Security Incident Alert question


  • Zyxel_Vic
    Zyxel_Vic Posts: 282  Zyxel Employee
    Hi @Mario @kyssling
    Based on our investigation so far, we believe maintaining a robust security policy for remote access is currently known as the most effective way to defend against the threat. Adding 2FA on top of this shall have extra help.
  • So can we assume that an authenticated user is able to manipulate the device to run administrative commands? Or are they able to bypass authentication entirely, meaning 2FA is a good-to-have but useless against this attack?

    I can understand why you are skating around the issue, but should we assume the worst? E.g. if you cannot limit access to the web page/SSL, then turn it off.
  • mMontana
    mMontana Posts: 1,389  Guru Member
    FYI: after disabling HTTPS access from WAN on one of the devices I manage, the "unwanted user" did not reappear during the last 24h. Which is not enough, but better than nothing.
  • Zyxel_Vic
    Zyxel_Vic Posts: 282  Zyxel Employee
    Hi @Daveishere
    Thanks for asking. Adding 2FA shall have extra help. If you'd like to keep the SSL VPN connection, you may change the access port instead of using the standard one. Here is the configuration example for your reference.
    In addition, it is not suggested to expose your WAN access to the public directly. If you'd like to access and manage via the WAN connection, it would be better to go through VPN as well.
  • Zyxel_Vic said:
    Hi @Daveishere
    Thanks for asking. Adding 2FA shall have extra help. If you'd like to keep the SSL VPN connection, you may change the access port instead of using the standard one. Here is the configuration example for your reference.
    In addition, it is not suggested to expose your WAN access to the public directly. If you'd like to access and manage via the WAN connection, it would be better to go through VPN as well.

    @Zyxel_Vic

    I'd like to know as well whether an authenticated user is able to run administrative commands or whether the infiltrators are able to bypass the authentication entirely. In terms of the security impact this is a major difference. Does Zyxel already have any insights on this? Your communication strategy has been very confusing. On one side it's great that you've communicated this issue swiftly, but for the past few days Zyxel seems to dodge critical questions and leave their customers in the dark...
  • MikeForshock
    MikeForshock Posts: 40  Freshman Member
    Just a note on VPN 2FA and disabling WAN HTTPS... You now cannot access remotely if you do such a thing.

  • Just a note on VPN 2FA and disabling WAN HTTPS... You now cannot access remotely if you do such a thing.

    Exactly, I have entire offices working from home through SSL VPN, so I can't just disable it. It is crucial that Zyxel communicates the current status clearly.
  • ChipConnJohn
    ChipConnJohn Posts: 44  Freshman Member
    Looks like hardcoded accounts in the devices. 2FA isn't going to help, as we can't enable it for those users.
    There is the ability to lock it down by IP address, but that's a lot of IPs to allow, and they may change if the user reboots their cable modem.
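    The two observations above, that an unexpected admin account stopped appearing once WAN HTTPS was disabled and that locking management down by source IP is the remaining lever, both reduce to one question a defender can answer from logs: which successful administrative logins came from accounts you did not create, from sources outside your allowlist, or straight in on a WAN interface? The following Python audit is an added example, not Zyxel's code, and the log format, field names and sample lines are constructed for illustration (they are not a real Zyxel syslog format); adapt `LINE_RE` to what your device actually emits.

```python
"""
Flag suspicious administrative logins in firewall log lines.

Added example: the record format and the sample lines below are CONSTRUCTED
for illustration and are not a real vendor log format.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample records: timestamp, event, user, source address, ingress interface, result.
SAMPLE_LOGS = [
    "2021-01-01T08:00:01 admin-login user=admin src=192.168.1.20 iface=lan1 result=ok",
    "2021-01-01T08:05:13 admin-login user=admin src=203.0.113.45 iface=wan1 result=ok",
    "2021-01-01T08:07:42 admin-login user=svcuser9 src=198.51.100.7 iface=wan1 result=ok",
    "2021-01-01T08:09:00 admin-login user=admin src=203.0.113.45 iface=wan1 result=fail",
    "2021-01-01T09:15:30 admin-login user=admin src=10.8.0.5 iface=sslvpn result=ok",
]

# Hypothetical record layout; change this to match the device's real syslog output.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) admin-login user=(?P<user>\S+) src=(?P<src>\S+) "
    r"iface=(?P<iface>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    src: str
    reasons: tuple


def audit_admin_logins(lines, known_admins, allowed_sources):
    """Return a Finding for every successful admin login that breaks policy.

    known_admins:    set of administrator account names you created yourself.
    allowed_sources: CIDR strings from which administration is permitted,
                     typically the LAN and the VPN client pool (never 0.0.0.0/0).
    """
    nets = [ipaddress.ip_network(n) for n in allowed_sources]
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["result"] != "ok":
            continue  # unparsable lines and failed attempts are out of scope here
        reasons = []
        src = ipaddress.ip_address(m["src"])
        if m["user"] not in known_admins:
            reasons.append("unknown admin account")
        if not any(src in n for n in nets):
            reasons.append("source outside allowlist")
        if m["iface"].startswith("wan"):
            reasons.append("management reached directly on WAN")
        if reasons:
            findings.append(Finding(m["ts"], m["user"], m["src"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    policy_nets = ["192.168.1.0/24", "10.8.0.0/24"]  # constructed LAN and VPN pool
    for f in audit_admin_logins(SAMPLE_LOGS, {"admin"}, policy_nets):
        print(f.ts, f.user, f.src, "; ".join(f.reasons))
```

    On the constructed input this reports two logins: the `admin` login arriving on `wan1` from outside the allowlist, and the `svcuser9` login, which additionally matches no account you created. A login from an account that is not in `known_admins` is the signal worth paging on regardless of source, since that is exactly the pattern an unwanted or hardcoded account would produce.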
  • mMontana
    mMontana Posts: 1,389  Guru Member
    @ChipConnJohn your idea is plausible, but in any case currently nothing has been disclosed.
    https://community.zyxel.com/en/discussion/5318/zyxel-security-advisory-for-hardcoded-credential-vulnerability
    Hardcoded credentials were already patched in December 2020; I hope that this is not the case, due to this previous and time-close episode.

    @Sconsulting couldn't L2TP be a viable (and temporary) option?
  • mMontana
    mMontana Posts: 1,389  Guru Member
    I'm not pleased to have seen nothing more from Zyxel (or from representatives).
    Security devices and felons are on the line 24/7, and this kind of weakness in a device which enables remote connectivity should put on the line 24/7 the best efforts in research, testing, and customer care.
