GS1920-24 - Encrypt switch-password in config backup file

Eric_
Eric_ Posts: 24
First Comment Friend Collector Fourth Anniversary
 Freshman Member
edited August 26 in Switch Ideas
The configuration-backupfile of a GS1920-24 with 4.50 (AAOB.2) installed, contains the switch-password in clear text. Please encrypt the password.

0
0 votes

Completed · Last Updated

Implement on 4.70 patch 2 firmware

Comments

  • JonasTan
    JonasTan Posts: 65
    5 Answers First Comment Friend Collector Fourth Anniversary
     Zyxel Employee
    Hi @Eric_,

    Regarding this case, the design for the password is a clear text due to GS1920 series doesn't have a restore configuration button on the panel.
    Just in case a user forgotten the password, the user still could check the backup configuration file for the password.
    If the password is encrypted the only way to access the switch again is to send the device to the reseller and progress RMA process.

    But for the new generation of GS1920 v2 series, we will enhance the password to be encrypted.
    Because we already added a "Restore" button on the panel to restore the configuration back to default.

    Thanks for supporting Zyxel!
    Jonas
  • alehzn
    alehzn Posts: 36
    First Comment Friend Collector Fourth Anniversary
     Freshman Member

    Hi @Zyxel_Jonas

    as the password is still in cleartext within the backup file, I am wondering when this will be fixed?

    Problem is on GS1920-24Pv2 running the latest firmware.

    Thanks.

  • Zyxel小編 Lucious
    Zyxel小編 Lucious Posts: 279
    25 Answers First Comment Friend Collector Third Anniversary
     Zyxel Employee

    Hi @alehzn


    We've already put resource for it.

    It's certain to have this enhancement in future release.

    The schedule is now open, we will keep update.


    Zyxel_Lucious

  • FrankLauer
    FrankLauer Posts: 39
    First Answer First Comment Friend Collector Second Anniversary
     Freshman Member
    Any news on that?

    In that time we are living now plain passwords in backup files really should be avoided.
  • Zyxel_Jason
    Zyxel_Jason Posts: 374
    25 Answers First Comment Friend Collector Fourth Anniversary
     Master Member
    Hi @FrankLauer,

    The feature is in our road map and the release schedule is around the end of March this year.
    Please stay tune with our News on Community.  B)

    Please note that there will have a new option for the user to choose encrypting the password or not, so remember to enable it and save after the Switch upgrade to the next new firmware.

    Jason
  • Nykaer
    Nykaer Posts: 2
    Friend Collector
    Release V4.50(AAOC.3) | 05/20/2020, still contains clear-text passwords..  
  • Zyxel_Jason
    Zyxel_Jason Posts: 374
    25 Answers First Comment Friend Collector Fourth Anniversary
     Master Member
    edited April 2021
    Hi @Nykaer,

    Since the firmware version you mentioned is for GS1920v1 which is already EOL.
    Therefore, as we mentioned above, this new enhancement will be applied to V4.70 patch 2 firmware for GS1920v2 series.

    Thanks.
    Jason
  • Nykaer
    Nykaer Posts: 2
    Friend Collector
    Hi @Zyxel_Jason

    I consider this very much a security-issue related to the software.   The hardware is irrelevant, as this is something that apparently always has been broken.  Doing a fork-lift upgrade of, in our case, of 30-40 switches, just isn't an option.   But needless to say.  When the upgrade is ordered, things like always reflect back onto Zyxel - and things like these are difficult to explain to the customer.
  • Zyxel_Jason
    Zyxel_Jason Posts: 374
    25 Answers First Comment Friend Collector Fourth Anniversary
     Master Member
    Hi @Nykaer,

    We fully-acknowledged that user credentials should be treated in a more secured fashion and the clear-text design in GS1920v1 do imposes some security concern. To better protect customer network, we also recommend that “Remote Management” can be setup to let network admin control only the approved IP address can be allowed to access the Switch. This would create additional layer of protection for the Switch.

    As to the support of password encryption on the GS1920v1, it might on the other hand creates additional support effort. As the Switch does not have recovery mechanism when password is lost,  the only route is to send it back to RMA process which may result days of operation lost. Knowing this, we have further improved our Switch design in GS1920v2 series with additional “restore” button to recover the cases if an encrypted password is lost. 

    Zyxel continues to refine our products with the intention to grow with our customer. We apologize for the inconveniences on the GS1920v1 series and hope that by setting up additional “Remote Management", it would help strengthen the network security in such cases.

    Thanks.
    Jason