Security Incident Alert question
Martin_Kuchar
Posts: 38 
Freshman Member
Freshman Member
in Security
As is written in last Security Incident Alert email, we should restrict WAN to Zywall access to trusted IP addresses. If we do it, we will also kill all Secuextender VPN connections from not defined IP addresses?
0
All Replies
-
AFAIK yes. Consider L2TP as a possible temporary replacement.
0 -
HiAt ATP with firmware 5.0 you have the optioin to change the SSL VPN Port.
But since Zyxel dosn't provide information about the problem, we don't know if this helps...Suggest to disable VPN during Covid is also not a smart plan...
0 -
BTW, the security problem affects the ZLD firmware. What exactly is "ZLD" firmware?0
-
AFAIK firmware since 4.xx
0 -
thanks Mario and mMontana, but where the hell is Support Staff?? We need to know (not hope) if at least 2FA will safe us from the security problem! We cannot shut down VPN. And where is new, repaired firmware? Do Zyxel sleep? I am sure, my next router will be something with opensource firmware..0
-
@Martin_Kuchar I am no part of Zyxel and i do not endorse current behavior, but i would like to remind some... things.
- the head tech of Zyxel is in Taiwan, and if you don't know which is the "country" situation of Taiwan i suggest to take a ride on news to get a bigger picture of the situation.
My timezone is -7 compared to Taiwan. IMVHO someone is still sleeping now. In the human way, not mocking them.
Also, among Zyxel partners and offices, I don't know who's entitled to answer to questions without express authorization. - Before any declaration, info must be accurate, verified. Currently the declaration is "close the doors". I also would like to know more about the issue, the way to solve it, but as far as I don't like to not know enough, i prefer it to "too many communications, sometimes contradictory".
- As stated in other places about other things (spectre-meltdown) i prefer a good solution (efficient, effective, stable, verified) instead of a quick and not so nice solution, maybe with bigger holes than the ones it's trying to close. Qualcomm issues with DSP few months ago should be a nice example.
Also, FragAttack is taking tools for development (people, organization, testing, CPU power), the list of the involved devices is quite long.
Am I happy? No. My "security" device is not perfect.Am I glad about not having the same features at this morning? No.Am I glad of this problem Zyxel "delivered" to my devices? No. (Also, i would love to have OpenVPN unmodifed client for SSLVPN).I received some useful info, i found issues, i complied to reduce footprint. If you (or who can take decisions into your company) is ready to take consequences for not reducing the footprint... it's your choice.0 - the head tech of Zyxel is in Taiwan, and if you don't know which is the "country" situation of Taiwan i suggest to take a ride on news to get a bigger picture of the situation.
-
Hi @Martin_KucharWe apologized for the inconvinence caused, based on our investigation so far, a small subset of Zyxel security appliances is targeted. Enabel 2FA will definately help secure the network. Also, you may follow the mitigation SOP to configure limited remote access while SSL VPN is needed.
How to mitigate the threat by limiting the access sources — Zyxel Community
We are also working on a mitigation firmware with further countermeasures to mitigate the threat. Will keep everyone posted.
0 -
hi all,
i'm really confused with this situation, when you go to the Zyxel's article in their mail :
https://kb.zyxel.com/KB/searchArticle!viewDetail.action?articleOid=018137&lang=EN
it is saying FW4.62P2
so if we have 4.63 we are safe from this situation ?
0 -
@Zyxel_Vic you wirte: Enabel 2FA will definately help secure the networki agree, that 2FA is alway a good choice, but does it help in the current situation? according the mail, it's a bypass oft the auth, then a creation of a new user - this one dosn't have 2FA enabled...can 2FA avoid this?
1 -
Yes this is important Question : does it help in the current situation 2FA or not ?
I dont want hurry implement 2FA, training office user "you must login SecuExtender, you must login your email for code, you must now login to web and paste code to browser" - please add 2FA to SecuExtender client ...0
Guru Member
Ally Member
Zyxel Employee
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 144 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.6K Security
- 237 USG FLEX H Series
- 267 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.3K Consumer Product
- 247 Service & License
- 384 News and Release
- 83 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.2K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight
