firmware automatically upgraded even if auto update is disabled
stefano_tonazzi
Posts: 4
Hi,
yesterday we found the firmware on two of our USG60 FW updated to version V4.72(AAKY.0) / 2022-04-28 23:20:15, even though the auto update feature is not enabled.
This led to a misconfiguration of our VPN setup (the port of the Authorize Link URL Address was modified).
Does anyone have an explanation for this?
Regards
Stefano
All Replies
-
Can you verify when the firmware was updated? A hint could come from the config files, which are updated after the firmware image is deployed into the standby partition.
This information could help to identify if someone may have updated it manually.
-
Yes, we have checked that, and we are able to verify that it was modified 6 days ago. But we are 100% sure that nobody did it manually. We found out just now that even a third USG was updated.
-
Worth asking...
According to Zyxel, 4.72 was a security release, to address a CVE vulnerability (more on that).
https://community.zyxel.com/en/discussion/13501/zyxel-security-advisory-for-multiple-vulnerabilities-of-firewalls-ap-controllers-and-aps
This is my setting for not-auto-upgrade firmware on USG40; AFAIK it should be the same for your USG60W.
Do your USG60W devices have auto-reboot enabled? 6 days seems shorter than a week...
Question goes to Zyxel representatives: is there any policy for enforcing updates on non-Nebula-enabled devices?
-
Hi and thanks for your responses. This is the firmware update configuration from one of the USG60.
As you can see both Auto Update and Auto Reboot are unchecked, so I would assume that only manual upgrades are possible.
Despite that, we found 3 of 4 devices updated, and I am 100% sure nobody did it manually (one by mistake could happen, but 3 of 4?)
-
stefano_tonazzi said:
Despite that, we found 3 of 4 devices updated, and I am 100% sure nobody did it manually (one by mistake could happen, but 3 of 4?)
One manager went ballistic, the other one thanked me, explaining why some tasks were scheduled, even with security updates recently released, and telling me to wait until the task was assigned to me.
I cannot tell if you might have someone like the older me, eager to avoid security breaches. Maybe there is, maybe not, but worth asking.
Still hoping that during the Italian evening/night some representative could share the status. Recently QNAP pushed a firmware upgrade for a vulnerability. Hope Zyxel didn't do the same thing.
-
Hi @stefano_tonazzi,
Just in case, please check if there is any abnormal admin account created on those devices.
-
Hi, no. There are no abnormal admin accounts created on the devices.