Security Incident Alert question

Martin_Kuchar

As is written in last Security Incident Alert email, we should restrict WAN to Zywall access to trusted IP addresses. If we do it, we will also kill all Secuextender VPN connections from not defined IP addresses?

mMontana

AFAIK yes. Consider L2TP as a possible temporary replacement.

Mario

Hi

At ATP with firmware 5.0 you have the optioin to change the SSL VPN Port.

But since Zyxel dosn't provide information about the problem, we don't know if this helps...

Suggest to disable VPN during Covid is also not a smart plan...

Martin_Kuchar

BTW, the security problem affects the ZLD firmware. What exactly is "ZLD" firmware?

mMontana

AFAIK firmware since 4.xx

Martin_Kuchar

thanks Mario and mMontana, but where the hell is Support Staff?? We need to know (not hope) if at least 2FA will safe us from the security problem! We cannot shut down VPN. And where is new, repaired firmware? Do Zyxel sleep? I am sure, my next router will be something with opensource firmware..

mMontana

@Martin_Kuchar I am no part of Zyxel and i do not endorse current behavior, but i would like to remind some... things.

• the head tech of Zyxel is in Taiwan, and if you don't know which is the "country" situation of Taiwan i suggest to take a ride on news to get a bigger picture of the situation.
  My timezone is -7 compared to Taiwan. IMVHO someone is still sleeping now. In the human way, not mocking them.
  Also, among Zyxel partners and offices, I don't know who's entitled to answer to questions without express authorization.
  
• Before any declaration, info must be accurate, verified. Currently the declaration is "close the doors". I also would like to know more about the issue, the way to solve it, but as far as I don't like to not know enough, i prefer it to "too many communications, sometimes contradictory".
• As stated in other places about other things (spectre-meltdown) i prefer a good solution (efficient, effective, stable, verified) instead of a quick and not so nice solution, maybe with bigger holes than the ones it's trying to close. Qualcomm issues with DSP few months ago should be a nice example.
  Also, FragAttack is taking tools for development (people, organization, testing, CPU power), the list of the involved devices is quite long.

Am I happy? No. My "security" device is not perfect.

Am I glad about not having the same features at this morning? No.

Am I glad of this problem Zyxel "delivered" to my devices? No. (Also, i would love to have OpenVPN unmodifed client for SSLVPN).

I received some useful info, i found issues, i complied to reduce footprint. If you (or who can take decisions into your company) is ready to take consequences for not reducing the footprint... it's your choice.

Zyxel_Vic

Hi @Martin_Kuchar

We apologized for the inconvinence caused, based on our investigation so far, a small subset of Zyxel security appliances is targeted. Enabel 2FA will definately help secure the network. Also, you may follow the mitigation SOP to configure limited remote access while SSL VPN is needed.
How to mitigate the threat by limiting the access sources — Zyxel Community

We are also working on a mitigation firmware with further countermeasures to mitigate the threat. Will keep everyone posted.

 

Asgatlat

hi all,
i'm really confused with this situation, when you go to the Zyxel's article in their mail : 
https://kb.zyxel.com/KB/searchArticle!viewDetail.action?articleOid=018137&lang=EN
it is saying FW4.62P2
so if we have 4.63 we are safe from this situation ? 

Mario

@Zyxel_Vic you wirte: Enabel 2FA will definately help secure the network

i agree, that 2FA is alway a good choice, but does it help in the current situation? according the mail, it's a bypass oft the auth, then a creation of a new user - this one dosn't have 2FA enabled...

can 2FA avoid this?

kyssling

Yes this is important Question : does it help in the current situation 2FA or not ? 

I dont want hurry implement 2FA, training office user "you must login SecuExtender, you must login your email for code, you must now login to web and paste code to browser" - please add 2FA to SecuExtender client ...