The App Patrol signature release V1.0.0.20220310.0 may cause parsing errors on devices in both on-premises / standalone and cloud modes. The application patrol daemon will not work after updating to this new signature, but the rest of the UTM features keep running. In the worst case, the device may get stuck if it is rebooted afterwards, whether manually or by schedule.
Which devices are affected?
ATP and USG FLEX with Firmware 5.00 Patch 0 - 5.21 Patch 0 and Application Signature Version: V1.0.0.20220310.0 in On-Premise or Nebula Mode.
How can I check if I am affected?
The device is not rebooted:
Check under Configuration -> Licensing -> Signature Update if the "App Patrol" Signature is Version: V1.0.0.20220310 - If yes, you are affected.
Please continue with the Solution.
If your device was already rebooted and is stuck with the Sys LED blinking:
You are affected; please follow the Recovery Steps and SOP.
Solution:
For Nebula Cloud:
The Firmware will be ready on 3/16. Please wait 1 more day before executing the upgrade.
A firmware update that fixes the issue is ready; please upgrade to firmware 5.21 Patch 1.
You can do this as described in: How to upgrade USG devices via cloud-service
Also, you can download the files from here and do it manually.
Upgrading the firmware of your security gateway/appliance device done properly (USG FLEX/ATP/VPN)
[It makes no difference whether you apply the firmware fix to the Standby or the Running partition]
Download Firmware Package (All Model)
Device Model | Firmware Code | Download 5.21 Patch 1 Release Fix |
USG20-VPN | ABAQ | Download Now! |
USG20W-VPN | ABAR | Download Now! |
ATP100 | ABPS | Download Now! |
ATP100W | ABRW | Download Now! |
ATP200 | ABFW | Download Now! |
ATP500 | ABFU | Download Now! |
ATP700 | ABTJ | Download Now! |
ATP800 | ABIQ | Download Now! |
USG FLEX 100 | ABUH | Download Now! |
USG FLEX 100W | ABWC | Download Now! |
USG FLEX 200 | ABUI | Download Now! |
USG FLEX 500 | ABUJ | Download Now! |
USG FLEX 700 | ABWD | Download Now! |
Release Notes:
1. App Patrol signature V1.0.0.20220310.0
Fixed a parsing error in the Application signature V1.0.0.20220310.0. It could cause an error condition that led to connectivity disruption.
2. High CPU Usage
Fixed an abnormal CPU load issue.
3. Zyxel-SI-1392, Zyxel-SI-1400
An authentication bypass vulnerability was found in the CGI program of ZLD firmware that could allow an attacker to bypass the web authentication and obtain administrative access to the device.
Affected Version: ATP Series: ZLD V4.32 Patch0 through ZLD V5.20 Patch0/USG FLEX Series: ZLD V4.50 Patch0 through ZLD V5.20 Patch0/VPN Series: ZLD V4.30 Patch0 through ZLD V5.20 Patch0
4. Zyxel-SI-1396
A cross-site scripting (XSS) vulnerability was found in the CGI program of ZLD firmware that could allow an attacker to execute malicious scripts through the web interface.
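The affected ranges stated above (App Patrol signature: ATP and USG FLEX from 5.00 Patch 0 to 5.21 Patch 0; authentication bypass: per-series ranges up to V5.20 Patch0) can be checked across a fleet with a short script. This is an added example, not Zyxel code; the inventory, its field names and the issue labels are constructed for illustration, and firmware strings are assumed to be written as "5.21 Patch 1" or "ZLD V5.20 Patch0".

```python
import re

# Version ranges and the signature version come from the advisory text above.
BAD_SIG = re.compile(r"V1\.0\.0\.20220310(\.0)?")  # the GUI may omit the trailing ".0"
APP_PATROL = {"ATP": ((5, 0, 0), (5, 21, 0)), "USG FLEX": ((5, 0, 0), (5, 21, 0))}
AUTH_BYPASS = {"ATP": ((4, 32, 0), (5, 20, 0)),
               "USG FLEX": ((4, 50, 0), (5, 20, 0)),
               "VPN": ((4, 30, 0), (5, 20, 0))}

def parse_fw(text):
    """Turn '5.21 Patch 1' or 'ZLD V5.20 Patch0' into (5, 21, 1) or (5, 20, 0)."""
    m = re.search(r"(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def _in_range(fw, table, series):
    bounds = table.get(series)  # a series without an entry is not listed as affected
    return bounds is not None and bounds[0] <= fw <= bounds[1]

def assess(dev):
    """Return the issues from the advisory that apply to one inventory record."""
    fw = parse_fw(dev["firmware"])
    series = dev["series"].strip().upper()
    sig = dev.get("app_patrol_sig", "").strip()
    issues = []
    if _in_range(fw, APP_PATROL, series) and BAD_SIG.fullmatch(sig):
        issues.append("app-patrol-signature")  # upgrade before any reboot
    if _in_range(fw, AUTH_BYPASS, series):
        issues.append("auth-bypass")           # Zyxel-SI-1392 / Zyxel-SI-1400
    return issues

INVENTORY = [  # constructed sample records (hypothetical device names)
    {"name": "branch-1", "series": "USG FLEX", "firmware": "5.20 Patch 0",
     "app_patrol_sig": "V1.0.0.20220310"},
    {"name": "hq", "series": "ATP", "firmware": "5.21 Patch 0",
     "app_patrol_sig": "V1.0.0.20220310.0"},
    {"name": "vpn-gw", "series": "VPN", "firmware": "ZLD V4.35 Patch0"},
    {"name": "lab", "series": "ATP", "firmware": "5.21 Patch 1",
     "app_patrol_sig": "V1.0.0.20220310.0"},
]

def report(inventory=INVENTORY):
    return {dev["name"]: assess(dev) for dev in inventory}

if __name__ == "__main__":
    for name, issues in report().items():
        print(f"{name:10} {', '.join(issues) or 'ok'}")
```
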
Prevention:
[Only do this step if you don't want to upgrade to the 5.21 Patch 1 fix and need to reboot the device with the currently running firmware; it protects the device in that case] - Not the recommended way!
If your environment is very critical or you expect a power outage, please use the following prevention command:
1.) Create an SSH or Web console Session
2.) Execute command: packet-trace extension-filter -w /db/etc/app_patrol/.md5sum
3.) Press Ctrl + C to terminate packet-trace (stop it)
4.) You can close the Window now
5.) Reboot the device now if you see the same output as Step 2!
Recovery Steps and SOP:
If your device has already run into this issue because of a reboot, we will assist you in recovering the device as far as is technically possible.
Preparation of Recovery
The first mandatory thing you will need is a Console / RS232 cable to start with the recovery. The recovery needs to be done On-Site and is not doable by a Remote Session.
Establish a Connection to Device
Baud Rate: 115200!
It's impossible to recover the device by pushing the Reset button or by flashing the firmware via FTP!
On-Premise / Standalone Recovery (for Nebula, please scroll down!)
Step 1 - Switch Partition & Backup Configuration
We try to achieve the following in the next steps!
1) Connect the console cable as explained in "Preparation of Recovery"
The issue looks like this:
2) Restart the device and enter debug mode by typing on the keyboard, e.g., pressing the Enter key multiple times, when the console is ready ("Enter Debug Mode.....")
Your configuration files may be located in:
Partition 1: Enter now: atcd 1
or
Partition 2: Enter now: atcd 2
One of them should boot successfully (SYS LED stops flashing). Please wait 15 minutes after Step 4!
3) Choose atcd 1 to load the partition number 1 or atcd 2 to boot partition number 2
4) Type atgo to reboot the device and boot from the other partition.
[Wait for max. 10 minutes now and check if Sys LED will be steady green]
[If you have previously saved the latest version and you have a local backup of your configuration, you can skip Step 5-8]
5) When the device is successfully booted (Sys not blinking anymore), go into FTP in Windows by typing ftp://192.168.1.1 (or the LAN IP of the device)
6) Enter username and password [Credentials may be admin / 1234 or an older admin password]
7) Go into the new Window that popped up and go into Standby_Conf
8) Download all configuration files and identify the right one by opening them in an editor!
USG / ATP Series - Explaining the device partitions and the different types of configuration files
9) Open, for example, the "startup-config.conf" which should be the latest configuration file and check the Firmware Version in Header
Make sure to upgrade to firmware version 5.21 Patch 1 so that the configuration is read correctly.
Security Products - Firmware Overview and History Downloads for FLEX, ATP, USG, VPN, ZYWALL
10) Apply the firmware to the device on the RUNNING partition and reboot it.
11) Apply the configuration backup on the running partition after a successful reboot
The result after Step 11)
RUNNING (previously the standby, as you changed it) is working with Firmware, for example, 5.20
STANDBY (the one which can't boot up) is waiting for the new Firmware Release to FIX it.
12) Upgrade the "STANDBY Partition" to 5.21 Patch 1
If you get stuck with the recovery SOP for any reason, feel free to get in touch with our Support Team for assistance in your local language - How to contact the Support Team?
Nebula Recovery Process
Step 1 - Switch Partition & Backup Configuration
1) Connect the console cable as explained in "Preparation of Recovery"
2) Restart the device and enter debug mode by typing on the keyboard
Your configuration files may be located in:
Partition 1: atcd 1
or
Partition 2: atcd 2
One of them should boot successfully (SYS LED stops flashing). Please wait 15 minutes after Step 4!
3) Choose atcd 1 to load the partition number 1 or atcd 2 to boot partition number 2
4) Type atgo to reboot the device and boot from the other partition.
[Wait for max. 15 minutes now and check if Sys LED will be steady green]
[At this stage the device will not come online in Nebula, as it's not in Nebula Mode; please follow the next steps!]
5) Press the RESET button on the device for 15 seconds
6) Log in to the device Web GUI again and choose Nebula Mode to connect the device to Nebula.
[Check Step 7, if you can't see this GUI]
[If the WAN interface uses a static IP or PPPoE, please configure the WAN settings after choosing Nebula Mode]
Note: You can skip this step if the WAN interface uses DHCP. The device will connect to the cloud automatically after the WAN interface gets its IP address.
7) If you can't see Nebula GUI, the Firmware may be too old or stuck in Activation Wizard.
Go to this Page and download 5.20 Firmware ZIP File: Security Products - Firmware Overview and History Downloads for FLEX, ATP, USG, VPN, ZYWALL.
Then unpack the .zip file and manually upload the .bin file to the device.
8) Now RESET the device again
9) Now, you need to do the ZTP Process: How to register a USG FLEX/ATP/USG20(w)-VPN gateway in Nebula Control Center (NCC)
a) Un-Register the device from Nebula (copy Serial Number and Mac Address)
b) Re-Register the device into Nebula
c) Assign a device to the site
d) Choose "ZTP Deployment" - NOT NATIVE MODE! - configure WAN settings if not DHCP
e) An E-Mail with a Link is sent to you. Execute the link for configuration
f) The device is back online in Nebula now
If you get stuck on any of the procedures, please contact our support team.