Security Incident Alert question


All Replies

  • Agor76
    Agor76 Posts: 42  Freshman Member
    mMontana said:
    I'm not pleased to have seen nothing more from Zyxel (or from representatives).
    Security devices and felons are on the line 24/7, and this kind of weakness in a device which enables remote connectivity should put on the line 24/7 the best efforts in research, testing, and customer care.
    Exactly, security devices are meant to protect us from malicious behaviors, but what we got here is that they're acting as the main vector for a possible breach. No device is immune from vulnerabilities today, but again, we're talking about firewalls; they're not something that you could simply shut down. Critical threats should be fixed immediately!!!
    I'm starting to think about moving away from Zyxel; silence is unacceptable for a company that makes security devices these days.
    By the way, thank you mMontana for sharing advice, at least we have our community.

    Agor
  • Mario
    Mario Posts: 106  Ally Member
    New Firmware for ATP is out. According to release note:
    [...]
    [ENHANCEMENT] To strengthen security access under Covid19 pandemic,
    given GeoIP feature by default on all devices.

    Thanks for this Zyxel!! Sti

  • mMontana
    mMontana Posts: 1,389  Guru Member
    As far as I can see, 4.64 is also out for "older devices".
    From the Changelog:

    Modifications in V4.64(AALA.0)C0 -2021/06/26
    1. [ENHANCEMENT] The new Initial Setup Wizard will facilitate user to enforce security policies against access to the web management interface and SSL VPN service (from the Internet).
    2. [ENHANCEMENT] Add Security Policy Check to spot out misconfiguration of security policies via pop-up window.
    3. [ENHANCEMENT] Add configuration change log of user object.
    4. [ENHANCEMENT] To strengthen security access under Covid19 pandemic, given GeoIP feature by default on all devices.
    5. [ENHANCEMENT] Support SSL VPN service port configurable

    This comes from the release notes for the USG40.

  • Zyxel_Vic
    Zyxel_Vic Posts: 282  Zyxel Employee
    edited June 2021
    Hi @mMontana, @ChipConnJohn, @Agor76
    Thanks for all your input and valuable sharing. 

    Based on our investigation so far, HTTPS is the primary attack vector, and once the attempt is successful, it results in symptoms such as unknown user accounts being created. We haven’t observed any direct correlation between this attack and the previous hardcoded account vulnerability.

    To assist with secure configuration, we released a new update that helps with the mitigation settings; you can easily complete the procedure by following the wizard. Here is the detailed information about this release:

    https://community.zyxel.com/en/discussion/10971/zld4-64-5-01-firmware-release#latest

  • Sconsulting
    Zyxel_Vic said:
    Hi @mMontana, @ChipConnJohn, @Agor76
    Thanks for all your input and valuable sharing.

    Based on our investigation so far, HTTPS is the primary attack vector, and once the attempt is successful, it results in symptoms such as unknown user accounts being created. We haven’t observed any direct correlation between this attack and the previous hardcoded account vulnerability.

    To assist with secure configuration, we released a new update that helps with the mitigation settings; you can easily complete the procedure by following the wizard. Here is the detailed information about this release:

    https://community.zyxel.com/en/discussion/10971/zld4-64-5-01-firmware-release#latest

    Hi @Zyxel_Vic

    So does this essentially mean that Zyxel does not know whether an actual remote code execution vulnerability exists? What do you exactly mean by "attack vector"? Are we talking about brute-forcing passwords or taking advantage of an actual RCE vulnerability in the firmware? Until now all of the communication from Zyxel has been extremely vague, leading to speculation and rumors. I can understand if Zyxel cannot release any details due to security matters; however, then it would be just a matter of announcing "we've identified the vulnerability and will provide a fix shortly". I just have the impression that Zyxel is clueless in terms of how the threat actors got in.

    The recent patch is nice in terms of offering the Geo-IP feature at no cost; however, this is only a workaround. Changing port numbers and limiting access on a geographical scope can be considered security by obscurity, which can be easily circumvented by a sophisticated threat actor.

    I'd appreciate it if Zyxel would release a clear PR statement of the current state of affairs without any vague language.

    Thank you.

  • mMontana
    mMontana Posts: 1,389  Guru Member
    Sconsulting said:
    The recent patch is nice in terms of offering the Geo-IP feature at no cost; however, this is only a workaround. Changing port numbers and limiting access on a geographical scope can be considered security by obscurity, which can be easily circumvented by a sophisticated threat actor.

    I'd appreciate it if Zyxel would release a clear PR statement of the current state of affairs without any vague language.

    Thank you.

    I stand by your opinion and share your concerns.
    On the other side, without solutions or info sharing, "stating the nothing" could be a double-edged sword for Zyxel, and I can understand why, until now, only "new firmware" is what has been told.

    Saying that I can understand does not mean that it'll be enough. Sooner or later I'm expecting disclosures on how the attack was completed and what has been done to avoid similar breaches in the future.

    Reducing the footprint is important, but a broken lock can't be considered safe with a bigger metal guard for the keyway.
