Home>Blog>The Hacker News Headlines>Secret Backdoor Account Found in Several Zyxel Firewall, VPN Products
The Hacker News Headlines

Secret Backdoor Account Found in Several Zyxel Firewall, VPN Products

Zyxel Firewall, VPN Backdoor AccountZyxel Firewall, VPN Backdoor Account

Zyxel has released a patch to address a critical vulnerability
in its firmware concerning a hardcoded undocumented secret account
that could be abused by an attacker to login with administrative
privileges and compromise its networking devices.

The flaw, tracked as CVE-2020-29583[1]
(CVSS score 7.8), affects version 4.60[2]
present in wide-range of Zyxel devices, including Unified Security
Gateway (USG), USG FLEX, ATP, and VPN firewall products.

EYE researcher Niels Teusink[3]
reported the vulnerability to Zyxel on November 29, following which
the company released a firmware patch (ZLD V4.60 Patch1) on
December 18.

According to the advisory[4]
published by Zyxel, the undocumented account (“zyfwp”) comes with
an unchangeable password (“PrOw!aN_fXp“) that’s not only
stored in plaintext but could also be used by a malicious
third-party to login to the SSH server or web interface with admin
privileges.

Zyxel said the hardcoded credentials were put in place to
deliver automatic firmware updates to connected access points
through FTP.

Noting that around 10% of 1000 devices in the Netherlands run
the affected firmware version, Teusink said the flaw’s relative
ease of exploitation makes it a critical vulnerability.

“As the ‘zyfwp‘ user has admin privileges, this is a
serious vulnerability,” Teusink said in a write-up. “An attacker
could completely compromise the confidentiality, integrity and
availability of the device.”

“Someone could for example change firewall settings to allow or
block certain traffic. They could also intercept traffic or create
VPN accounts to gain access to the network behind the device.
Combined with a vulnerability like Zerologon[5]
this could be devastating to small and medium businesses.”

The Taiwanese company is also expected to address the issue in
its access point (AP) controllers with a V6.10 Patch1 that’s set to
be released in April 2021.

It’s highly recommended that users install the necessary
firmware updates to mitigate the risk associated with the flaw.

References

  1. ^
    CVE-2020-29583
    (nvd.nist.gov)
  2. ^
    version
    4.60     (businessforum.zyxel.com)
  3. ^
    Niels
    Teusink     (www.eyecontrol.nl)
  4. ^
    advisory
    (www.zyxel.com)
  5. ^
    Zerologon
    (thehackernews.com)

Read more

Leave a Reply

Powered By Anakyst UK Work done easy Discover Great Places People Websites in Nigeria. Be Discovered and Discover Great Places People Products & Websites in Nigeria. Tell us what you need to advertise online onradio ontv and where you want to advertise and discover talented publishers and advertisers within minutes for just a fraction of the cost!JobScout | Developed By Rara Theme. Powered by WordPress.