New Users added to Objects after firmware update
I have a question regarding the ZyWALL 110.
I recently updated the firmware to V4.63(AAAA.0). Today, I noticed two New Users added to Config > Object > User/Group. Are these default accounts? Can I delete them?
User name: manage
User name: zyxel_ts
Current devices: ZyWALL 110
Accepted Solution
-
We’re aware of the situation and have been working our best to investigate and resolve it.
In the interim, here’s a list of currently known to be the most effective ways to mitigate the impact:”
Scenario#1
If you allow traffic from Internet to your device with WebGUI and SSL VPN tunnel, you can follow these steps to protect your device.
1. Add IP address object(s) to trusted addresses or trusted countries.
(Configuration > Object > Address/GeoIP)
2. Allow trusted IP addresses and Deny others traffic from Internet
(Configuration > Security Policy > Policy Control)
#1. You can allow trusted IP addresses and WebGUI/SSL service ports from WAN side for access.
#2. Deny other IP addresses that you do not trust to access your WebGUI.
3. Change HTTPS connection port from the default 443 to another port (without conflicting with other services) and make sure that this port is added in policy control rule #1.
(Configuration > System > WWW)
Change HTTPS connection port. e.g 17443
After changing HTTPS Service port, you must reconnect to your device using the new port. If you would like to use SSL VPN tunnel to access your device, make sure that the public IP address of your PC is added in your Trusted IP List. While connecting to your device, make sure to enter the correct port in SecuExtender.
Scenario#2If there is no WebGUI/SSL VPN tunnel required, you can move the default rule (WAN_to_Device) as the first rule and keep the last rule as “deny”.
(Allowed services are for IPSec VPN/VRRP/GRE)
Make sure there is no HTTP/HTTPS WebGUI service port in service group.
We also suggest to change the admin password.
In addition, you can refer to our latest document “Best Practice to Secure a Distributed Network Infrastructure” to design and secure your network.
1
All Replies
-
yes - delete them. Also check to see if a test route was added to VPN > SSL VPN. If so, you should probably delete that also.
1 -
If your https service from wan is enabled, turn it off or change the port to another one.1
-
We’re aware of the situation and have been working our best to investigate and resolve it.
In the interim, here’s a list of currently known to be the most effective ways to mitigate the impact:”
Scenario#1
If you allow traffic from Internet to your device with WebGUI and SSL VPN tunnel, you can follow these steps to protect your device.
1. Add IP address object(s) to trusted addresses or trusted countries.
(Configuration > Object > Address/GeoIP)
2. Allow trusted IP addresses and Deny others traffic from Internet
(Configuration > Security Policy > Policy Control)
#1. You can allow trusted IP addresses and WebGUI/SSL service ports from WAN side for access.
#2. Deny other IP addresses that you do not trust to access your WebGUI.
3. Change HTTPS connection port from the default 443 to another port (without conflicting with other services) and make sure that this port is added in policy control rule #1.
(Configuration > System > WWW)
Change HTTPS connection port. e.g 17443
After changing HTTPS Service port, you must reconnect to your device using the new port. If you would like to use SSL VPN tunnel to access your device, make sure that the public IP address of your PC is added in your Trusted IP List. While connecting to your device, make sure to enter the correct port in SecuExtender.
Scenario#2If there is no WebGUI/SSL VPN tunnel required, you can move the default rule (WAN_to_Device) as the first rule and keep the last rule as “deny”.
(Allowed services are for IPSec VPN/VRRP/GRE)
Make sure there is no HTTP/HTTPS WebGUI service port in service group.
We also suggest to change the admin password.
In addition, you can refer to our latest document “Best Practice to Secure a Distributed Network Infrastructure” to design and secure your network.
1 -
What does this mean:"We’re aware of the situation and have been working our best to investigate and resolve it."Aganin a backdoor Account in a firmware upgrgrade?
0 -
Hi @MarioWe haven't observed any correlation about black account and we're investigating it and will keep you posted0
-
@Zyxel_Stanley Thanks for the information, also got the security alert over mail.Can you share some details, affectet firmware and IOC?@zigandzag writes about addet routes on the firewall, can you confirm?ThanksMario0
-
Hi @Mario
Based on our investigation so far, a small subset of Zyxel security appliances is targeted. Currently we haven’t observed any direct correlation with specific firmware versions. The most effective way is to check if there is any unknown SSL VPN user account, such as “zyxel_sllvpn”, “zyxel_ts”, or “zyxel_vpn_test”, has been created. If not, your device is not affected, and please follow the mitigations below as a precaution.0 -
We had an attack attempt over the weekend.
Here is the IP address and ports they used to attempt to access our device:
191.101.132.5:1943
191.101.132.5:28693
They used our private admin accounts - they had the names of our private admin accounts.
They were not able to access our device because we had disabled WAN access for admins.
I am very concerned that they had knowledge of our private admin names.
I will update the firewalls with the latest firmware that Zyxel just released.
0 -
Is there a way to disable the Web GUI from displaying?
Scenario:
1. Enter IP address into web browser
2. Our Zyxel firewall device Web GUI appears
We do not want the Web GUI to appear if our IP address is entered into a browser. Is there a way to disable it?
0
Categories
- All Categories
- 415 Beta Program
- 2.3K Nebula
- 141 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.5K Security
- 216 USG FLEX H Series
- 262 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1K Wireless
- 39 Wireless Ideas
- 6.3K Consumer Product
- 243 Service & License
- 382 News and Release
- 81 Security Advisories
- 27 Education Center
- 8 [Campaign] Zyxel Network Detective
- 3K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight