Security Incident Alert question
All Replies
-
So can we assume that an authenticated user is able to manipulate the device to run administrative commands. Or are they able to bypass authentication entirely meaning 2fa is a good to have but useless against this attack.
I can understand why you are skating around the issue, but should we assume the worst. e.g If you cannot limit access to the web page\ssl then turn it off.
0 -
FYI: disabling HTTPS access from WAN into 1 of the devices i manage the "unwanted user" did not re-appear during last 24h. Which is not enough, but better than nothing.0
-
Hi @Daveishere
Thanks for asking. Adding 2FA shall have extra help. If you'd like to keep the ssl vpn connection, you may change the accessing port instead of using the standard one. Here it is the configuration example for your reference.
In addition, it is not suggested to put your WAN access into public directly. If you'd like to access and manage via WAN connection, it would be better to go through VPN as well.0 -
Zyxel_Vic said:Hi @Daveishere
Thanks for asking. Adding 2FA shall have extra help. If you'd like to keep the ssl vpn connection, you may change the accessing port instead of using the standard one. Here it is the configuration example for your reference.
In addition, it is not suggested to put your WAN access into public directly. If you'd like to access and manage via WAN connection, it would be better to go through VPN as well.
@Zyxel_Vic
I'd like to know as well if an authenticated user is able to run administrative commands or whether the infiltrators are able to bypass the authentication entirely. In terms of the security impact this is a major difference. Does Zyxel have already any insights on this? Your communication strategy has been very confusing. On one side it's great that you've communicated this issue swiftly but for the past few days Zyxel seems to dodge critical questions and leave their customers in the dark...0 -
Just a note on VPN 2FA and disabling WAN HTTPS... You now cannot access remotely if you do such a thing.
0 -
MikeForshock said:Just a note on VPN 2FA and disabling WAN HTTPS... You now cannot access remotely if you do such a thing.0
-
Looks like hardcoded accounts in the devices. 2FA isn't going to help as we can't enable it for those users.
There is the ability to lock it down by IP address, but that's a lot of IPs to Allow and they may change if the user reboots their cable modem.
1 -
@ChipConnJohn your idea is plausible, but in any case currently nothing has been disclosed.
https://community.zyxel.com/en/discussion/5318/zyxel-security-advisory-for-hardcoded-credential-vulnerability
Hardcoded credentials were already patched at December 2020, i hope that this is not the case, due this previous and time-close episode.
@Sconsulting L2TP could not be a viable (and temporary) option?0 -
I'm not pleased to have see nothing more from Zyxel (or from representatives).Security devices and felons are on the line 24/7, and this kind of weakness into a device which enable remote connectivity, should put on the line 24/7 the best efforts in research, test, and customer care.1
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 148 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight