Over 100,000 Zyxel networking products could be vulnerable to a hardcoded-credential vulnerability (CVE-2020-29583) that potentially allows cyber-criminals to take over the devices.
Security experts warned that hackers are increasing attempts to exploit a high-severity vulnerability that may still exist in over 100,000 Zyxel Communications products.
Zyxel, a Taiwanese manufacturer of networking devices, warned of the flaw in its firmware (CVE-2020-29583) on Dec. 23 and released patches to address the issue. Zyxel devices are generally used by small businesses as firewalls and VPN gateways.
This week, several security researchers have seen “opportunistic exploitation” of Zyxel devices that have not yet received updates addressing this vulnerability.
“Likely due to the holidays, and maybe because Niels Teusink, who discovered the flaw, did not initially publish the actual password, widespread exploitation via ssh has not started until now,” wrote Johannes Ullrich of the SANS Internet Storm Center (ISC) in a Wed. analysis. “But we are now seeing attempts to access our ssh honeypots via these default credentials.”
Ullrich observed that the scans started on Mon. afternoon from a single IP (184.108.40.206), and that scans from other IPs (220.127.116.11, 18.104.22.168) joined during the week.
“The initial IPs scanning for this are all geo-locating back to Russia,” Ullrich outlined. “But other than that, they are not specifically significant. Some of these IPs have been involved in similar internet wide scans for vulnerabilities before so they are likely part of some criminal’s infrastructure.”
The vulnerability stems from Zyxel devices containing an undocumented account (called zyfwp) with an unchangeable password, which can be found in cleartext in the firmware, according to Niels Teusink of EYE, who discovered the flaw and published his analysis in tandem with Zyxel’s Dec. advisory.
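Because the account name (zyfwp) is the one constant in every exploitation attempt, the scanning Ullrich describes is straightforward to spot in SSH authentication logs, and a successful login for that account on a real device is a compromise indicator rather than a scan. The script below is an added example, not code from the article, SANS ISC, EYE or Zyxel. It assumes OpenSSH-style auth.log lines, such as an SSH honeypot or a Linux jump host would write (Zyxel's own device logs use a different layout, so the regex would need adapting); the sample lines and the RFC 5737 addresses in them are constructed, and the script deliberately contains no password.

```python
import re
from collections import Counter

# Undocumented account named in the Zyxel advisory and EYE's write-up (CVE-2020-29583).
HARDCODED_ACCOUNT = "zyfwp"

# Assumed log format: OpenSSH-style syslog lines as found in auth.log.
# Real Zyxel device logs look different; adjust the pattern for those sources.
_SSH_AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<outcome>Accepted|Failed)\s+(?P<method>password|publickey)\s+for\s+"
    r"(?:invalid user\s+)?(?P<user>\S+)\s+from\s+(?P<ip>[\d.]+)\s+port\s+(?P<port>\d+)"
)


def parse_ssh_auth(lines):
    """Yield one dict per parsable sshd authentication line; silently skip the rest."""
    for line in lines:
        m = _SSH_AUTH_RE.match(line.strip())
        if m:
            yield m.groupdict()


def zyfwp_attempts(lines):
    """Return only the authentication events that target the hardcoded account."""
    return [ev for ev in parse_ssh_auth(lines) if ev["user"] == HARDCODED_ACCOUNT]


def summarize(lines):
    """Count zyfwp login attempts per source IP and list sources that got in.

    On a honeypot, any hit means the source is scanning for CVE-2020-29583.
    On a production host, an 'Accepted' outcome for this account means the
    device should be treated as compromised, not merely probed.
    """
    events = zyfwp_attempts(lines)
    per_source = Counter(ev["ip"] for ev in events)
    successful = sorted({ev["ip"] for ev in events if ev["outcome"] == "Accepted"})
    return {"attempts_by_source": dict(per_source), "successful_from": successful}


# Constructed sample log (not real honeypot data); addresses are from the
# RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jan  4 14:02:11 honeypot sshd[2231]: Failed password for root from 203.0.113.9 port 40122 ssh2
Jan  4 14:02:15 honeypot sshd[2234]: Failed password for invalid user zyfwp from 203.0.113.9 port 40130 ssh2
Jan  4 14:02:16 honeypot sshd[2234]: Failed password for invalid user zyfwp from 203.0.113.9 port 40130 ssh2
Jan  4 14:05:40 honeypot sshd[2260]: Failed password for invalid user zyfwp from 198.51.100.77 port 55012 ssh2
Jan  4 14:09:03 honeypot sshd[2299]: Accepted password for zyfwp from 198.51.100.77 port 55100 ssh2
Jan  4 14:09:10 honeypot sshd[2301]: Failed password for admin from 192.0.2.44 port 33001 ssh2
"""

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for ip, n in sorted(report["attempts_by_source"].items()):
        print(f"{ip}: {n} attempt(s) against account {HARDCODED_ACCOUNT}")
    for ip in report["successful_from"]:
        print(f"ALERT: successful {HARDCODED_ACCOUNT} login from {ip}")
```

Run it against a real auth.log with `summarize(open("/var/log/auth.log"))`; the per-source counts are what you would feed a blocklist, while anything in `successful_from` warrants an incident response rather than a firewall rule.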
The flaw, which has a CVSS score of 7.8 out of 10 (high severity), could be exploited by attackers to log in with administrative privileges and ultimately take over affected devices.
From an attacker’s perspective, this would give cyber-criminals the ability to adjust firewall rules, run malicious code on the devices or launch machine-in-the-middle attacks, Ullrich explained.
“This can easily be leveraged to compromise workstations protected by the firewall,” he said. “The only limit is the creativity of the attacker.”
The number of devices currently open to attack cannot be pinpointed precisely; however, according to Teusink, more than 100,000 Zyxel devices globally expose their web interface to the internet.
Furthermore, “in our experience, most users of these devices will not update the firmware very often,” commented Teusink. “Zyxel devices do not expose their firmware version to unauthenticated users, so determining if a device is vulnerable is a bit more difficult.”
Teusink did not reveal the unchangeable password in his analysis; however, it did not take long for the hardcoded credentials to be distributed publicly on Twitter.
Embedded tweet: “Zyxel undocumented account (CVE-2020-29583) details”, posted by dozer (@dozernz) on December 31, 2020.
Affected Zyxel devices include its ATP firewall series, Unified Security Gateway (USG) series and VPN series, for which a patch became available in Dec. 2020. Also affected are the NXC2500 and NXC5500, two devices in Zyxel’s lineup of wireless LAN controllers, which will not receive a patch until Jan. 8, 2021.
Firewalls & Gateways
Ullrich stated that patching firewalls and gateways is always “tricky,” especially if the patching must be done remotely. Another issue is that “due to the holidays, the initial announcement by Zyxel was also somewhat overlooked,” he noted.
Security experts’ advice for potentially affected users? “Update now,” emphasised Ullrich.
He commented that consumers or businesses using any kind of firewall, gateway or router, regardless of vendor, should limit the exposure of the administrative interface.
“Avoid exposing web-based admin interfaces,” observed Ullrich. “Secure ssh access best you can (public keys…). In the case of a hidden admin account, these measures will likely not help, but see if you can disable password authentication. Of course, sometimes, vendors choose to hide ssh keys instead of passwords.”
CVE-2020-29583 is only the latest security issue to trouble Zyxel.
In Mar. 2020, researchers warned that Zyxel’s Cloud CNM SecuManager software contained 16 unpatched vulnerabilities that could open the door to hackers.
That month, the Mirai botnet was found attacking Zyxel network-attached storage (NAS) devices using a critical vulnerability in the devices. In April 2020, the Hoaxcalls botnet was found spreading via an unpatched vulnerability impacting the ZyXEL Cloud CNM SecuManager.