A critical vulnerability discovered by a Dutch security specialist at EYE allows hackers to “completely compromise the confidentiality, integrity and availability” of more than 100,000 Zyxel firewalls, VPN gateways, and access point controllers.
Spotted by ZDNet, the underreported vulnerability stems from an exposed username and password with administrator privileges, which is essentially a hardcoded backdoor into the devices. The backdoor allows hackers to gain root access (complete control) over the devices through both SSH and the web administration interface, the outlet reported. Affected firewalls running firmware ZLD V4.60 include the ATP series, USG series, USG FLEX series, and VPN series. The NXC2500 and NXC5500 AP controllers are also affected.
A full list of affected devices and their patches is available here.
Niels Teusink, the senior cybersecurity specialist at EYE who discovered the exposed username and password, said that the vulnerability could be devastating to small and medium-sized businesses when combined with others. The specialist explained that the plaintext password was visible in one of the binaries on the system.
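A plaintext credential embedded in a firmware binary is the kind of defect a firmware audit can catch before a device ships or is deployed. The following is an added example, not code from EYE, Zyxel or the original report: it pulls printable strings out of a binary blob the way the classic `strings` utility does and flags anything shaped like a `user:password` pair or a `password=` assignment, while skipping URL schemes (which also contain a colon and would otherwise be false positives). The sample blob, the `fwupdate` account name and every secret value in it are constructed for the demonstration and have no relation to the real Zyxel account.

```python
import re
import sys
from typing import List

# Minimum run of printable ASCII bytes to treat as a "string" (same default as `strings`).
MIN_LEN = 6
_PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")

# Heuristics for credential-shaped strings. These are deliberately narrow:
#  1. user:password pairs, but not URL schemes such as "http://..." (the (?!//) lookahead)
#  2. key=value / key: value assignments whose key names a secret
_CRED_PATTERNS = [
    re.compile(r"^[A-Za-z0-9_\-]{3,32}:(?!//)[^\s:]{6,}$"),
    re.compile(r"(?i)\b(passw(or)?d|pwd|secret)\s*[=:]\s*\S+"),
]


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return every run of at least `min_len` printable ASCII characters in `blob`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len) if min_len != MIN_LEN else _PRINTABLE
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def find_credential_candidates(blob: bytes) -> List[str]:
    """Strings from `blob` that match one of the credential heuristics above."""
    return [s for s in extract_strings(blob) if any(p.search(s) for p in _CRED_PATTERNS)]


def redact(candidate: str) -> str:
    """Mask everything after the first '=' or ':' so findings can be logged safely."""
    return re.sub(r"([=:])\S+$", r"\1****", candidate)


# Constructed stand-in for a firmware binary: an ELF-like header, some benign strings,
# a URL (should NOT be flagged), and two planted credential-shaped strings (should be flagged).
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 4
    + b"/usr/lib/libc.so\x00"
    + b"http://example.com/update\x00"
    + b"\xde\xad\xbe\xef"
    + b"fwupdate:Ex@mpleP4ss!\x00"        # hypothetical hardcoded service account
    + b"Copyright 2020 Acme\x00"
    + b"password=s3cretValue\x00"          # hypothetical config default
    + b"\x00" * 8
)


def audit(blob: bytes) -> List[str]:
    """Redacted report lines for every credential candidate found in `blob`."""
    return [redact(s) for s in find_credential_candidates(blob)]


if __name__ == "__main__":
    # Usage: python audit_strings.py <firmware.bin>   (defaults to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for line in audit(data):
        print("possible embedded credential:", line)
```

Heuristics like these produce both false positives and false negatives (a password stored obfuscated or split across fields will not surface), so treat a hit as a prompt for manual review of the surrounding code rather than a verdict, and always log the redacted form.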
“An attacker could completely compromise the confidentiality, integrity and availability of the device,” Teusink wrote in a report about the vulnerability. “Someone could for example change firewall settings to allow or block certain traffic. They could also intercept traffic or create VPN accounts to gain access to the network behind the device.”
Teusink highlighted that Zyxel, which provides network products to a variety of clients, from personal to enterprise, is a popular firewall brand for small and medium-sized businesses. Given that a lot of people are working from home, VPN-capable devices, such as Zyxel’s USG product line, which is often used as a firewall or VPN gateway, have been selling well lately, he said.
Zyxel said that the exposed account was designed to deliver automatic firmware updates to connected access points through FTP. In an advisory about the incident, the company affirmed that it urged users to install the applicable updates.
EYE reported the backdoor to Zyxel at the end of November and said the company responded promptly and proceeded to address the issue. Zyxel published its advisory about the incident in late December and has issued patches for some, but not all, of the affected devices. The patch for some of its AP controllers, for instance, will be released in April.
Vulnerabilities like these have become increasingly common in recent years. In the case of VPNs, the Cybersecurity and Infrastructure Security Agency warns that because they run 24/7, organizations are less likely to keep them current with the latest security updates and patches. This was echoed by Teusink, who stated that in EYE’s experience, most users of the affected devices do not update the firmware very often.