ZLD4.64 & 5.01 Firmware release
All Replies
-
Hi @kyssling, @Sconsulting, @Asgatlat
This is the mitigation firmware which we believe that the implemented method will be able to provide the best practice to protect your network.
Hi @OTADMIN
If you're using 2FA as the auth method, the HTTPS service from WAN port can't be disabled since 2FA will implement it for the authentication. Thanks for your feedback, this improvement is now under discussion and we had put it in our plan. However, it is still suggested to upgrade 4.64 (or 5.01) with GeoIP implementation which can limit the authorized people from the specified regions. In addition, it will be a good general practice in security if the passwords can be changed periodically as well1 -
@USG_User thanks for the feedback. I know this is possible, but all users need to change this.During homeoffice, this generates a lot of trouble till all user connect to the new port. And somtimes other prots then 80/443 are blocked. Cause Zyxel suggest only to seperate HTTPS and SSL VPN, but don't make a recomendation about the ports.0
-
Guide if it doesn't already should include changing of admin account passwords. We are seeing devices with new user objects (random names none of the test accounts) and then the same IP using the default admin account.0
-
The operational issue I still see with 2FA is that if your WAN connection is down, 2FA will not work, preventing admin access to the Zyxel device. Now it becomes more difficult to discover why your network is down.Zyxel_Vic said:.......If you're using 2FA as the auth method, the HTTPS service from WAN port can't be disabled since 2FA will implement it for the authentication. Thanks for your feedback, this improvement is now under discussion and we had put it in our plan. ....
.......
0 -
mMontana said:Thanks Zyxel for giving the customers some tools for mitigate risk and reduce footprint of attack.But my customers are asking and i have to turn the question to you.@Zyxel_Stanley, i am writing to you but of course there's nothing personal about that :-)
- Has the attack tecnique been thoroughly analyzed?
- Was found the way for the attackers to create users on the devices?
- Is this (eventual) way being originated from a vulnerability of the software, shared among versions 4.x and 5.x?
- Has this (again, eventual) vulnerability been found and patched?
- Is there any eventual ETA for deliver to customers stable and effective patch?
- Is there a way to assess if the firewall has been compromised?
- Can configuration backups on the device be considered safe or assessed as compromised?
- Is there a way to assess the security the device different than a full-manual reconfigure?
I am not expert of using GeoIP feature. And as far as i can see, I not usire if I can"feed" a host group by nations/contintents outside the wizard.Is there a part into user manual which cover how to create rules with GeoIP objects and references?I did not forgot my questions. I am aware that might take some time to have answers.Still a Security Advisory not released. But I won't stop reminding that it will be due to customers, when all the pieces will be put together.0 - Has the attack tecnique been thoroughly analyzed?
-
We've switched over to Google Authenticator (we actually use Authy) for admin access for this very reason.EricNepean2 said:
The operational issue I still see with 2FA is that if your WAN connection is down, 2FA will not work, preventing admin access to the Zyxel device. Now it becomes more difficult to discover why your network is down.Zyxel_Vic said:.......If you're using 2FA as the auth method, the HTTPS service from WAN port can't be disabled since 2FA will implement it for the authentication. Thanks for your feedback, this improvement is now under discussion and we had put it in our plan. ....
.......0 -
I'm still waiting Zyxel like a Romeo waits his Juliet... My Wishing Well contains a wish for a patched (not mitigated) firmware...
0 -
According to Zyxel support:
"The firmware you downloaded currently offers license-free GeoIP feature to mitigate the damage as much as possible. However patch that would fix this vulnerability is expected to arrive during next week."
So, stay strong till next week!0 -
Configure one admin account with Google 2FA and you will get 5 backup codes that will work even if the WAN is down and/or you don't have access to your phone.EricNepean2 said:
The operational issue I still see with 2FA is that if your WAN connection is down, 2FA will not work, preventing admin access to the Zyxel device. Now it becomes more difficult to discover why your network is down.Zyxel_Vic said:.......If you're using 2FA as the auth method, the HTTPS service from WAN port can't be disabled since 2FA will implement it for the authentication. Thanks for your feedback, this improvement is now under discussion and we had put it in our plan. ....
.......0 -
I'm not pleased for not see any status update of the (eventual) vulnerability and the (eventual) firmware upgrade for solving "once for all" the issue encountered about security incident.GeoIP and HTTPS port split among admin interface and SSL VPN are a really useful tools, but they are not the solution, only mitigation.My users are asking updates, about how and when their devices well become safer.0
Zyxel Employee
Ally Member
Freshman Member
Guru Member
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 144 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.6K Security
- 237 USG FLEX H Series
- 267 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.3K Consumer Product
- 247 Service & License
- 384 News and Release
- 83 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.2K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight
