Users of Zyxel Firewall and VPN devices should update their devices as the current firmware might have a backdoor account. Researchers found over 100,000 Zyxel devices vulnerable as a backdoor account with admin privileges existed in the firmware.
Backdoor Account Discovered In Zyxel Firewall
Researchers from the Dutch cybersecurity firm Eye Control have found a backdoor account in Zyxel firewall and VPN gateways.
As elaborated in their blog post, the researcher found the backdoor account when rooting the device Zyxel USG40. This account with the username ‘zyfwp’ had admin privileges.
I was surprised to find a user account ‘zyfwp’ with a password hash in the latest firmware version (4.60 patch 0). The plaintext password was visible in one of the binaries on the system. I was even more surprised that this account seemed to work on both the SSH and web interface.
The account remained invisible in the interface. Also, changing the account’s password was also not possible.
This account also existed in the previous device firmware, but it had no password at that time. However, in the current firmware of the device, it had an unchangeable exposed password “PrOw!aN_fXp”.
Investigating the matter further revealed that this vulnerability exposed around 100,000 devices globally to the internet.
Regarding the impact of this flaw, the researchers explained that an adversary could easily exploit the bug for devastating cyberattacks. As stated,
As the zyfwp user has admin privileges, this is a serious vulnerability… Someone could for example change firewall settings to allow or block certain traffic. They could also intercept traffic or create VPN accounts to gain access to the network behind the device. Combined with a vulnerability like Zerologon this could be devastating to small and medium businesses.
Patch Device Firmware Now
Upon finding the vulnerability, soon after it appeared in the device firmware, the researchers reached out to Zyxel.
Eventually, Zyxel addressed the hardcoded credential vulnerability (CVE-2020-29583) with the latest firmware release 4.60-WK48. Describing the details in an advisory, the vendors stated that this account was supposed to deliver automatic firmware updates to connected access points via FTP.
The vulnerability affected the Zyxel USG, ATP, VPN, ZyWALL, or USG FLEX, whereas, the VPN series running SD-OS remained unaffected.
Users may also check this list to know about all vulnerable devices and the respective firmware to download.