Tag Archive for: ZyXEL

Zyxel warns of flaws impacting firewalls, APs, and controllers



Zyxel has published a security advisory to warn admins about multiple vulnerabilities affecting a wide range of firewall, AP, and AP controller products.

While the vulnerabilities aren’t rated as critical, they are still significant on their own and can be abused by threat actors as part of exploit chains.

Large organizations use Zyxel products, and any exploitable flaws in them immediately capture the attention of threat actors.

The four flaws disclosed in Zyxel’s advisory are the following:

  • CVE-2022-0734: Medium severity (CVSS v3.1 – 5.8) cross-site scripting vulnerability in the CGI component, allowing attackers to use a data-stealing script to snatch cookies and session tokens stored in the user’s browser.
  • CVE-2022-26531: Medium severity (CVSS v3.1 – 6.1) improper validation flaw in some CLI commands, allowing a local authenticated attacker to cause a buffer overflow or system crash.
  • CVE-2022-26532: High severity (CVSS v3.1 – 7.8) command injection flaw in some CLI commands, allowing a local authenticated attacker to execute arbitrary OS commands.
  • CVE-2022-0910: Medium severity (CVSS v3.1 – 6.5) authentication bypass vulnerability in the CGI component, allowing an attacker to downgrade from two-factor authentication to one-factor authentication via an IPsec VPN client.

The above vulnerabilities impact USG/ZyWALL, USG FLEX, ATP, VPN, NSG firewalls, NXC2500 and NXC5500 AP controllers, and a range of Access Point products, including models of the NAP, NWA, WAC, and WAX series.

Impacted firewall products (Zyxel)

Zyxel has released security updates that address the problems for most of the impacted models.

However, admins must request a hotfix from their local service representative for the AP controllers as a fix is not publicly available.

For the firewalls, USG/ZyWALL devices receive the fix in firmware version 4.72; USG FLEX, ATP, and VPN devices must upgrade to ZLD version 5.30; and NSG products receive the fix via v1.33 patch 5.

While these vulnerabilities are not critical, it is still strongly advised that network admins upgrade their devices as soon as possible.

This advice is especially important for US companies as we head into a holiday weekend when it is…


Cybercriminals Ramp Up Exploits Against Serious Zyxel Flaw – Threatpost




Critical bugs in dozens of Zyxel and Lilin IoT models under active exploit


Criminals are exploiting critical flaws to corral Internet-of-things devices from two different manufacturers into botnets that wage distributed denial-of-service attacks, researchers said this week. Both DVRs from Lilin and storage devices from Zyxel are affected, and users should install updates as soon as possible.

Multiple attack groups are exploiting the Lilin DVR vulnerability to conscript the devices into DDoS botnets known as FBot, Chalubo, and Moobot, researchers from security firm Qihoo 360 said on Friday. The latter two botnets are spinoffs of Mirai, the botnet that used hundreds of thousands of IoT devices to bombard sites with record-setting amounts of junk traffic.

The DVR vulnerability stems from three flaws that allow attackers to remotely inject malicious commands into the device. The bugs are: (1) hard-coded login credentials present in the device, (2) command-injection flaws, and (3) arbitrary file reading weaknesses. The injected parameters affect the device capabilities for file transfer protocol, network time protocol, and the update mechanism for network time protocol.


Biz & IT – Ars Technica