely compromise the confidentiality, integrity and availability of the device,” Teusink wrote in a report about the vulnerability. “Someone could for example change firewall settings to allow or block certain traffic. They could also intercept traffic or create VPN accounts to gain access to the network behind the device.”

Teusink highlighted that Zyxel — which provides network products to a variety of clients, from personal to enterprise — is a popular firewall brand for small and medium-sized businesses. Given that a lot of people are working from home, VPN-capable devices, such as Zyxel’s USG product line which is often used as a firewall or VPN gateway, have been selling well lately, he said.

Zyxel said the exposed account was designed to deliver automatic firmware updates to connected access points over FTP. In its advisory about the issue, the company urged users to install the applicable updates.

EYE reported the backdoor to Zyxel at the end of November and said the company responded promptly and proceeded to address the issue. Zyxel published its advisory about the incident in late December and has issued patches for some, but not all, of the affected devices. The patch for some of its AP controllers, for instance, will be released in April.


Vulnerabilities like these have become increasingly common in recent years. In the case of VPNs, the Cybersecurity and Infrastructure Security Agency warns that because they run around the clock, organisations are less likely to keep them updated with the latest security updates and patches. Teusink echoed this, saying that in EYE's experience most users of the affected devices do not update the firmware very often.

We already have enough to worry about without thinking about getting hacked, so do your best to avoid it.