Hacked VPN100

All Replies

  • mMontana
    mMontana Posts: 1,380  Guru Member

    @WebWorks thanks for sharing.

    AFAIK VPNxxx devices have a more updated firmware version, which should be 5.37 Patch 2 WK31, latest lab firmware.
    I'm not aware whether this weekly firmware could help the other devices or not.

    I'd ask Zyxel to consider a checkup on ZLD 4.x firmwares, if possible.

  • TGriff
    TGriff Posts: 2  Freshman Member

    This appears to be a global thing then. The devices I have that were compromised are located in the Southern USA, with the same user name and policy name that was shared by WebWorks.

    I will have to do an inspection of our other Zyxel devices that were on the most recent firmware, V5.39. But so far the 2 compromised devices I have (Flex 500 and ATP200) were on V5.38.

    @WebWorks there are MANY botnets that just crawl the internet gathering information. A quick query on Shodan instantly gives ~30,000 Zyxel USG FLEX devices around the world. I don't believe Shodan shows the firmware version, but there are typically ways to find that information out without having access to the device.

  • mMontana
    mMontana Posts: 1,380  Guru Member

    For anyone willing to share: did the compromised installation have a public IP address on the WAN interface, or was it a NATed address?

  • WebWorks
    WebWorks Posts: 15  Freshman Member

    All these devices have a public IP, a DNS name like xxxxx.customer.com and a changed HTTPS port, but access was open (now closed).

    I had these problems with a VPN 100, firmware V5.37(ABFV.2).
    Other users mentioned problems with other devices on firmware V5.38.
    I checked other devices, Flex 200 and 500 on firmware V5.39; there were no problems.

    So I guess this bug seems to be fixed in V5.39, but for the old VPN100 there is no update provided …

  • jonatan
    jonatan Posts: 184  Master Member
    edited September 26

    @WebWorks

    The life cycle of the VPN series was completed back in September 2023. There may be uncorrected vulnerabilities in it. The solution is to switch to the current series of gateways; I think this will be the answer. They can't support them "forever." Perhaps they will take pity and release a fix, or maybe not.

    Yes, Flex H does not support L2TP, as it is an outdated solution. Move to IKEv2 or OpenVPN. VoIP ALG is promised in 2025...

    Zyxel is not suitable for performance and capabilities, switch to Mikrotik.😉

  • mMontana
    mMontana Posts: 1,380  Guru Member

    I'm sorry, @Zyxel_Melen …

    How has this thread been declared "Q&A Solved"? What should "Q&A Solved" mean?

    Currently there's no answer from the OP about the cause, or a statement from Zyxel about what could cause this kind of issue, and whether any of the firmware releases/products could be impacted by this kind of issue (allegedly).

    Please, kindly remove the tag.

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,291  Zyxel Employee
    edited September 27

    Hi All,

    We assume this issue is similar to CVE-2024-42057. This CVE is fixed in ZLD 5.39. Please reference the link below for more information:

    https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-09-03-2024

    For USG FLEX/ATP users, please upgrade your firewall to firmware version V5.39 asap.

    For VPN users, since the VPN series has been EOL, we recommend you consider migrating your firewall to the USG FLEX / USG FLEX H series.
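    The reply above gives two triage criteria for an estate of Zyxel firewalls (firmware below ZLD 5.39, and the end-of-life VPN series), and earlier posts in the thread describe the compromise being recognised by an unexpected user and policy name. The script below is an added example, not Zyxel's own tooling or anything from the advisory: it parses the ZLD version strings quoted in this thread (such as `V5.37(ABFV.2)`), flags each device against those criteria, and lists admin accounts that are not on an operator-maintained allowlist. The inventory format, the site labels, the `svc-unknown` account and the EOL family table are constructed for the demo.

```python
import re

# ZLD 5.39 is the release named in Zyxel's reply as carrying the fix for
# CVE-2024-42057; any firewall reporting a lower version gets flagged.
FIX_VERSION = (5, 39)

# Product families the vendor has declared end-of-life (the VPN series, per the
# reply above). Hypothetical operator-maintained table, not a Zyxel API.
EOL_FAMILIES = {"VPN"}

# Matches 'V5.37(ABFV.2)' and 'V5.39'; the parenthesised build tag is optional.
_VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)(?:\(([A-Z]+\.\d+)\))?$")


def parse_version(text):
    """Turn a ZLD version string into ((major, minor), build_tag).
    build_tag is None when the string carries no parenthesised tag."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {text!r}")
    return (int(m.group(1)), int(m.group(2))), m.group(3)


def model_family(model):
    """Map a model name ('VPN100', 'Flex 500', 'ATP200') to a product family."""
    name = model.strip().upper()
    if name.startswith(("USG FLEX", "FLEX")):
        return "USG FLEX"
    if name.startswith("ATP"):
        return "ATP"
    if name.startswith("VPN"):
        return "VPN"
    return "UNKNOWN"


def triage_device(model, firmware, admin_users, expected_admins):
    """Return the findings for one firewall, always in the same order:
    EOL family first, then the version gap, then unexpected admin accounts."""
    findings = []
    if model_family(model) in EOL_FAMILIES:
        findings.append("EOL_FAMILY")
    version, _build = parse_version(firmware)
    if version < FIX_VERSION:
        findings.append("BELOW_FIX_%d.%d" % FIX_VERSION)
    for user in sorted(set(admin_users) - set(expected_admins)):
        findings.append(f"UNEXPECTED_ADMIN:{user}")
    return findings


def triage(inventory_text, expected_admins):
    """Parse header-less 'site,model,firmware,user1;user2' lines and return
    {site: [findings]}. Blank lines and '#' comment lines are skipped."""
    report = {}
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        site, model, firmware, users = [f.strip() for f in line.split(",", 3)]
        admin_users = [u for u in users.split(";") if u]
        report[site] = triage_device(model, firmware, admin_users, expected_admins)
    return report


# Constructed sample inventory: the models and firmware versions are the ones
# named in the thread; the site labels and the extra account are invented.
SAMPLE_INVENTORY = """\
# site, model, firmware, admin accounts found on the box
site-a, VPN100, V5.37(ABFV.2), admin
site-b, Flex 500, V5.38, admin;svc-unknown
site-c, ATP200, V5.38, admin
site-d, Flex 200, V5.39, admin
"""
EXPECTED_ADMINS = {"admin"}  # constructed allowlist of accounts you created yourself

if __name__ == "__main__":
    for site, findings in triage(SAMPLE_INVENTORY, EXPECTED_ADMINS).items():
        print(f"{site}: {', '.join(findings) or 'OK'}")
```

    Version strings are compared as `(major, minor)` tuples rather than as floats so that a future 5.40 sorts above 5.39; the build tag in parentheses is parsed but not compared, since the thread only distinguishes releases by their 5.3x number. Feed the script the model, firmware and admin-account list you read off each box (or export from Nebula), and treat every `UNEXPECTED_ADMIN` finding as something to investigate before the firmware upgrade rather than after it.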

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,291  Zyxel Employee

    Hi @mMontana,

    Thanks for asking about the tag. Actually, it is "Q&A Answered", not "Q&A Solved". This tag means that someone has answered/replied to this question. If the answer is correct, the user can click the "Yes" button to accept this answer.

    Therefore, the tag of this post will be changed to "Q&A Accepted". This tag means this question has a real answer.

    I will create a forum post to explain this behavior soon. I appreciate your reminder.

  • mMontana
    mMontana Posts: 1,380  Guru Member
    edited September 30

    FWIW: too many or too repeated tags = all topics tagged = a lot of clutter, and it is hard to pinpoint what the topic is about; this is exacerbated by the right column eating up space with "not so high" resolutions (1280). Also, padding outside and inside the textbox eats up text space, which currently is less than 66%.

    Add to this the ads in the Zyxel representative signatures… the "information estate" is getting smaller and smaller. If I wanted ads I could go to MSN pages… not a technical community.

    To any other unfortunate community members: how is the fixup run going? Are you in a position (and/or willing) to share something new and more specific about the vulnerability?

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,291  Zyxel Employee

    Hi @mMontana,

    Thanks for your suggestion. I will discuss with my team if we can adjust this display.
