Tricky backdoor discovered in Zyxel firewalls

According to a report from the Dutch security company Eye, Zyxel Networks has left an open admin account on some firewalls and access points. At least Zyxel reacted quickly.


According to a report from bleepingcomputer.com, more than 100,000 Zyxel firewalls and access point controllers contain a security vulnerability that allows external access to an admin account. The Dutch security company Eye discovered the gaping hole in the latest firmware, version 4.60, of some Zyxel devices. Apparently, a hard-coded access account was left behind in a patch file.

The software of the devices can be maintained via this access account, which has the user name zwyfp and a fixed password. The credentials are not visible in the user administration, nor can the password be changed there, but according to the security advisor Niels Teusik, access is possible via SSH as well as via the web interface. The access can therefore still be used, especially since SSL VPN connections also run over the same port as the web interface and many users keep port 443 open.

Security gap plugged for the majority

The security company Eye had already been able to identify 3000 vulnerable Zyxel devices in the Netherlands. The vulnerability was discovered at the end of November. Zyxel has since withdrawn the firmware version ZLD V4.60 and replaced it with a patch. Zyxel devices of the USG, ATP, VPN, ZyWALL and USG FLEX series are affected.

The security vulnerability is not completely harmless and was probably "overlooked". After all, it only took a few days for the security updates to be made available. About a week after the vulnerability became known, Zyxel provided a first security update. According to Eye, the second patch was then provided for most devices as early as December 15, 2020, and another for all other affected access point controllers and firewalls on December 18.

However, WLAN access point controllers (for example, the NXC2500 and NXC5500 models) are also affected, for which a patch from Zyxel is not expected until around April.

Source: Eye/Heise

 
