Security Advisory for firewalls published 19 july

mMontana

https://www.zyxel.com/support/Zyxel-security-advisory-authenticated-directory-traversal-vulnerabilities-of-firewalls.shtml

without the damned link to wk28 file.

The way Zyxel is managing this occurrencies keep looking bad, uncomplete and unsatisfying.

USG_User

I often crosscheck the European Zyxel page. This morning only WK25 was still available. But now WK28 is offered, at least for our USG110:

https://support.zyxel.eu/hc/en-us/articles/360005438274-Weekly-Firmware-Support-Version-Lab-Version

mMontana

I already found the firmware lab page.

Which is quite not respectful for the customer (aside a missing full fledged and verified release, due to still on support devices) is that the customer itself have to look for by itself.

Moreover

5.x devices have a full fledged release, with all bells and whistles like the support to auto upgrade, which WK firmwares are not.

This tells me that "support until 31/12" for 4.x device as marketing stunt, or without policy restrains, quite a lie.

USG_User

Yes, I'm with you. These permanent WK lab versions do not create trust in the product, especially if an ordinary release will not offered shortly thereafter. It seems customers should be encouraged to change-over to a newer product (like USG Flex).

Due to the end-of-life of our USG110 we have to decide what's coming next with us. But the decision is not yet taken, since we have to replace 2 devices (another device is always for cold redundancy at our production environment). This costs a lot of money again and is not sustainable to the environment, since our USG has actually still enough performance (for us).

Will see, how we decide.

mMontana

If you can avoid public network exposure for your USG110, IMVHO replacement could be delayed.

USG_User

mMontana said:

If you can avoid public network exposure for your USG110, IMVHO replacement could be delayed.

Unfortunately not. Beside our own internet access, different of our clients are connecting to our servers for different services.

mMontana

Then be proactive. Device should be replaced during the end of december, for avoiding issues (and having a rollback device in case of problems)

Zyxel_Stanley

Hi @mMontana @USG_User

It is because ZLD4.X and ZLD5.X firmware release schedule are different.
ZLD5.X firmware for USG FLEX/ATP series release schedule was planed at Q3, so the vulnerability fix in 5.31C0 firmware directly.
ZLD4.X firmware for USG/ZyWALL series release schedule planed at Q4. So we release a patch firmware USG/ZyWALL series first. We do have formal version(ZLD4.73) in the future. Of course it will full fledged and verified before it is released.

You can download 4.72WK28 firmware from News & Release page too.

mMontana

I don't personally need the links. But if your advisory lacks to link for lab firmwares fails the goal for speedup the upgrade and the protection of your second-choice customers.

I write "second choice" because more over than not access to the same automated upgrade mechanism for ZLD 4.x devices, the customer have to look for the firmware files for allowing a safe (hoping) upgrade.

Please, don't get me wrong: I'm really glad that Zyxel publish updates when vulnerabilities are reported, but this "moral suasion" to buy sooner the newer box feels bad.