Zyxel security advisory for hardcoded credential vulnerability

Zyxel_Stanley
Zyxel_Stanley Posts: 1,379  Zyxel Employee
100 Answers 1000 Comments Friend Collector Seventh Anniversary
edited January 2021 in Security Advisories

Zyxel security advisory for hardcoded credential vulnerability

CVE: CVE-2020-29583

Summary

Zyxel has released a patch for the hardcoded credential vulnerability of firewalls and AP controllers recently reported by researchers from EYE Netherlands. Users are advised to install the applicable firmware updates for optimal protection.

What is the vulnerability?

A hardcoded credential vulnerability was identified in the “zyfwp” user account in some Zyxel firewalls and AP controllers. The account was designed to deliver automatic firmware updates to connected access points through FTP. 

What versions are vulnerable—and what should you do? 

After a thorough investigation, we’ve identified the vulnerable products and are releasing firmware patches to address the issue, as shown in the table below. For optimal protection, we urge users to install the applicable updates. For those not listed, they are not affected. Contact your local Zyxel support team if you require further assistance or reference to this link on how to mitigate the risk. 


Got a question or a tipoff?

Please contact your local service rep for further information or assistance. If you’ve found a vulnerability, we want to work with you to fix it—contact security@zyxel.com.tw and we’ll get right back to you.

Acknowledgment

Thanks to Niels Teusink at EYE for reporting the issue to us.

Revision history

2020-12-23: Initial release

2020-12-24: Updated the acknowledgement section

2021-1-4: Updated the patch schedule for AP controllers

Comments

  • inchica
    inchica Posts: 10  Freshman Member
    First Comment Friend Collector First Anniversary
    Is the Zywall 110 affected?  Autoupdate is not showing any available updates. 
  • PeterUK
    PeterUK Posts: 3,460  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited January 2021
    Is the Zywall 110 affected?

    You can update the Zywall 110 to V4.60 patch 1 

    https://portal.myzyxel.com/my/firmwares

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,379  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary

    Hi @inchica

    ZyWALL and USG series are based on the same platform.

    If your firmware is in 4.60C0, you may upgrade to 4.60Wk48 or 4.60P1 which patched this vulnerability. 

    ZyWALL Series models: ZyWALL110/ ZyWALL310/ ZyWALL1100

  • Zyxel_Dick
    Zyxel_Dick Posts: 21  Zyxel Employee
    First Comment Friend Collector Seventh Anniversary
    edited January 2021

    What should I do if I can’t upgrade the firmware in a short time?

    1.    If it is not absolutely necessary to manage devices from the WAN side, please disable the FTP/TELNET/SSH/WWW/SNMPv3 service from WAN. These services are disabled by default, so you won’t have to do so unless you have enabled it in the past.

    2.    If you still need to manage devices from the WAN side, please enable Policy Control and add rules to only allow access from trusted source IP addresses.

    3.    We also recommend users to enable Policy Control on the LAN side and add rules to only allow trusted IP addresses for better protection.