If I can’t upgrade my firmware temporarily, what else I can do to avoid this vulnerability?

Zyxel_Dick
Zyxel_Dick Posts: 21  Zyxel Employee
First Comment Friend Collector Seventh Anniversary
edited June 2022 in Other Topics

1.    If you don’t need to deliver automatic firmware upgrade for APs through FTP, please disable the FTP service on the controller. The AP controllers use the CAPWAP protocol as the default design to deliver such updates.

Step 1. Go to CONFIGURATION > Wireless > AP Management > AP Policy > Firmware Updating. Choose the "Updating Method" as "CAPWAP", and click "Apply".


Step 2. Go to CONFIGURATION > System > FTP. Un-check the "Enable", and click "Apply" to disable FTP service.



2.    If it is still necessary to enable FTP service, please enable the Service Control or Firewall features for better protection.

Method 1. Restrict the FTP service authority via FTP service control

Step 1. Add the address objects for APs and users who needs to login NXC via FTP service. Go to CONFIGURATION > Object > Address > Address. Click "Add", and add the address rule for APs and users.



Note. the address type can be a host, a range or a subnet.


Step 2. Go to CONFIGURATION > Object > Address > Address Group. Click "Add", and choose the AP address object and User address object.


Step 3. Go to CONFIGURATION > System > FTP. Add a service control rule for all as "Deny".


Step 4. Go to CONFIGURATION > System > FTP. Add a service control rule for FTP_service as "Accept".


Step 5. Ensure the Accept rule priority is higher than Deny rule. If it is not, use "Move" to change the priority higher.



Method 2. Restrict the FTP service authority via Firewall

Step 1. Add the address objects for APs and users who needs to login NXC via FTP service. Go to CONFIGURATION > Object > Address > Address. Click "Add", and add the address rule for APs and users.



Note. the address type can be a host, a range or a subnet.


Step 2. Go to CONFIGURATION > Object > Address > Address Group. Click "Add", and choose the AP address object and User address object.


Step 3. Go to CONFIGURATION > Firewall > Firewall. Add a firewall rule: from any to NXC with FTP service as deny.


Step 4. Go to CONFIGURATION > Firewall > Firewall. Add a firewall rule:  from any to NXC with FTP_service address object as allow for the APs and users.


Step 5. Ensure the Accept rule priority is higher than Deny rule. If it is not, use "Move" to change the higher priority.


Tagged: