firmware automatically upgraded even if auto update is disabled

stefano_tonazzi
stefano_tonazzi Posts: 4
edited June 2022 in Security
Hi,
yesterday we have found the firmware on two of our usg60 FW updated to  version V4.72(AAKY.0) / 2022-04-28 23:20:15, even if auto update feature is not enabled.
This lead to a misconfiguration of our vpn setup ( the port of the
Authorize Link URL Address was modified ).
Does anyone have an explanation for this?

Regards
Stefano


All Replies

  • mMontana
    mMontana Posts: 1,298  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Can you verify when the firmware was updated? A hint could come from the config files, which are updated after the firmware image is deployed into standby partition.

    This information could lead to identify if someone may have updated it manually.
  • Yes, we have checked that, and we are able to verify that it was modified 6 days ago.
    But we are 100% sure that nobody did it manually.
    We found out just now that even a third USG was updated.
  • mMontana
    mMontana Posts: 1,298  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Worth asking...
    According to Zyxel, 4.72 was a security release, for address a CVE vulnerability (more of that).
    https://community.zyxel.com/en/discussion/13501/zyxel-security-advisory-for-multiple-vulnerabilities-of-firewalls-ap-controllers-and-aps
    This is my setting for not-auto-upgrade firmware on USG40, AFAIK should be the same for your USG60W.

    Your USG60W set of devices have auto-reboot enabled? 6 days seems shorter than a week...

    Question goes to Zyxel representatives: is there any policy for enforcing updates on devices from no-Nebula enabled devices?


  • Hi and thanks for your responses. This is the firmware update configuration from one of the USG60.
    As you can see both Auto Update and Auto Reboot are unchecked, so  I would assume that only manual upgrades are possible.
    Despite that, we found 3 of 4 devices updated, and i am 100% sure nobody did it manually ( one by mistake could happen, but 3 of 4 ? )

  • mMontana
    mMontana Posts: 1,298  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited June 2022
    Despite that, we found 3 of 4 devices updated, and i am 100% sure nobody did it manually (one by mistake could happen, but 3 of 4?)
    I was the one that forced earlier updates into an infrastructure. After few "unexpected/untasked/unscheduled" upgrade some digging started, and I've been quite honest saying "hey, I did it".
    One manager went ballistic, the other one thanked me and explaining why some tasks were scheduled, even with security updates recently released, telling me to wait until task was assigned to me.
    I cannot tell that if you might have someone like the older me, eager to avoid security breaches. Maybe there's, maybe not, but worth asking.

    Still hoping that into italian evening/night some representative could share the status. Recently QNAP pushed a firmware upgrade for a vulnerability. Hope Zyxel didn't do the same thing.

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,426  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    edited June 2022
    Hi @stefano_tonazzi,
    Just in case, please check if there is any abnormal admin account created on those devices? 
  • Hi,
    no. There are no abnormal admin account created on the devices.


Security Highlight