Zyxel Firewall and AP Controllers contain Credential vulnerability

Reference: Advisory #2021-0001
Version: 1.0
Affected software:
* Zyxel ATP series running firmware ZLD V4.60
* Zyxel USG series running firmware ZLD V4.60
* Zyxel USG FLEX series running firmware ZLD V4.60
* Zyxel VPN series running firmware ZLD V4.60
* Zyxel NXC2500 running firmware V6.00 through V6.10
* Zyxel NXC5500 running firmware V6.00 through V6.10
Type: Hardcoded Credential Vulnerability
CVE/CVSS: CVE-2020-29583 (CVSS 7.8)

Sources

Official Manufacturer: https://www.zyxel.com/support/CVE-2020-29583.shtml
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-29583

Risks

Firewall products are used to protect internal network infrastructure.
An adversary could use this credential vulnerability, found in the firmware, to gain remote administrative access to the device via its SSH server or the web interface.
Administrative access could be used to create additional users and VPN connections to gain access to the network(s) protected by the firewall.

Description

Specific versions of the Zyxel firewall and AP controller firmware contain a credential vulnerability. The user account (zyfwp) is undocumented and its password is stored in clear text within the firmware. The account was designed to deliver automatic firmware updates to connected access points through FTP.

Recommended Actions

* CERT.be recommends upgrading Zyxel firewall firmware to version “ZLD V4.60 Patch1”.
* CERT.be recommends using Two-Factor Authentication (2FA) protection for admin and VPN connections configured on these devices.
* CERT.be recommends upgrading Zyxel AP controller firmware to version “V6.10 Patch1” as soon as the patch from the manufacturer becomes available (08 Jan 2021).
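
To decide which devices need the upgrades listed above, the affected ranges from this advisory can be applied to an asset inventory. The following is an added example, not part of the original advisory and not Zyxel or CERT.be code; the inventory format, the sample model names and the function names are assumptions.

```python
import re

# Affected ranges and fixed releases exactly as listed in this advisory.
# Each rule is (lowest affected, highest affected, release that has "Patch1").
FIREWALL = ((4, 60), (4, 60), (4, 60))  # ZLD V4.60, fixed in ZLD V4.60 Patch1
AP_CTRL = ((6, 0), (6, 10), (6, 10))    # V6.00 through V6.10, fixed in V6.10 Patch1
FAMILIES = {"USG FLEX": FIREWALL, "ATP": FIREWALL, "USG": FIREWALL,
            "VPN": FIREWALL, "NXC2500": AP_CTRL, "NXC5500": AP_CTRL}

VERSION_RE = re.compile(r"V(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?", re.IGNORECASE)


def parse_firmware(text):
    """Return ((major, minor), patch) from e.g. 'ZLD V4.60 Patch1', or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2))), int(m.group(3) or 0)


def classify(model, firmware):
    """Return 'affected', 'not affected' or 'unknown' for one inventory row."""
    name = re.sub(r"^\s*zyxel\s+", "", model, flags=re.IGNORECASE).upper()
    rule = next((r for fam, r in FAMILIES.items() if name.startswith(fam)), None)
    parsed = parse_firmware(firmware)
    if rule is None or parsed is None:
        return "unknown"  # unlisted model or unreadable version: review by hand
    version, patch = parsed
    low, high, fixed = rule
    if not (low <= version <= high):
        return "not affected"
    if version == fixed and patch >= 1:
        return "not affected"  # running the patched release
    return "affected"


def triage(rows):
    """Map each (model, firmware) inventory row to its status."""
    return {model: classify(model, fw) for model, fw in rows}


# Constructed sample inventory: (model, firmware string as recorded by the admin).
SAMPLE = [("USG FLEX 100", "ZLD V4.60"), ("ATP200", "ZLD V4.60 Patch1"),
          ("NXC2500", "V6.05"), ("NXC5500", "V6.10 Patch1"), ("USG40", "ZLD V4.35")]

if __name__ == "__main__":
    for model, status in triage(SAMPLE).items():
        print(f"{model:14} {status}")
```

Rows reported as "unknown" should be checked manually rather than treated as safe.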

References

Manufacturer:
- https://www.zyxel.com/support/CVE-2020-29583.shtml
- https://businessforum.zyxel.com/discussion/5254/whats-new-for-zld4-60-pa...

Mitre:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29583

NVD:
- https://nvd.nist.gov/vuln/detail/CVE-2020-29583

Initial disclosure by EYE:
- https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-produc...

Other:
- https://businessforum.zyxel.com/discussion/5252/zld-v4-60-revoke-%20and-...
- https://www.cisecurity.org/advisory/a-vulnerability-in-zyxel-firewall-an...
- https://cisomag.eccouncil.org/over-100000-zyxel-devices-vulnerable-to-se...