If you are using ZyXEL, better patch and pray…
If you remember Edward Snowden, then you probably remember him revealing that Cisco and a few others were regularly putting backdoors into their routers and firewalls. Well, another firewall and infrastructure device vendor, ZyXEL, was recently discovered to be doing the same.
According to recent (Merry Christmas & Happy New Year!) research by the Dutch cybersecurity company Eye Control, a secret user account “zyfwp” was added to customers’ firewalls by firmware patch 4.6. If that wasn’t bad enough, the password for that new account is quite easily obtainable.
We will not list the password here, but it looks like a short version of “professional wide open area network experience”.
We have also reached out to CERT-EE, the cybersecurity centre of the Information System Authority of Estonia, and got a clear suggestion from its Executive Director, Tõnu Tammer:
“Security vulnerabilities are regularly found in many products and those are described with official CVEs (Common vulnerability and exposure). However, it’s also important to understand (and we know it well) that some vulnerabilities are not officially acknowledged and companies deploy software updates with those unofficial vulnerabilities. So, I advise all companies to regularly update the products they use but not to expect that the newest version will be free of security holes or some sort of asylum.”
So, if you are using ZyXEL Advanced Threat Protection (ATP), Unified Security Gateway (USG), ZyWALL, VPN or USG Flex devices, make sure to patch. According to ZyXEL’s own website, most of the products can be patched to remove this security disaster with the latest December patch. The only ones left vulnerable until January are the ZyXEL NXC AP controllers.
Unfortunately, the practice of leaving backdoors and unprotected accounts is still rampant, and if you want your firewalls to be safe, make sure that none of these security weaknesses are left:
- Make sure that admin accounts are not “default” after every patch
- Deploy identity & access management practice/tools
- Ask your security partner to keep track of Darknet & security forums
- Use Network Detection and Response (NDR) for spotting abnormal traffic
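The first item on that list, checking that no unexpected, privileged or default-password accounts survive a firmware update, is easy to automate once the device’s local account list can be exported. The script below is an added example written for this article; it is not part of the original post and not ZyXEL tooling. The inventory fields (`role`, `enabled`, `password_default`) and the export format are assumptions, and the two inventories are constructed sample data; only the account name “zyfwp” comes from the research cited above.

```python
"""Post-patch local account audit for a firewall or gateway.

Compares the account inventory exported from a device after a firmware
update against a baseline captured before the update and reports every
account the operator did not create or approve.  The field names below are
assumptions about an export format, not a vendor's real schema.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    role: str               # assumed values: "admin", "limited-admin", "user"
    enabled: bool
    password_default: bool  # True if the password is still a factory/default one


def audit_accounts(baseline, current, approved_admins):
    """Return (severity, message) findings, most severe first.

    baseline:        accounts exported before the patch
    current:         accounts exported after the patch
    approved_admins: names the operator has explicitly approved for the admin role
    """
    findings = []
    before = {a.name: a for a in baseline}
    after = {a.name: a for a in current}

    for name, acct in after.items():
        # An account that did not exist before the patch is exactly the
        # zyfwp pattern: vendor-added, undocumented, and often privileged.
        if name not in before:
            sev = "critical" if (acct.role == "admin" and acct.enabled) else "high"
            findings.append((sev, f"account '{name}' appeared after patch "
                                  f"(role={acct.role}, enabled={acct.enabled})"))
        elif acct.role != before[name].role:
            findings.append(("high", f"account '{name}' role changed "
                                     f"{before[name].role} -> {acct.role}"))
        # Any enabled admin that is not on the approved list is a finding,
        # whether it is new or was silently elevated.
        if acct.role == "admin" and acct.enabled and name not in approved_admins:
            findings.append(("critical", f"unapproved admin account '{name}' is enabled"))
        # Default credentials on an enabled account defeat every other control.
        if acct.enabled and acct.password_default:
            findings.append(("high", f"account '{name}' still uses a default password"))

    for name in before:
        if name not in after:
            findings.append(("info", f"account '{name}' removed by patch"))

    order = {"critical": 0, "high": 1, "info": 2}
    findings.sort(key=lambda f: order[f[0]])   # stable sort keeps discovery order
    return findings


# Constructed sample inventories (not real device exports).
BASELINE = [
    Account("admin", "admin", True, False),
    Account("netops", "limited-admin", True, False),
]
CURRENT = [
    Account("admin", "admin", True, False),
    Account("netops", "limited-admin", True, False),
    Account("zyfwp", "admin", True, True),   # undocumented account with a fixed password
]
APPROVED_ADMINS = {"admin"}


if __name__ == "__main__":
    for severity, message in audit_accounts(BASELINE, CURRENT, APPROVED_ADMINS):
        print(f"[{severity.upper()}] {message}")
```

Run it against the export taken immediately after every firmware update, not just once: the point of the baseline is that it is refreshed only when a human has reviewed and approved the differences.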
CYBERS is helping many companies solve issues like this by providing a 24/7 Security Operations Centre (SOC) and reviewing the cyber security measures in place.
Please contact us if you are an existing ZyXEL customer and our team will help you react to this issue.