SSL VPN vulnerability of June 24th, 2021

If I'm understanding how this exploit works, Zyxel has hidden accounts in their devices that are being exploited to sign into the devices using SSL VPN.  (WTF! Hard coded accounts?!? Again?!?)

The 2FA is applied per user in the devices.

I cannot see these hidden accounts that are being used to gain access, so cannot turn on 2FA for those accounts.

Only solution is to shut off SSL VPN until there is a firmware fix or other solution?

I'd love to know I'm wrong here.  Am I?

All Replies

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 963  Zyxel Employee

    Hi @ChipConnJohn

    You can upgrade the firmware to version 4.64, which supports separating the WebGUI (HTTPS) and SSL VPN server ports.

    (Configuration > VPN > SSL VPN > Global Setting)
    You can change the SSL VPN Server port to another port (default is 443).

    Of course, you have to allow the SSL VPN service port from the WAN side in a policy control rule.

    And you can still block HTTPS from WAN for better protection.

    (Configuration > Security Policy > Policy Control)

    After changing the SSL VPN service port, the login portal is still accessible, but it doesn’t allow non-SSL VPN users to log in.

    If a user would like to build an SSL VPN tunnel, the user has to enter the correct service port in SecuExtender.

    If your device already has an unsafe configuration, you can check whether there is any unknown user in your configuration.

    If yes, you should remove the account and related rules to protect your network. (Configuration > Object > Users/Group)

    The screenshot is the user list in the 4.64 default configuration.

  • Zyxel_Vic
    Zyxel_Vic Posts: 246  Zyxel Employee
    Hi @ChipConnJohn
    Based on our investigation so far, HTTPS is the primary attack vector, and once the attempt is successful, it results in symptoms such as unknown user accounts being created. We haven’t observed any direct correlation between this attack and the previous hardcoded account vulnerability.
  • bind
    bind Posts: 5

    But the question is: do the attackers use a security breach in the http/s portal, or do the attackers use bad passwords to log in to the firewall?

  • Mario
    Mario Posts: 69  Ally Member
    @bind fully agree with you, this is the important question! Until now, we don't have this information.
    Let's ask @mMontana, he had attacked devices. Did you have strong passwords on your device and a lockout policy for bad logons?
  • mMontana
    mMontana Posts: 429  Master Member
    "Strong" is a big word.
    Never less than 8 characters, mixed uppercase, lowercase, numbers, no special chars (sometimes USGs do not take them that well). More recent ones are 14 characters, same pattern, no dictionary words.

    SSL VPN is not available to users, L2TP is mostly used (due to availability on all OSes without installing packages or buying licenses), IPsec with GreenBow is the second option.

  • Mario
    Mario Posts: 69  Ally Member
    Thanks for sharing. Was the "User Lockout Settings" enabled?
    If yes, I don't think this was bruteforce to get access.
  • bind
    bind Posts: 5
    Any news about that? Is there a security breach or not?

    I cannot just install a new firmware without the information about what happened!

    Please, Zyxel, give this information ASAP!

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 963  Zyxel Employee
    Hi @bind
    We are still investigating the issue and will release a patch as soon as we can to address this incident. You may follow the mitigation SOP to protect your private network until the firmware is ready.
  • ChipConnJohn
    ChipConnJohn Posts: 9
    For my part, I haven’t been able to make sense of the vulnerability given what Zyxel is telling us. I have locked down WAN->Device allowing only IPs I specify to access. It hasn’t been too bad. I sent an email last week apologizing and directing users to a site that gives their wan ip and they email or text it to me and I add it to the device. 
