ZLD4.65 & 5.02 Firmware release
Zyxel has been tracking the recent activity of threat actors targeting Zyxel security appliances and has released firmware patches to defend against it. The patches also include additional security enhancements based on users’ feedback and security researchers’ advice, which we strongly recommend users install immediately. A guidance to help you identify, remediate, and defend against the incident is available on the Zyxel forum.
The new features include:
- CVE-2021-35029
Vulnerability fix for web-based management interface of Zyxel USG/ZyWALL, USG FLEX, ATP and VPN series
- Two-Factor Authentication Enhancement
Supports configurable 2FA service port
- Security Check Enhancement
Disables HTTP port automatically while allowing WAN management in security check wizard
- Password Change Reminder
- Log Enhancement
Enhances admin-type user change logs to alert level
Release Date: July 6th, 2021
Supported Models:
Firmware ZLD V4.65: ZyWALL USG Series/ ZyWALL 110/310/1100
Firmware ZLD V5.02: ZyWALL ATP Series/ ZyWALL USG FLEX Series/ ZyWALL VPN Series
Comments
-
Holy kamoly! An update, and a CVE!It' been quite a rough week...Can this CVE been exploited also on 3.x firmwares?0
-
is it important to patch also the standby FW image ?0
-
Currently, I'm keeping 4.64 as a fallback. After 2/3 weeks of uninterrupted working time, i'll upgrade also the standby image.Hoping that soon the FragAttack fix will come...1
-
We need 2FA via an OTP app (Google Authenticator, MS Authenticator) for VPN.
By contrast, have you (Zyxel security team) REALLY thought through offering "increased" security with a 2-factor mechanism that requires exposing the Zyxel externally ?
Thank-you for trying to keep on top of things, but you're several steps too far behind, please: PRIORITIZE better (meaning factually more secure) options for 2FA for VPN - the existing option is a non-starter. SMS is not secure enough, that belongs to a decade ago or more in terms of current understanding of current-day, real-world security concerns and practices. Either current option (SMS, email) that means exposing the Zyxel are sub-optimal at best.
6 -
Is there a link to download the firmware? Cloud upgrade is failing checksum on my device.
0 -
Hi @SunglassesGuy
You can download the firmware from the Myzyxel, here it is the link. Then you can upgrade the firmware locally.0 -
for admin login, I have being using the yubico hardware authenticator, it good to include the other capabilities of hardware beside beside OTP for the 2FA
0 -
Hello,
why in secuReporter not add the alert when an admin user is created ?
Simple add but important to monitoring many firewalls if someone create an admin user .1 -
Hi @DiesseInformatica
Thanks for the suggestion, currently we added certain information in the log firstly. We will consider about your suggestions and put this idea in our evaluating queue.1
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 149 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 263 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight