Security Incident Alert question

Martin_Kuchar
Martin_Kuchar Posts: 38
First Comment Friend Collector Second Anniversary
 Freshman Member
As is written in last Security Incident Alert email, we should restrict WAN to Zywall access to trusted IP addresses. If we do it, we will also kill all Secuextender VPN connections from not defined IP addresses?
«13

All Replies

  • mMontana
    mMontana Posts: 1,208
    50 Answers 1000 Comments Friend Collector Third Anniversary
     Guru Member
    edited June 2021
    AFAIK yes. Consider L2TP as a possible temporary replacement.
  • Mario
    Mario Posts: 102
    Zyxel Certified Network Engineer Level 1 - Security First Comment Friend Collector Fourth Anniversary
     Ally Member
    Hi
    At ATP with firmware 5.0 you have the optioin to change the SSL VPN Port.

    But since Zyxel dosn't provide information about the problem, we don't know if this helps...
    Suggest to disable VPN during Covid is also not a smart plan...

  • Martin_Kuchar
    Martin_Kuchar Posts: 38
    First Comment Friend Collector Second Anniversary
     Freshman Member
    BTW, the security problem affects the ZLD firmware. What exactly is "ZLD" firmware?
  • mMontana
    mMontana Posts: 1,208
    50 Answers 1000 Comments Friend Collector Third Anniversary
     Guru Member
    AFAIK firmware since 4.xx
  • Martin_Kuchar
    Martin_Kuchar Posts: 38
    First Comment Friend Collector Second Anniversary
     Freshman Member
    thanks Mario and mMontana, but where the hell is Support Staff?? We need to know (not hope) if at least 2FA will safe us from the security problem! We cannot shut down VPN. And where is new, repaired firmware? Do Zyxel sleep? I am sure, my next router will be something with opensource firmware..
  • mMontana
    mMontana Posts: 1,208
    50 Answers 1000 Comments Friend Collector Third Anniversary
     Guru Member
    @Martin_Kuchar I am no part of Zyxel and i do not endorse current behavior, but i would like to remind some... things.

    • the head tech of Zyxel is in Taiwan, and if you don't know which is the "country" situation of Taiwan i suggest to take a ride on news to get a bigger picture of the situation.
      My timezone is -7 compared to Taiwan. IMVHO someone is still sleeping now. In the human way, not mocking them.
      Also, among Zyxel partners and offices, I don't know who's entitled to answer to questions without express authorization.
    • Before any declaration, info must be accurate, verified. Currently the declaration is "close the doors". I also would like to know more about the issue, the way to solve it, but as far as I don't like to not know enough, i prefer it to "too many communications, sometimes contradictory".
    • As stated in other places about other things (spectre-meltdown) i prefer a good solution (efficient, effective, stable, verified) instead of a quick and not so nice solution, maybe with bigger holes than the ones it's trying to close. Qualcomm issues with DSP few months ago should be a nice example.
      Also, FragAttack is taking tools for development (people, organization, testing, CPU power), the list of the involved devices is quite long.
    Am I happy? No. My "security" device is not perfect.
    Am I glad about not having the same features at this morning? No.
    Am I glad of this problem Zyxel "delivered" to my devices? No. (Also, i would love to have OpenVPN unmodifed client for SSLVPN).

    I received some useful info, i found issues, i complied to reduce footprint. If you (or who can take decisions into your company) is ready to take consequences for not reducing the footprint... it's your choice.
  • Zyxel_Vic
    Zyxel_Vic Posts: 269
    5 Answers First Comment Friend Collector Fifth Anniversary
     Zyxel Employee
    Hi @Martin_Kuchar
    We apologized for the inconvinence caused, based on our investigation so far, a small subset of Zyxel security appliances is targeted. Enabel 2FA will definately help secure the network. Also, you may follow the mitigation SOP to configure limited remote access while SSL VPN is needed.
    How to mitigate the threat by limiting the access sources — Zyxel Community

    We are also working on a mitigation firmware with further countermeasures to mitigate the threat. Will keep everyone posted.

     
  • Asgatlat
    Asgatlat Posts: 79
    First Comment Friend Collector Fifth Anniversary
     Ally Member
    hi all,
    i'm really confused with this situation, when you go to the Zyxel's article in their mail : 
    https://kb.zyxel.com/KB/searchArticle!viewDetail.action?articleOid=018137&lang=EN
    it is saying FW4.62P2
    so if we have 4.63 we are safe from this situation ?  :'(
  • Mario
    Mario Posts: 102
    Zyxel Certified Network Engineer Level 1 - Security First Comment Friend Collector Fourth Anniversary
     Ally Member
    @Zyxel_Vic you wirte: Enabel 2FA will definately help secure the network
    i agree, that 2FA is alway a good choice, but does it help in the current situation? according the mail, it's a bypass oft the auth, then a creation of a new user - this one dosn't have 2FA enabled...
    can 2FA avoid this?


  • kyssling
    kyssling Posts: 99
    First Comment First Answer Friend Collector Fifth Anniversary
     Ally Member
    Yes this is important Question : does it help in the current situation 2FA or not ? 

    I dont want hurry implement 2FA, training office user "you must login SecuExtender, you must login your email for code, you must now login to web and paste code to browser" - please add 2FA to SecuExtender client ...

Security Highlight