SSL VPN vulnerability of June 24th, 2021
The 2FA is applied per user in the devices.
I cannot see these hidden accounts that are being used to gain access, so cannot turn on 2FA for those accounts.
Only solution is to shut off SSL VPN until there is a firmware fix or other solution?
I'd love to know I'm wrong here. Am I?
All Replies
-
You can upgrade firmware to 4.64 version which support to separates WebGUI(HTTPS) and SSL VPN server port.
(Configuration > VPN > SSL VPN > Global Setting)
You can change SSL VPN Server port to others.(default is 443)Of cause you have to allow SSL VPN service port from WAN side in policy control rule.
And you still could block HTTPS from WAN for better protection.
(Configuration > Security Policy > Policy Control)
After changing SSL VPN service port, the login portal still accessible, but it doesn’t allow non-SSL VPN user to login.If user would like to build SSL VPN tunnel, then user have to enter correct service port in SecuExtender.
If your device already exist unsafe configuration, you can make sure if there is any unknown user in your configuration.
If yes, you should remove the account and related rules to protect your network. (Configuration > Object > Users/Group)
The screenshot is user list in 4.64 default configuration.
0 -
Hi @ChipConnJohn
Based on our investigation so far, HTTPS is the primary attack vector, and once the attempt is successful, it results in symptoms such as unknown user accounts being created. We haven’t observed any direct correlation between this attack and the previous hardcoded account vulnerability.
0 -
Hi
But the question is: Use the attackers a security breach in the http/s portal or use the attackers bad passwords to login to the firewall?
Thanks!0 -
"Strong" is a big word.Never less than 8 characters, mixed maiuscole, minuscole, numbers, no special chars (sometimes USGs do not take them that well). More recent ones are 14 charachters, same pattern, no dictionary words.SSL VPN is not available to users, L2TP is mostly used (due to availability on all OSes without install packages or buy licenses), IpSec with GreenBow is the second option.0
-
Thanks for sharing. Was the "User Lockout Settings" enabled?If yes, I don't think this was bruteforce to get access.0
-
Into "User Lockout Settings", "logon retry limit" is enabled. AFAIK this is default for devices, and i never disable that.5
-
Any news about that? Is there a security breach or not?
I cannot only install a new firmware without the information what happend!
Please zyxel give this information asap!
Thanks!0 -
Hi @bind
we are sitll investigate the issue and will release patch as soon as we can to address this incident. You may follow mitigation SOP to protect your private network until firmware is ready.0 -
For my part, I haven’t been able to make sense of the vulnerability given what Zyxel is telling us. I have locked down WAN->Device allowing only IPs I specify to access. It hasn’t been too bad. I sent an email last week apologizing and directing users to a site that gives their wan ip and they email or text it to me and I add it to the device.1
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 147 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight