Security breach incident FAQ

Zyxel_Joslyn Posts: 346  Zyxel Employee
edited September 10 in Security

Q1. Which models and firmware versions are affected by this security breach incident?

Based on our investigation so far, a small subset of Zyxel security appliances is targeted. Currently we have not observed any direct correlation with specific firmware versions. The most effective way is to check whether any unknown SSL VPN user account, such as "zyxel_sllvpn", "zyxel_ts", or "zyxel_vpn_test", has been created. If not, your device is not affected; please still follow the mitigations below as a precaution.

https://community.zyxel.com/en/discussion/10912/how-to-mitigate-the-threat-by-limiting-the-access-sources#latest 


Q2. What are the symptoms?

The compromised device will have new accounts added to your gateway's user configuration and Policy/Firewall rules added to allow undesired traffic into your network.

Make sure that all user accounts in the configuration are recognized and legitimate. If there are unknown user accounts, immediately remove them and any related rules.

  • Unknown admin accounts created (always), e.g. manage, zyxel_sllvpn, sslvpn_index, zyxel_ts, etc.
    CONFIGURATION > Object > User/Group > User
  • Admin password is different from before
  • Policy / Firewall route creation (sometimes), with the wording "loseang" or "loosing" in the description
    CONFIGURATION > Network > Routing > Policy Route
    CONFIGURATION > Security Policy > Policy Control > Policy
  • Other configuration changes, e.g. the PSK of a VPN tunnel (rare)
    CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Pre-Shared Key



Q3. What should I do to mitigate the risk?

Based on our investigation so far, HTTPS is the primary attack vector. We suggest reviewing the firewall configuration, modifying the HTTPS port setting and changing the admin password. Please follow the mitigations below as a precaution.

https://community.zyxel.com/en/discussion/10912/how-to-mitigate-the-threat-by-limiting-the-access-sources#latest

To assist with securing the configuration, we released a new update that helps with the mitigation settings; you can easily complete the procedure by following the wizard. Here is the detailed information about this release.

https://community.zyxel.com/en/discussion/11061/zld4-65-5-02-firmware-release#latest


Q4. What is included in the latest release 4.65 and 5.02 firmware?

The firmware was released on July 6th.

Here is the detailed information about this release

https://community.zyxel.com/en/discussion/11061/zld4-65-5-02-firmware-release#latest

  • CVE-2021-35029
    Vulnerability fix for the web-based management interface of Zyxel USG/ZyWALL, USG FLEX, ATP and VPN series
  • Two-Factor Authentication Enhancement
    Supports a configurable 2FA service port
  • Security Check Enhancement
    Disables the HTTP port automatically while allowing WAN management in the security check wizard
  • Password Change Reminder
    Reminds privileged accounts to change their passwords for security
  • Log Enhancement
    Raises admin-type user change logs to alert level

For newly installed devices, this firmware can guide the best practice from the beginning.

Here is the link to our What's New information.

http://secure.campaigner.com/csb/Public/show/d9wg-2evy1r--v7ugq-abpnmxh9


Q5. What shall I do if my device has been compromised?

The compromised device will have new accounts added to your gateway's user configuration and Policy/Firewall rules added to allow undesired traffic into your network. Here are the check items. If there are unknown user accounts/rules, immediately remove them and any related rules.

  • Change all admin passwords.
  • Compare the user accounts. Here is the default user list.
    Delete the unknown accounts.
  • Remove the unknown firewall rules. Here is the default setting. By default, any to any is "deny".
    If you find unknown rules, select the rule and click the "Remove" button.


After finishing the configuration check, we strongly recommend reviewing the firewall configuration, modifying the HTTPS port setting and changing the admin password. Please follow the mitigations below as a precaution.

https://community.zyxel.com/en/discussion/10912/how-to-mitigate-the-threat-by-limiting-the-access-sources#latest

To assist with securing the configuration, we released a new update that helps with the mitigation settings; you can easily complete the procedure by following the wizard. Here is the detailed information about this release.

https://community.zyxel.com/en/discussion/11061/zld4-65-5-02-firmware-release#latest
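The account and rule checks in Q2 and Q5 (and repeated in Q8 step 2) can be run offline against an exported configuration rather than by eye in the WebGUI. The script below is an added example, not Zyxel's code; the line shapes it parses (`username ... user-type`, `description`, `ip http secure-port`) are an assumption about a CLI-style export, the indicator names and description keywords come from this FAQ, and the sample configuration is constructed.

```python
"""Offline triage of an exported ZLD-style configuration for the indicators in this FAQ."""
import re

# Account names this FAQ lists as indicators of compromise.
IOC_ACCOUNTS = {"zyxel_sllvpn", "zyxel_ts", "zyxel_vpn_test", "manage", "sslvpn_index"}
# Description fragments the FAQ says appear on attacker-created routes and rules.
IOC_DESC_WORDS = ("loseang", "loosing")

# Assumed line shapes of a CLI-style export (adjust to what your device produces):
#   username <name> ... user-type <type>
#   description <text>            (inside a policy route / policy block)
#   ip http secure-port <port>
USER_RE = re.compile(r"^\s*username\s+(\S+).*?\buser-type\s+(\S+)", re.M)
DESC_RE = re.compile(r"^\s*description\s+(.+?)\s*$", re.M)
HTTPS_RE = re.compile(r"^\s*ip http secure-port\s+(\d+)", re.M)


def audit_config(config_text, known_accounts):
    """Return (category, detail) findings; an empty list means nothing was flagged."""
    findings = []
    for name, user_type in USER_RE.findall(config_text):
        if name in IOC_ACCOUNTS:
            findings.append(("ioc-account", f"{name} ({user_type})"))
        elif name not in known_accounts:
            # Not a listed indicator, but also not on the operator's known-good list.
            findings.append(("unknown-account", f"{name} ({user_type})"))
    for desc in DESC_RE.findall(config_text):
        if any(word in desc.lower() for word in IOC_DESC_WORDS):
            findings.append(("ioc-description", desc))
    match = HTTPS_RE.search(config_text)
    if match and match.group(1) == "443":
        # Q8 step 3 asks for the HTTPS port to be moved off the default.
        findings.append(("https-default-port", match.group(1)))
    return findings


# Constructed sample export; the password blobs are placeholders, not real hashes.
SAMPLE_CONFIG = """\
username admin encrypted-password $PLACEHOLDER$ user-type admin
username ldap-users user-type ext-group-user
username zyxel_sllvpn encrypted-password $PLACEHOLDER$ user-type admin
username backup_op encrypted-password $PLACEHOLDER$ user-type limited-admin
policy 3
 description loseang
 source-ip any
 next-hop interface wan1
ip http secure-port 443
"""
# Accounts the operator has verified as legitimate (constructed list).
KNOWN_ACCOUNTS = {"admin", "ldap-users"}

if __name__ == "__main__":
    for category, detail in audit_config(SAMPLE_CONFIG, KNOWN_ACCOUNTS):
        print(f"{category:20s} {detail}")
```

The known-good set is deliberately an input rather than a built-in list: the FAQ's screenshot of the default users is not reproduced here, so each operator supplies the accounts they have verified. Anything that is neither a listed indicator nor on that set is reported as unknown and should be investigated before it is deleted.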


Q6. If I implement the 2FA function for VPN access, can I deny the HTTPS web management service (port 443) on the WAN interface?

Yes. After upgrading to 5.02/4.65, users can separate the 2FA portal page from the device management service by using different ports.



Q7. Does this patch fix the security problem, or does it only implement more and simpler security settings for Zyxel USG?

Zyxel has released standard firmware v4.65/5.02, which remains the definitive solution to the issues for the affected models. The patches also include additional security enhancements based on users' feedback and security researchers' advice, which we strongly recommend users install immediately for optimal network protection.


Q8. Am I safe after upgrading the firmware to the latest release (4.65/5.02)? What extra steps should I take to protect my device?

Since the compromised device will have new accounts added and the configuration modified on your gateway to allow undesired traffic into your network, make sure that all user accounts in the configuration are recognized and legitimate.

1. We recommend changing the password on all of your admin-type accounts for better protection.

2. Make sure that all user accounts in the configuration are recognized and legitimate. If there are unknown user accounts (e.g. zyxel_sllvpn, zyxel_ts, zyxel_vpn_test, manage), immediately remove them and any related rules. (Configuration > Object > User/Group)

3. Change the SSL VPN and HTTPS service ports, and add firewall rules to restrict access.

Scenario#1

If you allow traffic from the Internet to your device via the WebGUI and SSL VPN tunnel, follow these steps to protect your device.

a. Add IP address object(s) for trusted addresses or trusted countries.
   (Configuration > Object > Address/GeoIP)

b. Allow trusted IP addresses and deny other traffic from the Internet.
   (Configuration > Security Policy > Policy Control)
   #1. Allow the trusted IP addresses and the WebGUI/SSL service ports from the WAN side.
   #2. Deny all other IP addresses that you do not trust from accessing your WebGUI.

c. Change the HTTPS connection port from the default 443 to another port (one that does not conflict with other services) and make sure that this port is added to policy control rule #1.
   (Configuration > System > WWW)
   Change the HTTPS connection port, e.g. to 17443.

After changing the HTTPS service port, you must reconnect to your device using the new port. If you would like to use the SSL VPN tunnel to access your device, make sure that the public IP address of your PC is added to your Trusted IP List. While connecting to your device, make sure to enter the correct port in SecuExtender.


Scenario#2

If no WebGUI/SSL VPN tunnel is required, you can move the default rule (WAN_to_Device) to the first position and keep the last rule as "deny".

(Allowed services are for IPSec VPN/VRRP/GRE)

Make sure there is no HTTP/HTTPS WebGUI service port in the service group.


More FAQ entries will be added over time.
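The two scenarios above are a first-match policy list, and the note in Scenario#1 step c (add the new HTTPS port to rule #1 before reconnecting) is where operators lock themselves out. The model below is an added illustration, not Zyxel's code; the rule shapes, the trusted range 203.0.113.0/24 and the SSL VPN port 10443 are constructed assumptions, while the example HTTPS port 17443 is the one this FAQ uses.

```python
"""First-match model of the WAN_to_Device policy in Scenario#1 and Scenario#2."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "deny"
    sources: tuple       # ip_network objects; empty tuple means any source
    ports: frozenset     # destination ports; empty set means any port


def evaluate(rules, src_ip, dst_port):
    """Walk the rules top-down; the first match decides. No match falls to deny."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        src_ok = not rule.sources or any(src in net for net in rule.sources)
        port_ok = not rule.ports or dst_port in rule.ports
        if src_ok and port_ok:
            return rule.action, rule.name
    return "deny", "default-deny"


def scenario1(trusted_cidrs, https_port, sslvpn_port):
    """Rule #1 allows trusted sources to the management ports; rule #2 denies the rest."""
    trusted = tuple(ipaddress.ip_network(c) for c in trusted_cidrs)
    return [
        Rule("#1 trusted-to-mgmt", "allow", trusted, frozenset({https_port, sslvpn_port})),
        Rule("#2 deny-others", "deny", (), frozenset()),
    ]


def exposed_web_ports(rules, https_port=443):
    """Scenario#2 check: WebGUI ports that an any-source allow rule still opens."""
    web_ports = {80, 443, https_port}
    exposed = set()
    for rule in rules:
        if rule.action == "allow" and not rule.sources:
            exposed |= (rule.ports & web_ports) if rule.ports else web_ports
    return exposed


if __name__ == "__main__":
    # Trusted range and SSL VPN port are constructed values.
    rules = scenario1(["203.0.113.0/24"], https_port=17443, sslvpn_port=10443)
    print(evaluate(rules, "203.0.113.7", 17443))    # trusted admin on the new port
    print(evaluate(rules, "198.51.100.9", 17443))   # untrusted source
    print(evaluate(rules, "203.0.113.7", 443))      # old port is no longer allowed
    # Rule #1 still lists 443 after the port was moved to 17443: even trusted admins are denied.
    stale = scenario1(["203.0.113.0/24"], https_port=443, sslvpn_port=10443)
    print(evaluate(stale, "203.0.113.7", 17443))
```

The `stale` case is the lock-out: the device listens on 17443, but rule #1 still names 443, so the trusted admin's connection falls through to rule #2. `exposed_web_ports` is the Scenario#2 sanity check, returning any WebGUI port that an unrestricted allow rule would still expose from the WAN.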

Comments

  • Mario
    Mario Posts: 69  Ally Member
    Thank you for the summary of the current situation. Unfortunately, we still have no information about the origin of the problem. In my opinion, a brute-force attack on the accounts is very unlikely, as the firewalls have a default lockout policy.
    Therefore, an exploit / auth bypass is probably more likely. In this case, however, GeoIP and HTTP port changes would not be a sustainable solution but only a workaround.

  • Tomi
    Tomi Posts: 6  Freshman Member
    As far as I can see from the logs, they came in with a normal admin password. So it seems that they have captured passwords somewhere... My guess is Cloud CNM SecuReporter....
  • BobHere
    BobHere Posts: 2
    Denying WAN to Zywall with source = All should stop any of the attacks, right? No need to really change any ports? And only allowing trusted source IPs to the Zywall should be good enough?


  • Zyxel_Joslyn
    Zyxel_Joslyn Posts: 346  Zyxel Employee
    Hi @BobHere

    It is ok to block all traffic from WAN to Zywall and only allow trusted source IPs, because the source IP address can be recognized. But it would be better to also allow only the ports that are in use.

    Joslyn
