Researchers at Eye Control security discovered a hard-coded admin-level backdoor account as a Zyxel firmware binary revealed username and password.
Admin-Level Backdoor Discovered in Zyxel Firewalls
A Dutch cybersecurity firm Eye Control’s team of security researchers has identified backdoor account in over 100,000 Zyxel firewalls, access point controllers, and VPN gateways. The hard-coded, admin-level account allows attackers to obtain root access to devices through the web administration panel or the SSH interface. Zyxel is a networking device manufacturer based in Hsinchu, Taiwan.
Easy to Exploit Vulnerability
Researchers stated that it is a serious issue in terms of vulnerabilities, and device owners must update their systems immediately. That’s because anyone can exploit it easily, from DDoS botnet operators to ransomware groups and state-sponsored hackers.
By abusing the backdoor account, cybercriminals can access vulnerable devices and infect internal networks to launch additional attacks. An attacker can log in to the device with administrative privileges and easily compromise the networking devices.
Researcher Niels Teusink states that this is a serious vulnerability because a threat actor can launch a range of attacks and ‘completely compromise the confidentiality, integrity, and availability of the device.
“Someone could, for example, change firewall settings to allow or block certain traffic. They could also intercept traffic or create VPN accounts to gain access to the network behind the device. Combined with a vulnerability like Zerologon, this could be devastating to small and medium businesses,” Teusink stated in a blog post.
Wide Range of Zyxel Devices At Risk
The vulnerability was dubbed as a critical firmware flaw and tracked as CVE-2020-29583 with a 7.8 CVSS score. It was found in the Zyxel firmware. The flaw impacts a wide range of Zyxel devices, mainly those running version 4.0. The affected module also includes enterprise-grade Zyxel devices. This includes the Unified Security Gateway (USG), ATP series, NCX series, USG FLEX series, and VPN series.
Around 10% of the 1000 devices in the Netherlands use the affected firmware version, stated Teusink, which is why the vulnerability is regarded as critical. Most of the impacted devices are used at the edge of the Taiwanese company’s network. If compromised, attackers can easily launch new attacks against internal hosts.
Zyxel Released a Patch
Teusink notified Zyxel about the vulnerability on Nov. 29. On Dec. 18, the company released a firmware patch, ‘ZLD V4.60 Patch1.’ Patches are currently available for the USG FLEx series, ATP Series, USG, and VPN series. The patch for the NCX series will be released in April 2021.
Company’s Official Security Advisory
The company also published an advisory explaining that the flaw was present in a hard-coded undocumented account, ‘ zyfwp,’ with an unchangeable password, ‘PrOw!aN_fXp.’ The password was stored in plaintext and could be potentially exploited by a malicious third party.
According to Zyxel, the hardcoded credentials were placed to automatically deliver firmware updates via FTP to the connected access points. The company will address this issue in its AP (access point) controllers with a V6.10 Patch 1 due to be released in April 2021. Users are urged to update to the company’s latest firmware to keep their devices protected.