Security breach incident FAQ
Q1. Which models and firmware versions are affected by this security breach incident?
Based on our investigation so far, a small subset of Zyxel security appliances is targeted. Currently we have not observed any direct correlation with specific firmware versions. The most effective way to tell is to check whether any unknown SSL VPN user account, such as "zyxel_sllvpn", "zyxel_ts" or "zyxel_vpn_test", has been created. If not, your device is not affected; please still follow the mitigations below as a precaution.
Q2. What are the symptoms?
The compromised device will have new accounts added to your gateway's user configuration and policy/firewall rules added to allow undesired traffic into your network.
Make sure that all user accounts in the configuration are recognized and legitimate. If there are unknown user accounts, immediately remove them and any related rules.
- Unknown admin accounts created (always), e.g. manage, zyxel_sllvpn, sslvpn_index, zyxel_ts, etc. Check CONFIGURATION > Object > User/Group > User.
- Admin password is different from before.
- Policy route / firewall rule creation (sometimes), with the wording "loseang" or "loosing" in the description. Check CONFIGURATION > Network > Routing > Policy Route and CONFIGURATION > Security Policy > Policy Control > Policy.
- Other configuration changes, e.g. the PSK of a VPN tunnel (rare). Check CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Pre-Shared Key.
Q3. What should I do to mitigate the risk?
Based on our investigation so far, HTTPS is the primary attack vector. We suggest reviewing the firewall configuration, changing the HTTPS port setting and changing the admin password. Please follow the mitigations below as a precaution.
To assist with secure configuration, we have released a new update that helps apply the mitigation settings; you can complete the procedure by following the wizard. Details of this release are here:
https://community.zyxel.com/en/discussion/11061/zld4-65-5-02-firmware-release#latest
Q4. What is included in the latest firmware releases, 4.65 and 5.02?
The firmware was released on July 6th.
Details of this release:
https://community.zyxel.com/en/discussion/11061/zld4-65-5-02-firmware-release#latest
· CVE-2021-35029: vulnerability fix for the web-based management interface of the Zyxel USG/ZyWALL, USG FLEX, ATP and VPN series
· Two-factor authentication enhancement: supports a configurable 2FA service port
· Security check enhancement: disables the HTTP port automatically while allowing WAN management in the security check wizard
· Password change reminder: reminds privileged accounts to change their passwords for security
· Log enhancement: raises admin-type user change logs to alert level
For newly installed devices, this firmware guides you through the best-practice settings from the beginning.
Here is the link to our What's New information:
http://secure.campaigner.com/csb/Public/show/d9wg-2evy1r--v7ugq-abpnmxh9
Q5. What shall I do if my device has been compromised?
The compromised device will have new accounts added to your gateway's user configuration and policy/firewall rules added to allow undesired traffic into your network. Here are the items to check. If there are unknown user accounts or rules, immediately remove them and any related rules.
· Change all admin passwords.
· Compare the user accounts against the default user list and delete any unknown accounts.
· Remove any unknown firewall rules. By default, the any-to-any rule is "deny". If you find unknown rules, select the rule and click the "Remove" button.
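The account and rule checks described in Q2 and Q5 (and repeated in step 2 of Q8) can be run against an export of the user list and the rule tables rather than by eye. The script below is an added example written for this FAQ, not Zyxel's tooling or part of the original post; its two-column "name,value" input format, the expected-account baseline and the sample data are constructed, so adapt parse_pairs to whatever the device actually exports from CONFIGURATION > Object > User/Group and the Policy Route / Policy Control tables.

```python
"""Audit a gateway's user accounts and rule descriptions for the indicators of
compromise listed in Q2 and Q5 of this FAQ.

Example code written for this FAQ, not Zyxel's own tooling. The two-column
"name,value" input format, the expected account list and the sample data are
CONSTRUCTED; export the real user list and rule tables from the device and
adapt parse_pairs() to that format.
"""
import re

# Account names the FAQ says the intruder creates.
INCIDENT_ACCOUNTS = {"zyxel_sllvpn", "zyxel_ts", "zyxel_vpn_test", "manage", "sslvpn_index"}

# Baseline of accounts that should exist. "admin" is the built-in administrator;
# the other entries are CONSTRUCTED placeholders for a site's own legitimate users.
EXPECTED_ACCOUNTS = {"admin", "vpn_alice", "vpn_bob"}

# Description wording the FAQ associates with intruder-created policy routes / firewall rules.
SUSPICIOUS_DESCRIPTION = re.compile(r"loseang|loosing", re.IGNORECASE)


def parse_pairs(text):
    """Parse 'name,value' lines (constructed export format) into (name, value) tuples,
    skipping blank lines and '#' comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(",")
        rows.append((name.strip(), value.strip()))
    return rows


def audit_accounts(accounts, expected=EXPECTED_ACCOUNTS):
    """Return (name, reason) for every account that should be removed or reviewed.
    Names from the incident FAQ are reported as removals; anything else outside the
    baseline is reported for verification with its owner."""
    findings = []
    for name, user_type in accounts:
        if name in INCIDENT_ACCOUNTS:
            findings.append((name, "account name listed in the incident FAQ: remove it"))
        elif name not in expected:
            findings.append((name, f"not in the expected account list (user-type {user_type}): verify"))
    return findings


def audit_rules(rules):
    """Return (rule_name, description) for rules whose description matches the FAQ wording."""
    return [(name, desc) for name, desc in rules if SUSPICIOUS_DESCRIPTION.search(desc)]


# CONSTRUCTED sample export: a clean baseline plus the artefacts the FAQ describes.
SAMPLE_USERS = """\
# name,user-type
admin,admin
vpn_alice,user
zyxel_sllvpn,admin
zyxel_ts,admin
svc_backup,limited-admin
"""

SAMPLE_RULES = """\
# name,description
WAN_to_Device,default management rule
PR_1,loseang
Remote_Office,remote office tunnel
"""


def run_audit(users_text=SAMPLE_USERS, rules_text=SAMPLE_RULES):
    """Audit both exports; returns (account_findings, rule_findings)."""
    return audit_accounts(parse_pairs(users_text)), audit_rules(parse_pairs(rules_text))


if __name__ == "__main__":
    account_findings, rule_findings = run_audit()
    for name, reason in account_findings:
        print(f"ACCOUNT  {name:<16} {reason}")
    for name, desc in rule_findings:
        print(f"RULE     {name:<16} description: {desc!r}")
```

On the constructed sample the script reports zyxel_sllvpn and zyxel_ts for removal, flags svc_backup as an unlisted admin-type account to verify, and flags policy route PR_1 for its "loseang" description; a genuine local account that is missing from EXPECTED_ACCOUNTS shows up the same way, which is the point of keeping that baseline current.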
After finishing the configuration check, we strongly recommend reviewing the firewall configuration, changing the HTTPS port setting and changing the admin password. Please follow the mitigations below as a precaution.
To assist with secure configuration, we have released a new update that helps apply the mitigation settings; you can complete the procedure by following the wizard. Details of this release are here:
https://community.zyxel.com/en/discussion/11061/zld4-65-5-02-firmware-release#latest
Q6. If I implement the 2FA function for VPN access, can I deny the HTTPS web management service (port 443) on the WAN interface?
Yes. After upgrading to 5.02/4.65, users can separate the 2FA portal page from the device service page by using different ports.
Q7. Does this patch fix the security problem, or does it only implement more and simpler security settings for Zyxel USG?
Zyxel has released standard firmware v4.65/5.02, which remains the definitive solution to the issues for the affected models. The patches also include additional security enhancements based on users' feedback and security researchers' advice, which we strongly recommend users install immediately for optimal network protection.
Q8. Am I safe after upgrading the firmware to the latest release (4.65/5.02)? What extra steps shall I take to protect my device?
Since the compromised device will have new accounts added and its configuration modified to allow undesired traffic into your network, make sure that all user accounts in the configuration are recognized and legitimate.
1. We recommend changing the password on all of your admin-type accounts for better protection.
2. Make sure that all user accounts in the configuration are recognized and legitimate. If there are unknown user accounts (e.g. zyxel_sllvpn, zyxel_ts, zyxel_vpn_test, manage), immediately remove them and any related rules. (Configuration > Object > User/Group)
3. Change the SSL VPN and HTTPS service ports, and add firewall rules to restrict access.
Scenario #1
If you allow traffic from the Internet to your device via the WebGUI and the SSL VPN tunnel, follow these steps to protect your device.
a. Add IP address object(s) for trusted addresses or trusted countries.
(Configuration > Object > Address/GeoIP)
b. Allow the trusted IP addresses and deny all other traffic from the Internet.
(Configuration > Security Policy > Policy Control)
#1. Allow the trusted IP addresses to access the WebGUI/SSL service ports from the WAN side.
#2. Deny all other IP addresses that you do not trust from accessing your WebGUI.
c. Change the HTTPS connection port from the default 443 to another port (one that does not conflict with other services) and make sure that this port is added to policy control rule #1.
(Configuration > System > WWW)
Change the HTTPS connection port, e.g. to 17443.
After changing the HTTPS service port, you must reconnect to your device using the new port. If you want to use the SSL VPN tunnel to access your device, make sure that the public IP address of your PC is in your trusted IP list. When connecting to your device, make sure to enter the correct port in SecuExtender.
Scenario #2
If no WebGUI/SSL VPN tunnel access is required, move the default rule (WAN_to_Device) to the first position and keep the last rule as "deny".
(The allowed services are for IPSec VPN/VRRP/GRE.)
Make sure there is no HTTP/HTTPS WebGUI service port in the service group.
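As an added example (not Zyxel's code and not part of the original post), the following Python models the WAN-to-Device policy tables of Scenario #1 and Scenario #2 as a top-down, first-match rule list and checks a rule set for the two outcomes the steps above are meant to produce or avoid: a management port that stays reachable from untrusted Internet addresses, and the lock-out that results when the HTTPS port is moved to 17443 (the FAQ's own example value) but rule #1 still lists only 443. The trusted range 203.0.113.0/24, the probe addresses and the rule names are constructed; the implicit default deny is the behaviour Q5 describes.

```python
"""Model the WAN-to-Device policy control rules of Q8 Scenario #1 and #2 and check
a rule set for the two failure modes the FAQ cautions about.

Example code written for this FAQ, not Zyxel's own tooling. Rule names, the
trusted range 203.0.113.0/24 and the probe addresses are CONSTRUCTED; 17443 is
the example port the FAQ itself uses. Policy tables are matched top-down, first
match wins, and anything unmatched falls to the default deny (Q5).
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    action: str        # "allow" or "deny"
    sources: list      # ipaddress networks the rule applies to; empty list = any source
    services: set      # set of (protocol, port) tuples; port None for GRE/VRRP/ESP; empty = any


def evaluate(rules, src_ip, proto, port=None):
    """Return (action, rule_name) for the first rule matching the probe packet."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.sources and not any(ip in net for net in rule.sources):
            continue
        if rule.services and (proto, port) not in rule.services:
            continue
        return rule.action, rule.name
    return "deny", "implicit default"


def exposure_check(rules, mgmt_services, trusted_probe, untrusted_probe):
    """Flag management services reachable from an untrusted address and, when a
    trusted probe is given, management services a trusted address can no longer
    reach (the HTTPS port was moved but rule #1 still lists the old port)."""
    problems = []
    for proto, port in sorted(mgmt_services):
        action, name = evaluate(rules, untrusted_probe, proto, port)
        if action == "allow":
            problems.append(f"{proto}/{port}: reachable from untrusted {untrusted_probe} via '{name}'")
        if trusted_probe is not None:
            action, name = evaluate(rules, trusted_probe, proto, port)
            if action != "allow":
                problems.append(f"{proto}/{port}: trusted {trusted_probe} blocked by '{name}' (lock-out risk)")
    return problems


TRUSTED = [ipaddress.ip_network("203.0.113.0/24")]   # CONSTRUCTED trusted admin range
UNTRUSTED_PROBE = "198.51.100.7"                      # CONSTRUCTED arbitrary Internet host
TRUSTED_PROBE = "203.0.113.10"                        # CONSTRUCTED host inside the trusted range

# Starting point: WebGUI on 443 open to the whole Internet.
DEFAULT_OPEN = [Rule("WAN_to_Device", "allow", [], {("tcp", 443)})]

# Scenario #1 done half-way: HTTPS moved to 17443 but rule #1 still only allows 443.
SCENARIO1_STALE = [
    Rule("Allow_Trusted_Mgmt", "allow", TRUSTED, {("tcp", 443)}),
    Rule("Deny_WAN_Mgmt", "deny", [], set()),
]

# Scenario #1 completed: rule #1 allows the trusted range to the new port, rule #2 denies the rest.
SCENARIO1_FIXED = [
    Rule("Allow_Trusted_Mgmt", "allow", TRUSTED, {("tcp", 17443)}),
    Rule("Deny_WAN_Mgmt", "deny", [], set()),
]

# Scenario #2: no WebGUI/SSL VPN from WAN; only IPSec VPN, VRRP and GRE reach the device.
SCENARIO2 = [
    Rule("WAN_to_Device", "allow", [],
         {("udp", 500), ("udp", 4500), ("esp", None), ("gre", None), ("vrrp", None)}),
]


if __name__ == "__main__":
    cases = [
        ("default open", DEFAULT_OPEN, {("tcp", 443)}, TRUSTED_PROBE),
        ("scenario 1 stale", SCENARIO1_STALE, {("tcp", 17443)}, TRUSTED_PROBE),
        ("scenario 1 fixed", SCENARIO1_FIXED, {("tcp", 17443)}, TRUSTED_PROBE),
        ("scenario 2", SCENARIO2, {("tcp", 443), ("tcp", 17443)}, None),
    ]
    for label, rules, mgmt, trusted in cases:
        problems = exposure_check(rules, mgmt, trusted, UNTRUSTED_PROBE)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

Running the script prints one line per rule set. The "stale" set is the condition to look for after step c: a trusted probe denied on the new port means rule #1 was not updated, which is exactly why the FAQ says to add the new port to rule #1 before reconnecting. Scenario #2 passes because only the IPSec/VRRP/GRE services are matched and TCP 443/17443 fall through to the default deny.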
Comments
Thank you for the summary of the current situation. Unfortunately, we still have no information about the origin of the problem. In my opinion, a brute-force attack on the accounts is very unlikely, as the firewalls have a default lockout policy.
Therefore, an exploit / auth. bypass is probably more likely. In this case, however, GeoIP and HTTP port changes would not be a sustainable solution but only a workaround.
As far as I can see from the logs, they came in with a normal admin password. So it seems that they have captured passwords somewhere... My guess is Cloud CNM SecuReporter....
Denying WAN to Zywall with source = All should stop any of the attacks, right? No need to really change any ports? And only allowing trusted source IPs to Zywall should be good enough?
Hi @BobHere
It is OK to block all traffic from WAN to Zywall and only allow trusted source IPs, because the source IP address can be recognized. But it would be better to only allow the ports in use.
Joslyn