Zyxel has been tracking the recent activity of threat actors targeting Zyxel security appliances and has released firmware patches to defend against it. Updates now available! Users are advised to install the patches for optimal protection.
Based on our investigation, the threat actors attempt to access a device through WAN; if successful, they then try to log in with stolen, valid credentials or bypass authentication, and to establish SSL VPN tunnels with existing or newly created users accounts, such as “zyxel_sllvpn”, “zyxel_ts”, or “zyxel_vpn_test”, to manipulate the devices’ configuration.
Zyxel has been collaborating with third-party security researchers to track the threat actors’ activities. Based on our investigation, they could be abusing a combination of attack vectors, including:
- Valid user credentials that they had previously harvested from the breach of past known vulnerabilities, potentially CVE-2020-29583 or CVE-2020-9054, were completely fixed in March and December 2020. We’ve observed the threat actors logging in using legitimate user-defined credentials with admin privileges, and in some cases, they also created new admin accounts.
- A newly uncovered authentication bypass vulnerability tracked as CVE-2021-35029, that did not properly sterilize input strings and could allow an adversary to gain access.
VPN, ZyWALL, USG, ATP, USG FLEX Series in On-Premise Mode with remote management or SSL VPN enabled are vulnerable.
Those running the Nebula cloud management mode are NOT affected.
How to find out if your firewall is affected?
Affected Firmware Version:
ZLD V4.35 to ZLD 5.01
(date codes and weekly version user, please follow the Mitigation SOP] We are working on a weekly version that includes these fixes and release them separately as soon as possible.
Zyxel has released standard firmware patches that remain the definitive solution to the issues for the affected models, as listed in the table below. The patches also include additional security enhancements based on users’ feedback and security researchers’ advice, which we strongly recommend users install immediately for optimal network protection.
Thanks to the Spike Reply Cyber Security Team for working with us to investigate and fix this issue.
(You can use Online Firmware Update Service as the fastest way to upgrade the firmware)
How to upgrade USG devices via cloud-service
|All devices/All updates in one package||Download|
|USG FLEX 100||Download|
|USG FLEX 100W||Download|
|USG FLEX 200||Download|
|USG FLEX 500||Download|
|USG FLEX 700||Download|
Release Notes and Guidance Steps:
Vulnerability fix for web-based management interface of Zyxel USG/ZyWALL, USG FLEX, ATP and VPN series
- Two-Factor Authentication Enhancement
Supports configurable 2FA service port.
[Object -> Auth. Method -> Two-Factor Authentication -> Authorized Port
- Security Check Enhancement
Disables HTTP port automatically while allowing WAN management in security
- Password Change Reminder
Reminds privileged accounts to change their passwords for security.
- Security Policy Check
Shows misconfiguration of security policies through a pop-up notification, along with firmware update and change password reminder.
The Security Check will pop up after the firmware update finish and the admin logs in to the device.
Preview Example of filled out Security Check for Web Interface
The WAN access should belong to your Company WAN IP/Admin only access IP.
The SSL VPN should belong to the free GeoIP feature, i.e. Germany and Austria. If this is the area, your SSL VPN workers will log in to the device. After creating this Security Check, you can add more IPs or countries by Firewall settings.
It's recommended to separate "SSL VPN Port" from "WAN Port for Admin Login", the VPN worker can, i.e. use Port 8443 to login with SSL VPN, where the Admin Login access is fully restricted.
If you are unsure about this step, click "Cancel" and follow the Mitigation steps below in this article.
- Log Enhancement
Provides a log history when the user object has been changed.
You can identify with the Category "User" and Syslog Server or an E-Mail Alert if a user has login/log out of your device or an admin user is created or deleted. Setting up a Syslog Server entry on a USG.
- Initial Setup Wizard Enhancements
Helps users to enforce security policies against access to the web management interface and SSL VPN service from the Internet.
- Configurable SSL VPN and WAN Access
Separates access options on SSL VPN and WAN Access service.
How to use SSL VPN on a different port than the Web GUI
- GeoIP is now a Complimentary Feature.
Built-in GeoIP feature to strengthen security access-which is now available free of charge for the entire firewall range.
How to use the GeoIP feature
How to find out if your firewall is affected?
The following behaviour can potentially be a reason that you are affected:
- VPN Issues
- Routing Issue
- Traffic Issue
- Unknown Configuration parameters
- Additional Admin creation
One or multiple configuration changes shows up if your device is affected:
- Unknown Admin Accounts Created
[Configuration -> Object -> User/Group setting]
Fix Action: Delete all unknown Admin and User accounts
The User/Admin creation will be at the bottom (the last one in the list). Few examples could be:
(manage, zyxel_sllvpn, sslvpn_index, zyxel_ts, etc...) others/new unknown could happen too.
The accounts are usually at the bottom/last page of your account list.
- Unknown Policy Route created
[Configuration -> Routing -> Policy Route]
Fix Action: Delete Policy Route 1 if conditions matching
The Policy Route screen usually shows at position 1 an unknown Policy Route.
LAN1_Subnet -> to any -> Next-Hop -> AUTO
LAN1_Subnet -> to any -> Next-Hop -> VPN Tunnel
- Unknown Secure Policy/Firewall Rule created
[Configuration -> Secure Policy]
Fix Action: Delete the firewall rule, showing "loseang" in the description.
A newly created firewall rule show up, with the description "loseang" and usually the way "WAN to ZyWALL".
- Unknown SSL VPN Setup
[Configuration -> SSL VPN]
Fix Action: Delete the "SSL VPN" setup group/user
Typically a user named "zyxel_ts" or "zyxel_sllvpn" or "sslvpn_index" or "zyxel_vpn_test" is created and or this is the name of SSL VPN setup.
What can you do if you found the above mentioned points on your device?
1) Repair the device:
- Fix Action: Delete all unknown Admin and User accounts
- Fix Action: Delete Policy Route 1 if conditions matching
- Fix Action: Delete the firewall rule, showing "loseang" in the description
- Fix Action: Delete the "SSL VPN" setup group/user
2) Protect this device with the following changes and upgrade to the latest release firmware a
All protection changes are summarized in this video file:
a) Review the Firewall configuration (mandatory)
- Only allow Source IP, which is permitted to ZyWALL Zone Setup Assistance.
- Protect this with the GeoIP Country feature from your location Setup Assistance
- Make sure to set up all other not trusted connections from WAN to ZyWALL into a "deny" rule lower position as the allow rules.
b) Port Changes (suggest)
[Be careful - so modify Firewall first, and if you self connect by SSL VPN, it will reconnect you, don't block yourself]
- Change the port of HTTPS to another port. Setup Assistance
- Change the port for SSL VPN to another port which is not overlapping with HTTPS GUI Port
(ZLD 5.0 feature) Setup Assistance
c) Password changes (mandatory)
- Change the admin password
d) Setup 2-factor Login (optional) Setup Assistance
If you have any further questions or concerns about your network security, please contact our support team by submitting completing the support form here, or give us a call at 800-255-4101 option 5.