Security Incident Alert question

13»

All Replies

  • Agor76
    Agor76 Posts: 39  Freshman Member
    First Anniversary 10 Comments Friend Collector
    mMontana said:
    I'm not pleased to have see nothing more from Zyxel (or from representatives).
    Security devices and felons are on the line 24/7, and this kind of weakness into a device which enable remote connectivity, should put on the line 24/7 the best efforts in research, test, and customer care.
    Exactly, security devices are meant to protect us from malicious behaviors, but what we got here is that they're acting as the main vector for a possible breach. No device is immune from vulnerabilties today, but again, we're talking about firewalls, they're not something that you could simply shutdown. Critical threats should be fixed immediatly!!!!
    I'm start to thinking to move away from Zyxel, silence is unacceptable for a company who makes security devices these days.
    By the way, thank you mMontana for sharing advices, at least we have our community.

    Agor
  • Mario
    Mario Posts: 104  Ally Member
    First Anniversary 10 Comments Friend Collector Zyxel Certified Network Engineer Level 1 - Security
    New Firmware for ATP is out. According to release note:
    [...]
    [ENHANCEMENT] To strengthen security access under Covid19 pandemic,
    given GeoIP feature by default on all devices.

    Thanks for this Zyxel!! Sti

  • mMontana
    mMontana Posts: 1,298  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    As far as i can see, also 4.64 is out for "older devices".
    From the Changelog

    Modifications in V4.64(AALA.0)C0 -2021/06/26
    1. [ENHANCEMENT] The new Initial Setup Wizard will facilitate user to enforce security policies against access to the web management interface and SSL VPN service (from the Internet).
    2.[ENHANCEMENT] Add Security Policy Check to spot out misconfiguration of security policies via pop-up window.3.[ENHANCEMENT] Add configuration change log of user object.
    4.[ENHANCEMENT] To strengthen security access under Covid19 pandemic, given GeoIP feature by default on all devices.
    5.[ENHANCEMENT] Support SSL VPN service port configurable

    This come from release notes for USG40.

  • Zyxel_Vic
    Zyxel_Vic Posts: 281  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    edited June 2021
    Hi @mMontana, @ChipConnJohn, @Agor76
    Thanks for all your input and valuable sharing. 

    Based on our investigation so far, HTTPS is the primary attack vector, and once the attempt is successful, it results in symptoms such as unknown user accounts being created. We haven’t observed any direct correlation between this attack and the previous hardcoded account vulnerability.

    To assist on the secured configurations, we released a new update which helps on the mitigation settings, you can easily complete the procedure by following up the wizard. Here it is the detail information about this release

    https://community.zyxel.com/en/discussion/10971/zld4-64-5-01-firmware-release#latest

     




  • Zyxel_Vic said:
    Hi @mMontana, @ChipConnJohn, @Agor76
    Thanks for all your input and valuable sharing. 

    Based on our investigation so far, HTTPS is the primary attack vector, and once the attempt is successful, it results in symptoms such as unknown user accounts being created. We haven’t observed any direct correlation between this attack and the previous hardcoded account vulnerability.

    To assist on the secured configurations, we released a new update which helps on the mitigation settings, you can easily complete the procedure by following up the wizard. Here it is the detail information about this release

    https://community.zyxel.com/en/discussion/10971/zld4-64-5-01-firmware-release#latest

     





    Hi @Zyxel_Vic

    So does this essentially mean that Zyxel does not know whether an actual remote code execution vulnerability exists?  What do you exactly mean by "attack vector"?  Are we talking about brute-forcing passwords or taking advantage of an actual RCE vulnerability in the firmware? Until now all of the communication from Zyxel has been extremely vague, leading to speculation and rumors.  I can understand if Zyxel cannot release any details due to security matters, however then it would be just a matter of announcing "we've identified the vulnerability and will provide a fix shortly".  I just have the impression that Zyxel is clueless in terms of how the threat actors got in.

    The recent patch is nice in terms of offering the Geo-IP feature at no cost, however this is only a workaround.  Changing port numbers and limiting access on a geographical scope can be considered security by obscurity, which can be easily circumvented by a sophisticated threat actor.

    I'd appreciate it if Zyxel would release a clear PR statement of the current state of affairs without any vague language.  

    Thank you.

     
  • mMontana
    mMontana Posts: 1,298  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Sconsulting said:
    The recent patch is nice in terms of offering the Geo-IP feature at no cost, however this is only a workaround. Changing port numbers and limiting access on a geographical scope can be considered security by obscurity, which can be easily circumvented by a sophisticated threat actor.

    I'd appreciate it if Zyxel would release a clear PR statement of the current state of affairs without any vague language.  

    Thank you.

    I stand by your opinion and share your concerns.
    On the other side, without solutions or info sharing, "stating the nothing" could be a double-edged sword for Zyxel, and i can understand why, until now, only "new firmware" is what has been told.

    Saying that i can understand do not means that it'll be enough. Sooner or later I'm expecting disclosures on how attack was completed and what has been done to avoid similar breaches in future.

    Reducing the footprint is important, but a broken lock cant' be considered safe with a bigger metal guard for the keyway.

Security Highlight