ZLD4.64 & 5.01 Firmware release
Dear Customer,
We recently became aware of a sophisticated threat actor targeting a small subset of Zyxel security appliances that have remote management or SSL VPN enabled. This mitigation firmware will actively guide users to follow general security best practices to reduce the attack surface. The new features include:
- Initial Setup Wizard Enhancements
Helps users to enforce security policies against access to the web management interface and SSL VPN service from the Internet.
- Security Policy Check
Shows misconfiguration of security policies through a pop-up notification, along with firmware update and change password reminder.
- Configurable SSL VPN and WAN Access
Separates access options on SSL VPN and WAN Access service.
- Log Enhancement
Provides a log history when the user object has been changed.
- GeoIP Now a Complimentary Feature
Built-in GeoIP feature to strengthen security access-which is now available free of charge for the entire firewall range.
Release Date: June 28th, 2021
Firmware ZLD4.64: ZyWALL USG Series/ZyWALL 110/310/1100
Firmware ZLD5.01: ZyWALL ATP Series/USG FLEX Series/VPN Series
All Replies
-
So the actual security hole isn't fixed?0
-
Thanks Zyxel for giving the customers some tools for mitigate risk and reduce footprint of attack.But my customers are asking and i have to turn the question to you.@Zyxel_Stanley, i am writing to you but of course there's nothing personal about that :-)
- Has the attack tecnique been thoroughly analyzed?
- Was found the way for the attackers to create users on the devices?
- Is this (eventual) way being originated from a vulnerability of the software, shared among versions 4.x and 5.x?
- Has this (again, eventual) vulnerability been found and patched?
- Is there any eventual ETA for deliver to customers stable and effective patch?
- Is there a way to assess if the firewall has been compromised?
- Can configuration backups on the device be considered safe or assessed as compromised?
- Is there a way to assess the security the device different than a full-manual reconfigure?
I am not expert of using GeoIP feature. And as far as i can see, I not usire if I can"feed" a host group by nations/contintents outside the wizard.Is there a part into user manual which cover how to create rules with GeoIP objects and references?0 - Has the attack tecnique been thoroughly analyzed?
-
Can you please answer if this patch fix security problem OR only (what i read) implement more and simple security settings for Zyxel USG ....
0 -
Thanks Standley & Co. for your effort. Appreciated.Nice, that now finally the SSLVPN login port and the WWW https Admin login port will be separated. But sad that there had to be an attack scenario first for realizing this issue.We are using the SecuExtender Login only and do not need the SSLVPN Login window of the USG. Further the admin access is only allowed via LAN1 subnet. Did you use the chance to add an option to completely switch off the USG login window from WAN/Internet side? This would further reduce the possible attack "surface".At the moment we are still at 4.62 and are not sure when we should update since the problems occur with 4.63.
0 -
kyssling said:Can you please answer if this patch fix security problem OR only (what i read) implement more and simple security settings for Zyxel USG ....0
-
Hi Guys,I did find successful admin login access from unknown IP to our firewall. So it seems that they have used admin account with normal password. Can anyone else seeing those and are you using SecuReporter service?0
-
Is it possible to disable admin login from WAN while you are using 2FA with email verification?
If I disable HTTPS or block WAN on "Admin service control", my 2FA doesn't work anymore.
0 -
@Zyxel_Stanley is it safe to setup SSL VPN port to 443 and webinterface to another port?In this case the SSL VPN Users don't need a new address to connect.0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 147 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight