FLEX H Firmware Boot Issues
Freshman MemberThere is a security flaw in the current firmware of my device (and most probably other devices of this series).
When the device is rebooted, the configuration on the interfaces is applied and for round about one minute, the configured Firewall rules are not applied.
I realized that when rebooting my device with service PING not allowed towards the Device, but the PING went through during bootup.
Even worse is, that for example NAT rules are anyway applied - and then not filtered.
In combination with a Denial of Service Attack this will lead to information exposure.
Tested Device:
V1.37(ABXF.1) running on USG FLEX 100H.
Suggested Remediation: A general Deny ALL must be applied as long as the bootup is not completely finished.
I wrote this first to the security mail address, but they redirected me here. :)
All Replies
-
Hi @m0x7e
Thanks for your input. I'm clarifying with our team on it. I will update you once I get further information.
Zyxel Melen0 -
Hi @m0x7e
We tried to replicate this issue with our configuration and there's no issue as yours. Could you help to provide your configuration for us to investigate it? I have sent you a private message and you may share the configuration in there.
Zyxel Melen0 -
===content been moved to the correct post===
0
Zyxel Employee
Categories
- All Categories
- 442 Beta Program
- 3K Nebula
- 223 Nebula Ideas
- 129 Nebula Status and Incidents
- 6.6K Security
- 638 USG FLEX H Series
- 357 Security Ideas
- 1.8K Switch
- 86 Switch Ideas
- 1.4K Wireless
- 54 Wireless Ideas
- 7K Consumer Product
- 301 Service & License
- 494 News and Release
- 93 Security Advisories
- 31 Education Center
- 10 [Campaign] Zyxel Network Detective
- 4.8K FAQ
- 34 Documents
- 88 About Community
- 109 Security Highlight
