Friday, 15 January 2021 19:19

More than 100 thousand ZyXel firewalls and VPN gateways contained a backdoor

More than one hundred thousand firewalls, VPN gateways and access point controllers from Zyxel contained a hard-coded administrative backdoor account which could give cybercriminals root access to the devices through the SSH interface or the web administration panel. According to the RK Computer Incident Response Service, the dangerous account was discovered by specialists at Eye Control, based in the Netherlands. [Profit]

Owners of all affected devices were advised to update them as soon as possible, since the vulnerability is extremely serious. Attackers of any level, from DDoS botnet operators to state-sponsored groups and ransomware authors, can use the discovered backdoor account to penetrate internal networks. Vulnerable devices include popular enterprise-class models from Zyxel; such devices are typically used in private organizations and government networks. Experts have identified the following product lines whose owners are affected by the backdoor:

ATP series - used primarily as a firewall;

USG-series - used as a hybrid of a firewall and a VPN gateway;

USG FLEX series - also used as a firewall and VPN gateway;

VPN series - used exclusively as a VPN gateway;

NXC series - used as a WLAN AP controller.

To date, patches are only available for the ATP, USG, USG Flex and VPN series. According to an official Zyxel report, the NXC series will receive an update in April 2021. As researchers from Eye Control noted, the identified backdoor account used the username "zyfwp" and the password "PrOw!aN_fXp". All released patches close this undocumented access.

As the experts noted, the password was stored in plaintext in one of the system binaries. The account had root access on the device because it was used to install firmware updates.
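As an added illustration (not code from the article, from Eye Control or from Zyxel), the following Python script shows how a defender could audit a firmware image and its account database for the kind of hard-coded account described above: it extracts printable strings from a binary the way `strings` does, flags user:password pairs whose password part is shaped like a real secret, flags any string that names the undocumented account, and lists uid-0 accounts outside an allowlist. The firmware blob, the password value in it and the passwd-style lines are all constructed for this example; only the username "zyfwp" comes from the article.

```python
"""Audit a firmware image and its account database for hard-coded accounts.

Added example, not code from the article or from Zyxel. Assumptions: the
firmware is available as a raw byte blob and the device keeps a
/etc/passwd-style account file; the sample blob and passwd text below are
constructed for this demonstration.
"""
import re
from typing import Dict, List, Sequence

# Username of the undocumented account named in the article.
KNOWN_UNDOCUMENTED_USERS = {"zyfwp"}

# Runs of at least 6 printable ASCII bytes, the heuristic `strings` uses.
_PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")

# "user:password" pairs: a Unix-style username, a colon, then 8+ non-blank
# characters. A second filter (looks_like_secret) cuts down on false positives.
_CRED_PAIR = re.compile(r"^([A-Za-z][A-Za-z0-9_]{2,31}):([^\s:]{8,})$")


def extract_strings(blob: bytes) -> List[str]:
    """Return printable strings found in the blob, in file order."""
    return [m.group().decode("ascii") for m in _PRINTABLE.finditer(blob)]


def looks_like_secret(s: str) -> bool:
    """Mixed case plus at least one symbol: shaped like a generated password."""
    return (any(c.islower() for c in s)
            and any(c.isupper() for c in s)
            and any(not c.isalnum() for c in s))


def find_embedded_credentials(blob: bytes) -> List[Dict[str, str]]:
    """Flag strings that carry a credential pair or name an undocumented user."""
    hits: List[Dict[str, str]] = []
    for s in extract_strings(blob):
        pair = _CRED_PAIR.match(s)
        if pair and looks_like_secret(pair.group(2)):
            hits.append({"user": pair.group(1), "secret": pair.group(2),
                         "reason": "user:password pair"})
            continue
        for user in KNOWN_UNDOCUMENTED_USERS:
            if user in s:
                hits.append({"user": user, "secret": "",
                             "reason": "known undocumented username"})
    return hits


def unexpected_root_accounts(passwd_text: str,
                             allowlist: Sequence[str] = ("root",)) -> List[str]:
    """List uid-0 accounts in a passwd-style file that are not on the allowlist."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] not in allowlist:
            found.append(fields[0])
    return found


# Constructed sample firmware fragment: an ELF-like header, a path, a credential
# pair with a made-up password, a low-entropy pair that should NOT be flagged,
# and a maintenance message that names the undocumented account.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b"/usr/bin/fw_update\x00"
    + b"zyfwp:Ex4mple!Secret\x00"
    + b"admin:changeme\x00"
    + b"maintenance login: zyfwp\x00"
    + b"Copyright notice text\x00"
)

# Constructed passwd-style file with a second uid-0 account.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/sh\n"
    "admin:x:1000:1000::/home/admin:/bin/sh\n"
    "zyfwp:x:0:0::/:/bin/sh\n"
)

if __name__ == "__main__":
    for hit in find_embedded_credentials(SAMPLE_BLOB):
        print(f"[{hit['reason']}] user={hit['user']}")
    print("unexpected uid-0 accounts:", unexpected_root_accounts(SAMPLE_PASSWD))
```

On a real image, the string extraction alone produces thousands of lines, which is why the pair check requires a password-shaped value and the allowlist for uid-0 accounts is kept explicit: an undocumented root-equivalent account is exactly what the fix for this case removed, so its presence in a passwd file or in a firmware update tool is the finding to escalate.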