ZLD4.64 & 5.01 Firmware release
All Replies
-
Hi @kyssling, @Sconsulting, @Asgatlat
This is the mitigation firmware which we believe that the implemented method will be able to provide the best practice to protect your network.
Hi @OTADMIN
If you're using 2FA as the auth method, the HTTPS service from WAN port can't be disabled since 2FA will implement it for the authentication. Thanks for your feedback, this improvement is now under discussion and we had put it in our plan. However, it is still suggested to upgrade 4.64 (or 5.01) with GeoIP implementation which can limit the authorized people from the specified regions. In addition, it will be a good general practice in security if the passwords can be changed periodically as well1 -
@USG_User thanks for the feedback. I know this is possible, but all users need to change this.During homeoffice, this generates a lot of trouble till all user connect to the new port. And somtimes other prots then 80/443 are blocked. Cause Zyxel suggest only to seperate HTTPS and SSL VPN, but don't make a recomendation about the ports.0
-
Guide if it doesn't already should include changing of admin account passwords. We are seeing devices with new user objects (random names none of the test accounts) and then the same IP using the default admin account.0
-
Zyxel_Vic said:.......If you're using 2FA as the auth method, the HTTPS service from WAN port can't be disabled since 2FA will implement it for the authentication. Thanks for your feedback, this improvement is now under discussion and we had put it in our plan. ....
.......
0 -
mMontana said:Thanks Zyxel for giving the customers some tools for mitigate risk and reduce footprint of attack.But my customers are asking and i have to turn the question to you.@Zyxel_Stanley, i am writing to you but of course there's nothing personal about that :-)
- Has the attack tecnique been thoroughly analyzed?
- Was found the way for the attackers to create users on the devices?
- Is this (eventual) way being originated from a vulnerability of the software, shared among versions 4.x and 5.x?
- Has this (again, eventual) vulnerability been found and patched?
- Is there any eventual ETA for deliver to customers stable and effective patch?
- Is there a way to assess if the firewall has been compromised?
- Can configuration backups on the device be considered safe or assessed as compromised?
- Is there a way to assess the security the device different than a full-manual reconfigure?
I am not expert of using GeoIP feature. And as far as i can see, I not usire if I can"feed" a host group by nations/contintents outside the wizard.Is there a part into user manual which cover how to create rules with GeoIP objects and references?I did not forgot my questions. I am aware that might take some time to have answers.Still a Security Advisory not released. But I won't stop reminding that it will be due to customers, when all the pieces will be put together.0 - Has the attack tecnique been thoroughly analyzed?
-
EricNepean2 said:Zyxel_Vic said:.......If you're using 2FA as the auth method, the HTTPS service from WAN port can't be disabled since 2FA will implement it for the authentication. Thanks for your feedback, this improvement is now under discussion and we had put it in our plan. ....
.......0 -
I'm still waiting Zyxel like a Romeo waits his Juliet... My Wishing Well contains a wish for a patched (not mitigated) firmware...0
-
According to Zyxel support:
"The firmware you downloaded currently offers license-free GeoIP feature to mitigate the damage as much as possible. However patch that would fix this vulnerability is expected to arrive during next week."
So, stay strong till next week!0 -
EricNepean2 said:Zyxel_Vic said:.......If you're using 2FA as the auth method, the HTTPS service from WAN port can't be disabled since 2FA will implement it for the authentication. Thanks for your feedback, this improvement is now under discussion and we had put it in our plan. ....
.......0 -
I'm not pleased for not see any status update of the (eventual) vulnerability and the (eventual) firmware upgrade for solving "once for all" the issue encountered about security incident.GeoIP and HTTPS port split among admin interface and SSL VPN are a really useful tools, but they are not the solution, only mitigation.My users are asking updates, about how and when their devices well become safer.0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 147 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight