A critical vulnerability found by Dutch security specialists at EYE enables attackers to "completely compromise the confidentiality, integrity and availability" of more than 100,000 Zyxel firewalls, VPN gateways, and access point controllers.
As ZDNet reported, this underreported vulnerability stems from a hardcoded username and password with administrator privileges, effectively a backdoor account baked into the device. The backdoor lets attackers gain root access, that is, full control, over devices through both the SSH and web administration interfaces, according to the outlet. The affected firewalls running the ZLD V4.60 firmware include the ATP series, the USG series, the USG FLEX series, and the VPN series. The NXC2500 and NXC5500 AP controllers are also affected.
A full list of affected devices and their patches can be found here: https://businessforum.zyxel.com/discussion/5252/zld-v4-60-revoke-and-wk48-firmware-release
Niels Teusink, the senior cybersecurity expert at EYE who found the exposed username and password, said that the vulnerability could be catastrophic for small and medium-sized companies, especially when combined with other weaknesses. He added that the password was visible in plaintext in one of the device binaries.
"An attacker could completely compromise the confidentiality, integrity, and availability of the device," Teusink wrote in a vulnerability report. "Somebody could, for example, change the firewall settings to allow or block certain traffic. They might also intercept traffic or set up VPN accounts to gain access to the network behind the computer."
Teusink stressed that Zyxel—which provides network products to a broad range of customers, from consumers to businesses—is a familiar firewall brand for small and medium-sized enterprises. With many people now working from home, VPN-capable devices such as Zyxel's USG product line, which is often deployed as a firewall or VPN gateway, have been selling well lately.
Zyxel said that the exposed account was intended to deliver automatic firmware updates to connected access points over FTP. In a security advisory, the company strongly urged users to install the updates.
EYE disclosed the backdoor to Zyxel at the end of November and said that the company responded promptly and worked on a fix. Zyxel published its advisory at the end of December and provided patches for some, though not all, of the affected devices. For example, a patch for some of its AP controllers is not due until April.
Vulnerabilities like this have become increasingly common in recent years. In the case of VPNs, the Cybersecurity and Infrastructure Security Agency (CISA) warns that because these devices run around the clock, organizations are less likely to keep them current with the latest security updates and patches. Teusink echoed this, saying that in EYE's experience most users of the affected devices rarely update the firmware.
We've all got plenty to worry about without worrying about being hacked, so do your best to stop it.