GS1920-24 - Encrypt switch-password in config backup file

Eric_

The configuration-backupfile of a GS1920-24 with 4.50 (AAOB.2) installed, contains the switch-password in clear text. Please encrypt the password.

Zyxel_JonasTan

Hi @Eric_,

Regarding this case, the design for the password is a clear text due to GS1920 series doesn't have a restore configuration button on the panel.
Just in case a user forgotten the password, the user still could check the backup configuration file for the password.
If the password is encrypted the only way to access the switch again is to send the device to the reseller and progress RMA process.

But for the new generation of GS1920 v2 series, we will enhance the password to be encrypted.
Because we already added a "Restore" button on the panel to restore the configuration back to default.

Thanks for supporting Zyxel!

alehzn

Hi @Zyxel_Jonas

as the password is still in cleartext within the backup file, I am wondering when this will be fixed?

Problem is on GS1920-24Pv2 running the latest firmware.

Thanks.

Zyxel小編 Lucious

Hi @alehzn

We've already put resource for it.

It's certain to have this enhancement in future release.

The schedule is now open, we will keep update.

Zyxel_Lucious

FrankLauer

Any news on that?

In that time we are living now plain passwords in backup files really should be avoided.

Zyxel_Jason

Hi @FrankLauer,

The feature is in our road map and the release schedule is around the end of March this year.
Please stay tune with our News on Community. 

Please note that there will have a new option for the user to choose encrypting the password or not, so remember to enable it and save after the Switch upgrade to the next new firmware.

Nykaer

Release V4.50(AAOC.3) | 05/20/2020, still contains clear-text passwords..  

Zyxel_Jason

Hi @Nykaer,

Since the firmware version you mentioned is for GS1920v1 which is already EOL.
Therefore, as we mentioned above, this new enhancement will be applied to V4.70 patch 2 firmware for GS1920v2 series.

Thanks.

Nykaer

Hi @Zyxel_Jason

I consider this very much a security-issue related to the software.   The hardware is irrelevant, as this is something that apparently always has been broken.  Doing a fork-lift upgrade of, in our case, of 30-40 switches, just isn't an option.   But needless to say.  When the upgrade is ordered, things like always reflect back onto Zyxel - and things like these are difficult to explain to the customer.

Zyxel_Jason

Hi @Nykaer,

We fully-acknowledged that user credentials should be treated in a more secured fashion and the clear-text design in GS1920v1 do imposes some security concern. To better protect customer network, we also recommend that “Remote Management” can be setup to let network admin control only the approved IP address can be allowed to access the Switch. This would create additional layer of protection for the Switch.

As to the support of password encryption on the GS1920v1, it might on the other hand creates additional support effort. As the Switch does not have recovery mechanism when password is lost,  the only route is to send it back to RMA process which may result days of operation lost. Knowing this, we have further improved our Switch design in GS1920v2 series with additional “restore” button to recover the cases if an encrypted password is lost. 

Zyxel continues to refine our products with the intention to grow with our customer. We apologize for the inconveniences on the GS1920v1 series and hope that by setting up additional “Remote Management", it would help strengthen the network security in such cases.

Thanks.