ZLD4.64 & 5.01 Firmware release

Zyxel_Stanley Posts: 1,075  Zyxel Employee
edited July 2021 in Security

Dear Customer,

We recently became aware of a sophisticated threat actor targeting a small subset of Zyxel security appliances that have remote management or SSL VPN enabled. This mitigation firmware will actively guide users to follow general security best practices to reduce the attack surface. The new features include: 

  • Initial Setup Wizard Enhancements

Helps users to enforce security policies against access to the web management interface and SSL VPN service from the Internet.

  • Security Policy Check

Shows misconfiguration of security policies through a pop-up notification, along with firmware update and change password reminder.

  • Configurable SSL VPN and WAN Access  

Separates access options on SSL VPN and WAN Access service.

  • Log Enhancement

Provides a log history when the user object has been changed.

  • GeoIP Now a Complimentary Feature

Built-in GeoIP feature to strengthen access security, now available free of charge for the entire firewall range.


Release Date: June 28th, 2021

Supported Models:
Firmware ZLD4.64: ZyWALL USG Series/ZyWALL 110/310/1100
Firmware ZLD5.01: ZyWALL ATP Series/USG FLEX Series/VPN Series

All Replies

  • So the actual security hole isn't fixed? 
  • mMontana
    mMontana Posts: 582  Guru Member
    edited June 2021
    Thanks Zyxel for giving the customers some tools to mitigate risk and reduce the attack footprint.
    But my customers are asking and I have to turn the question over to you.
    @Zyxel_Stanley, I am writing to you but of course there's nothing personal about that :-)

    1. Has the attack technique been thoroughly analyzed?
    2. Was the way for the attackers to create users on the devices found?
    3. Does this (eventual) way originate from a vulnerability in the software, shared between versions 4.x and 5.x?
    4. Has this (again, eventual) vulnerability been found and patched?
    5. Is there any ETA for delivering a stable and effective patch to customers?
    6. Is there a way to assess whether the firewall has been compromised?
    7. Can configuration backups on the device be considered safe, or should they be assessed as compromised?
    8. Is there a way to assess the security of the device other than a full manual reconfigure?

    I am not an expert in using the GeoIP feature. And as far as I can see, I am not sure whether I can "feed" a host group by nations/continents outside the wizard.

    Is there a part into user manual which cover how to create rules with GeoIP objects and references?
  • kyssling
    kyssling Posts: 91  Ally Member
    Can you please answer whether this patch fixes the security problem OR only (as I read it) implements more and simpler security settings for Zyxel USG ....
  • Asgatlat
    Asgatlat Posts: 70  Ally Member
    kyssling said:
    Can you please answer whether this patch fixes the security problem OR only (as I read it) implements more and simpler security settings for Zyxel USG ....
  • USG_User
    USG_User Posts: 299  Master Member
    Thanks Stanley & Co. for your effort. Appreciated.

    Nice that now finally the SSLVPN login port and the WWW HTTPS admin login port will be separated. But sad that there had to be an attack scenario first to realize this issue.

    We are using the SecuExtender login only and do not need the SSLVPN login window of the USG. Further, admin access is only allowed via the LAN1 subnet. Did you use the chance to add an option to completely switch off the USG login window from the WAN/Internet side? This would further reduce the possible attack "surface".

    At the moment we are still at 4.62 and are not sure when we should update since the problems occur with 4.63.

  • Tomi
    Tomi Posts: 6  Freshman Member
    Hi Guys,

    I found a successful admin login from an unknown IP to our firewall. So it seems that they used the admin account with the normal password. Is anyone else seeing those, and are you using the SecuReporter service?
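    Two of the questions raised in this thread (mMontana's points 6 and 7 on assessing compromise and the trustworthiness of configuration backups, and Tomi's finding of a successful admin login from an unknown IP) come down to the same offline checks: compare the accounts in a configuration export against the accounts you expect, and compare successful web-management logins against the networks management is supposed to come from. The script below is an added example written for this thread, not Zyxel code or anything from the firmware release; both the `username <name> user-type <type>` config line format and the `key=value` login event format are hypothetical, constructed stand-ins, so adapt the two regular expressions to the real export and log format before use.

```python
"""Offline audit of a firewall config export and admin login events.

Added example for this thread. Formats below are constructed stand-ins,
not the real device export or log syntax.
"""
import ipaddress
import re

# Hypothetical config export format: "username <name> user-type <type>".
SAMPLE_CONFIG = """\
username admin user-type admin
username backup-operator user-type limited-admin
username support-tmp user-type admin
username vpnuser1 user-type user
"""

# Accounts the administrator knows should have admin rights.
EXPECTED_ADMINS = {"admin", "backup-operator"}

# Hypothetical login event format: "<timestamp> key=value key=value ...".
# Constructed sample; 203.0.113.7 and 198.51.100.4 are documentation addresses.
SAMPLE_LOG = """\
2021-06-29T08:12:01Z user=admin result=success src=192.168.1.10 service=https
2021-06-29T08:40:44Z user=admin result=failed src=203.0.113.7 service=https
2021-06-29T09:02:15Z user=admin result=success src=203.0.113.7 service=https
2021-06-29T09:05:59Z user=vpnuser1 result=success src=198.51.100.4 service=sslvpn
"""

# Networks from which web management is legitimately used (e.g. LAN1).
MANAGEMENT_NETS = [ipaddress.ip_network("192.168.1.0/24")]

USER_RE = re.compile(r"^username\s+(\S+)\s+user-type\s+(\S+)")
ADMIN_TYPES = {"admin", "limited-admin"}


def unexpected_admin_accounts(config_text, expected):
    """Return admin-capable accounts present in the export but not expected.

    An unexpected entry here means the export (and any backup taken after
    the account appeared) cannot be treated as a clean baseline.
    """
    found = set()
    for line in config_text.splitlines():
        m = USER_RE.match(line.strip())
        if m and m.group(2) in ADMIN_TYPES:
            found.add(m.group(1))
    return sorted(found - set(expected))


def parse_event(line):
    """Split '<timestamp> k=v k=v ...' into a dict; None for unusable lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    fields = {}
    for kv in parts[1:]:
        if "=" not in kv:
            return None
        k, v = kv.split("=", 1)
        fields[k] = v
    fields["time"] = parts[0]
    return fields


def web_admin_logins_outside(log_text, allowed_nets):
    """Return (time, user, src) for successful web-management logins whose
    source address is not inside any allowed management network."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get("service") != "https" or ev.get("result") != "success":
            continue
        try:
            src = ipaddress.ip_address(ev["src"])
        except (KeyError, ValueError):
            continue  # malformed or missing source address
        if not any(src in net for net in allowed_nets):
            hits.append((ev["time"], ev["user"], ev["src"]))
    return hits


if __name__ == "__main__":
    for name in unexpected_admin_accounts(SAMPLE_CONFIG, EXPECTED_ADMINS):
        print("unexpected admin account:", name)
    for time, user, src in web_admin_logins_outside(SAMPLE_LOG, MANAGEMENT_NETS):
        print(f"web admin login from outside management nets: {time} {user} {src}")
```

    Run against the constructed sample, the first check reports `support-tmp` and the second reports the 09:02 login from 203.0.113.7; a failed attempt and an SSL VPN login are deliberately ignored, since the question in the thread is about successful access to the management interface. A clean result from both checks does not by itself prove the device is uncompromised, but a non-empty result from either answers question 7 in the negative for that backup.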
  • OTADMIN
    OTADMIN Posts: 13  Freshman Member
    Is it possible to disable admin login from WAN while you are using 2FA with email verification?
    If I disable HTTPS or block WAN on "Admin service control", my 2FA doesn't work anymore. 

  • Mario
    Mario Posts: 86  Ally Member
     @Zyxel_Stanley is it safe to set the SSL VPN port to 443 and the web interface to another port?
    In this case the SSL VPN users don't need a new address to connect.
  • USG_User
    USG_User Posts: 299  Master Member
    edited June 2021
    @Mario: We have been using a port other than the standard 443 for accessing the company SSLVPN for a long time. No problem. When connecting by SecuExtender, users have to enter your known IP + the new port, e.g. x.x.x.x:20443
