Is the user "manage" a "new default" from Zyxel?

mMontana
mMontana Posts: 424  Master Member
As topic title...

Best Answer

  • mMontana
    mMontana Posts: 424  Master Member
    Accepted Answer
    Closing time...
    Upgraded firmware to latest 4.65. "Uninvited" user deleted. Feeling better now.

Answers

  • Mario
    Mario Posts: 69  Ally Member

    Just got an important mail from Zyxel, about this topic. Take care about this!
    What kind of device do you have? What firmware version?

    ---- Mail from today ---

    Dear Customer,

    We recently became aware of a sophisticated threat actor targeting a small subset of Zyxel security appliances that have remote management or SSL VPN enabled, namely in the USG/ZyWALL, USG FLEX, ATP, and VPN series running on-premise ZLD firmware. Those running the Nebula cloud management mode are not affected.

    We’re aware of the situation and have been working our best to investigate and resolve it. The threat actor attempts to access a device through WAN; if successful, they then bypass authentication and establish SSL VPN tunnels with unknown user accounts, such as“zyxel_sllvpn”, “zyxel_ts”, or “zyxel_vpn_test”, to manipulate the device’s configuration.

    Based on our investigation so far, we believe maintaining a proper security policy for remote access is currently the most effective way to reduce the attack surface; therefore, we strongly recommend that you follow the guidance and the SOP below:

     

    1.

    Unless you must manage devices from the WAN side, disable HTTP/HTTPS services from WAN.

    2.

    If you still need to manage devices from the WAN side:

    enable Policy Control and add rules to only allow access from trusted source IP addresses; and

    enable GeoIP filtering to only allow access from trusted locations.



  • mMontana
    mMontana Posts: 424  Master Member
    edited June 24
    These words were written about 1h30m ago...

    Answering to myself: no.

    I was suspecting that and i deleted the user from the firewalls, also applying a rule for lock out HTTPS access via WAN (hope to see you soon, SSLVPN).


    These words are timed as post time
    I manage several devices:
    USG20-VPN
    USG20W-VPN
    USG44
    USG60
    USG60W

    All of these were subsequently:
    • disabled public HTTPS access (allowed from LAN and IPSec)
    • removed "managed" user from user list (no other unknown users currently present)
    • de-activated SSL-VPN feature
    For all devices, version 4.63 "first one released" (not this one), hoping that @Zyxel_Cooldia or anybody for him/her could tell us a way for differentiate the two firmware releases.

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 963  Zyxel Employee
    Hi @mMontana
    Based on our investigation so far, a small subset of Zyxel security appliances is targeted. Currently we haven’t observed any direct correlation with specific firmware versions. The most effective way is to check if there is any unknown SSL VPN user account, such as “zyxel_sllvpn”, “zyxel_ts”, or “zyxel_vpn_test”, has been created. If not, your device is not affected, and please follow the mitigations below as a precaution. 

  • mMontana
    mMontana Posts: 424  Master Member
    edited June 25
    SSL VPN and public HTTPS access to devices are now not working for avoid another external and unwanted access.
    I hope you'll find soon the vulnerability and patch it.
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 963  Zyxel Employee

    Hi @mMontana

    You can upgrade firmware to 4.64 version which support to separates WebGUI(HTTPS) and SSL VPN server port.

    (Configuration > VPN > SSL VPN > Global Setting)
    You can change SSL VPN Server port to others.(default is 443)


    Of cause you have to allow SSL VPN service port from WAN side in policy control rule.

    And you still could block HTTPS from WAN for better protection.

    (Configuration > Security Policy > Policy Control)

    After changing SSL VPN service port, the login portal still accessible, but it doesn’t allow non-SSL VPN user to login.

    If user would like to build SSL VPN tunnel, then user have to enter correct service port in SecuExtender.

    If your device already exist unsafe configuration, you can make sure if there is any unknown user in your configuration.

    If yes, you should remove the account and related rules for protect your network. (Configuration > Object > Users/Group)

    The screenshot is user list in 4.64 default configuration.


Security Highlight