Zyxel’s Ridiculous Backdoor: Happy New Year, Now Patch Your Gear

Zyxel, maker of business-class networking gear, “accidentally” introduced a backdoor into its latest firmware. The hidden admin account can give hackers access to the networks of businesses and government agencies.

There are patches available, so get a wiggle on. IT staff shouldn’t think they’re going to ease into the new year.

Careless or deliberate? In today’s SB Blogwatch, we ask the inevitable questions.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: baby deer.

Taiwanese Trash

What’s the craic? Ravie Lakshmanan reports—“Secret Backdoor Account Found in Several Zyxel … Products”:

 A hardcoded, undocumented secret account … could be abused by an attacker to login with administrative privileges. [It] affects version 4.60 present in a wide range of Zyxel devices, including Unified Security Gateway (USG), USG FLEX, ATP, and VPN firewall products.

The company released a firmware patch (ZLD V4.60 Patch1) on December 18. … The undocumented account … comes with an unchangeable password … that’s not only stored in plaintext but could also be used by a malicious third-party. … It’s highly recommended that users install the necessary firmware updates to mitigate the risk associated with the flaw.

Uh, yeah, you think? Catalin Cimpanu adds—“Backdoor account discovered in more than 100,000 Zyxel firewalls, VPN gateways”:

 [The] backdoor account … can grant attackers root access to devices via either the SSH interface or the web administration panel. [It] is considered as bad as it gets in terms of vulnerabilities.

Anyone ranging from DDoS botnet operators to state-sponsored hacking groups and ransomware gangs could abuse this backdoor. … Affected models include many of Zyxel’s top products from its line of business-grade devices, usually deployed across private enterprise and government networks.

Security flaws in Pulse Secure, Fortinet, Citrix, MobileIron, and Cisco devices have often been exploited to attack companies and government networks. The new Zyxel backdoor could expose a whole new set of [organizations] to the same type of attacks that we’ve seen over the past two years.

And Duncan Riley drives the point home: [You’re fired—Ed.]

 This isn’t the first time vulnerabilities have been found in Zyxel devices. … A study from the Fraunhofer Institute for Communication in July named Zyxel along with AsusTek Computer Inc., Netgear Inc., D-Link Corp., Linksys, TP-Link Technologies Co. Ltd. and AVM Computersysteme Vertriebs GmbH as having a range of security issues.

Who discovered it? Niels Teusink tells you what to do and when to do it—“Undocumented user account in Zyxel products (CVE-2020-29583)”:

 If you have a Zyxel USG, ATP, VPN, ZyWALL or USG FLEX you should update to the latest firmware version today. … This is a serious vulnerability: An attacker could completely compromise the confidentiality, integrity and availability of the device.

When doing some research (rooting) on my Zyxel USG40, I was surprised to find a user account ‘zyfwp’ with a password hash. … It seemed the vulnerability had been introduced in the latest firmware version … 4.60.

As SSL VPN on these devices operates on the same port as the web interface, a lot of users have exposed port 443 of these devices to the internet. … I was able to identify … more than 100,000 devices. … Combined with a vulnerability like Zerologon this could be devastating.
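Teusink found the account by pulling apart the firmware and reading the password database. The check below is an added example, not code from the original post or from Zyxel: it audits an extracted root filesystem's /etc/passwd and /etc/shadow and flags every account that can actually authenticate, so an undocumented entry stands out. The sample files, every hash in them, and the "documented accounts" list are constructed for the demo; the real zyfwp entry's fields are not given on this page.

```python
"""Flag login-capable accounts in an extracted firmware root filesystem.

Added example, not code from the original post or from Zyxel. The
/etc/passwd and /etc/shadow samples below are constructed; every hash,
uid and comment field in them is made up.
"""
import os

NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin", "/dev/null"}


def parse_colon_file(text):
    """Parse passwd/shadow-style lines into {name: [field, ...]}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries


def classify_secret(field):
    """'none' (empty: no credential needed), 'shadow' (look in /etc/shadow),
    'locked' ('!' or '*' prefix) or 'hash' (a crypt(3) string is present)."""
    if field == "":
        return "none"
    if field == "x":
        return "shadow"
    if field.startswith(("!", "*")):
        return "locked"
    return "hash"


def audit_accounts(passwd_text, shadow_text, documented=frozenset({"root", "admin"})):
    """Return {name: [reason, ...]} for every account that can authenticate.

    `documented` is the set of accounts the vendor manual admits to; it is an
    assumption of this example, not a list taken from Zyxel's documentation.
    """
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = {}
    for name, fields in passwd.items():
        if len(fields) < 7:
            continue  # malformed line; a real audit would report it
        uid, shell = fields[2], fields[6]
        kind, where = classify_secret(fields[1]), "passwd"
        if kind == "shadow":
            where = "shadow"
            # 'x' with no shadow entry never matches a password: treat as locked
            kind = classify_secret(shadow[name][1]) if name in shadow else "locked"
        if kind == "locked":
            continue
        reasons = []
        if kind == "none":
            reasons.append("empty password field: login needs no credential")
        else:
            reasons.append(f"usable password hash in /etc/{where}")
            if where == "passwd":
                reasons.append("hash is world-readable (stored in /etc/passwd)")
        if uid == "0" and name != "root":
            reasons.append("uid 0: root-equivalent alias")
        if shell in NOLOGIN_SHELLS:
            reasons.append("no shell, but other services checking this hash still accept it")
        if name not in documented:
            reasons.append("not in the documented account list")
        findings[name] = reasons
    return findings


def audit_firmware_root(root):
    """Run the audit against an extracted rootfs (e.g. binwalk output)."""
    with open(os.path.join(root, "etc", "passwd")) as f:
        passwd_text = f.read()
    shadow_path = os.path.join(root, "etc", "shadow")
    shadow_text = ""
    if os.path.exists(shadow_path):
        with open(shadow_path) as f:
            shadow_text = f.read()
    return audit_accounts(passwd_text, shadow_text)


# Constructed sample data (not from any real firmware image).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:admin:/home/admin:/bin/sh
zyfwp:x:1002:1002:fw updater:/tmp:/bin/sh
ops:x:0:0:ops alias:/root:/bin/sh
support:$1$c0nstru$ctedPasswdHashXXXXXXXX:1001:1001:support:/tmp:/bin/sh
guest::1003:1003:guest:/tmp:/bin/sh
svc:x:1004:1004:service:/var/svc:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""
SAMPLE_SHADOW = """\
root:$6$c0nstru$ctedRootHashXXXXXXXXXXXXXX:18600:0:99999:7:::
daemon:*:18600:0:99999:7:::
admin:$6$c0nstru$ctedAdminHashXXXXXXXXXXXXX:18600:0:99999:7:::
zyfwp:$1$c0nstru$ctedZyfwpHashXXXXXXXXXXXXX:18600:0:99999:7:::
ops:$6$c0nstru$ctedOpsHashXXXXXXXXXXXXXXX:18600:0:99999:7:::
svc:$6$c0nstru$ctedSvcHashXXXXXXXXXXXXXXX:18600:0:99999:7:::
nobody:!:18600:0:99999:7:::
"""

if __name__ == "__main__":
    for name, reasons in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{name}: " + "; ".join(reasons))
```

Point `audit_firmware_root()` at the directory binwalk or a squashfs extractor produced. A nologin shell is deliberately not treated as a pass: the web panel and SSL VPN on these devices check credentials independently of the login shell, so any account with a usable hash is a finding until the vendor explains it.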

What’s worse than an easily exploited backdoor? Brama knows what:

 What’s worse is that Zyxel had a 2016 CVE for having a hardcoded plain text password in the firmware to elevate privileges of any user. This one’s worse as it doesn’t even need a non-privileged user.

And these are mostly corporate devices too. This level of not giving a **** when you’re in that business should end said business.

Although that’s too lenient for stareatgoats:

 You seem to assume that this was a mistake. What is to say that this was not deliberately planted albeit with plausible deniability?

But not very plausible, amirite? Aethedor has the solution:

 How about throw it in the trashcan and buy a new one from a more trustworthy manufacturer? This is totally unacceptable.

Hang on, though. spiderseverywhere blames the putative victim:

 Password authenticated SSH should never be exposed to the internet. If for some reason you have to have SSH available for remote connecting outside of a VPN tunnel, it should be set up to accept certificate-based authentication only.
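Turning passwords off in OpenSSH is easy to get wrong in two ways that this added example (not code from the post or its commenters) checks for: sshd takes the first value it sees for a keyword and silently ignores later ones, and with UsePAM yes the keyboard-interactive method still prompts for the same account password even after PasswordAuthentication no. Both sshd_config texts below are constructed for the demo.

```python
"""Audit sshd_config for password logins the way sshd itself reads it.

Added example, not from the original post. Two sshd rules matter: the
first value seen for a keyword wins (later lines are ignored), and
keyboard-interactive authentication via PAM still prompts for the account
password when PasswordAuthentication is no. The config texts below are
constructed for the demo.
"""
import re

# sshd's compiled-in defaults for the keywords this audit cares about.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitemptypasswords": "no",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "usepam": "no",
}
# ChallengeResponseAuthentication is the pre-8.7 name for the same setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_global(text):
    """Return the global-scope settings, first value per keyword winning.

    Lines after the first 'Match' block apply only to matching connections,
    so the global audit stops there (Match blocks deserve their own review)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def audit_sshd(text):
    """Return a list of findings that mean a password can still log in."""
    s = {**DEFAULTS, **effective_global(text)}
    findings = []
    if s["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: password logins accepted")
    if s["kbdinteractiveauthentication"] == "yes" and s["usepam"] == "yes":
        findings.append("keyboard-interactive via PAM still accepts the account password")
    if s["permitemptypasswords"] == "yes":
        findings.append("PermitEmptyPasswords yes")
    if s["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root can log in with a password")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication off: no key-based alternative remains")
    return findings


# Constructed: someone appended 'no' at the end, but the first value wins.
WEAK_CONFIG = """\
Port 22
PasswordAuthentication yes
PermitRootLogin yes
UsePAM yes
PasswordAuthentication no
"""

# Constructed: key-only logins globally; the Match block only affects one subnet.
HARDENED_CONFIG = """\
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PermitRootLogin prohibit-password
PubkeyAuthentication yes
UsePAM yes
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_sshd(cfg) or ["ok: no password path found"])
```

On a live host, `sshd -T` prints the effective values after all of this parsing and is the authoritative check; the script is for auditing config files pulled off a device or out of a firmware image where you cannot run the daemon.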

Meanwhile, sjames misquotes Arthur C. Clarke:

 Sufficiently crappy coding practices are indistinguishable from malice.

And Finally:

In a time of worry, we all need a little Yann Tiersen.

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Marie Bellando-Mitjans (via Unsplash)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
