Jason
See how you've made an impact in Zyxel Community this
year!
https://bit.ly/Your2024Moments_Community
GS1920-24 - Encrypt switch-password in config backup file
Eric_
Posts: 24 Freshman Member
The configuration-backupfile of a GS1920-24 with 4.50 (AAOB.2) installed, contains the switch-password in clear text. Please encrypt the password.
0
Comments
-
Hi @Eric_,
Regarding this case, the design for the password is a clear text due to GS1920 series doesn't have a restore configuration button on the panel.
Just in case a user forgotten the password, the user still could check the backup configuration file for the password.
If the password is encrypted the only way to access the switch again is to send the device to the reseller and progress RMA process.
But for the new generation of GS1920 v2 series, we will enhance the password to be encrypted.
Because we already added a "Restore" button on the panel to restore the configuration back to default.
Thanks for supporting Zyxel!
Zyxel_Jonas
https://us.v-cdn.net/6029482/uploads/78HOOSV0BUBI/240828-nebula-27s-intentcommunity-homepage-1920-x-400.jpgDon't miss this great chance to upgrade your Nebula org. for free! https://bit.ly/4g2pS9L
0 -
Hi @Zyxel_Jonas
as the password is still in cleartext within the backup file, I am wondering when this will be fixed?
Problem is on GS1920-24Pv2 running the latest firmware.
Thanks.
0 -
Hi @alehzn
We've already put resource for it.
It's certain to have this enhancement in future release.
The schedule is now open, we will keep update.
Zyxel_Lucious
0 -
Any news on that?In that time we are living now plain passwords in backup files really should be avoided.0
-
Hi @FrankLauer,
The feature is in our road map and the release schedule is around the end of March this year.
Please stay tune with our News on Community.
Please note that there will have a new option for the user to choose encrypting the password or not, so remember to enable it and save after the Switch upgrade to the next new firmware.
0 -
Release V4.50(AAOC.3) | 05/20/2020, still contains clear-text passwords..
0 -
Hi @Nykaer,
Since the firmware version you mentioned is for GS1920v1 which is already EOL.
Therefore, as we mentioned above, this new enhancement will be applied to V4.70 patch 2 firmware for GS1920v2 series.
Thanks.
Jason
See how you've made an impact in Zyxel Community this year!
https://bit.ly/Your2024Moments_Community0 -
Hi @Zyxel_Jason
I consider this very much a security-issue related to the software. The hardware is irrelevant, as this is something that apparently always has been broken. Doing a fork-lift upgrade of, in our case, of 30-40 switches, just isn't an option. But needless to say. When the upgrade is ordered, things like always reflect back onto Zyxel - and things like these are difficult to explain to the customer.0 -
Hi @Nykaer,We fully-acknowledged that user credentials should be treated in a more secured fashion and the clear-text design in GS1920v1 do imposes some security concern. To better protect customer network, we also recommend that “Remote Management” can be setup to let network admin control only the approved IP address can be allowed to access the Switch. This would create additional layer of protection for the Switch.As to the support of password encryption on the GS1920v1, it might on the other hand creates additional support effort. As the Switch does not have recovery mechanism when password is lost, the only route is to send it back to RMA process which may result days of operation lost. Knowing this, we have further improved our Switch design in GS1920v2 series with additional “restore” button to recover the cases if an encrypted password is lost.Zyxel continues to refine our products with the intention to grow with our customer. We apologize for the inconveniences on the GS1920v1 series and hope that by setting up additional “Remote Management", it would help strengthen the network security in such cases.Thanks.Jason
See how you've made an impact in Zyxel Community this year!
https://bit.ly/Your2024Moments_Community0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 146 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight