In a report by Niels Teusink, a researcher at the Dutch cybersecurity firm EYE, more than 100,000 Zyxel firewall and VPN gateway devices worldwide were found to expose their web interface to the internet.
The cause is a backdoor account, 'zyfwp', which Teusink discovered in the latest firmware version of some Zyxel devices. Its password is stored in plaintext in one of the binaries on the system, and because the account has admin privileges the exposure is serious. According to Teusink, the account works on both the SSH and web interfaces.
Teusink added that because SSL VPN on these devices runs on the same port as the web interface, many users have exposed port 443 of these devices to the internet.
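As an added illustration of how a defender might watch for the exposure described above (this is not code from the report or from Zyxel): the script below scans constructed syslog-style authentication lines for any interactive SSH or web login by the hardcoded account, and for successful management logins from outside RFC1918 space. The log format, hostname and addresses are assumptions made for this example.

```python
import ipaddress
import re

# Constructed, syslog-style authentication events for illustration only.
# The real Zyxel log format is not shown on the page and is assumed here.
SAMPLE_LOGS = [
    "2020-12-24T08:01:12Z fw1 auth: user=admin src=192.168.1.20 service=https result=success",
    "2020-12-24T08:03:45Z fw1 auth: user=zyfwp src=203.0.113.77 service=ssh result=success",
    "2020-12-24T08:04:02Z fw1 auth: user=zyfwp src=203.0.113.77 service=https result=success",
    "2020-12-24T08:05:30Z fw1 auth: user=operator src=198.51.100.9 service=https result=failure",
    "2020-12-24T08:06:11Z fw1 auth: user=zyfwp src=10.0.0.5 service=ftp result=success",
]

LINE_RE = re.compile(r"user=(?P<user>\S+) src=(?P<src>\S+) service=(?P<svc>\S+) result=(?P<res>\S+)")
BACKDOOR_USERS = {"zyfwp"}            # hardcoded account named in the report
INTERACTIVE_SERVICES = {"ssh", "http", "https"}   # the account works on SSH and the web UI
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(src):
    """True when the source address falls inside RFC1918 space (explicit check:
    ipaddress.is_private also treats documentation ranges as private)."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Extract the fields we care about; return None for lines that do not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def find_suspicious(lines):
    """Return (rule, user, src, service) alerts.
    Rule 1: any SSH/web use of the hardcoded account is suspicious, since the
            account was meant for FTP firmware delivery, not interactive logins.
    Rule 2: a successful SSH/web management login from a non-RFC1918 address
            indicates the interface is reachable from the internet."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["user"] in BACKDOOR_USERS and ev["svc"] in INTERACTIVE_SERVICES:
            alerts.append(("backdoor-account-login", ev["user"], ev["src"], ev["svc"]))
        elif ev["res"] == "success" and ev["svc"] in INTERACTIVE_SERVICES and not is_internal(ev["src"]):
            alerts.append(("external-admin-login", ev["user"], ev["src"], ev["svc"]))
    return alerts
```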
“An attacker could completely compromise the confidentiality, integrity and availability of the device. Someone could for example change firewall settings to allow or block certain traffic. They could also intercept traffic or create VPN accounts to gain access to the network behind the device”, said Teusink.
EYE reported the vulnerability to the Zyxel security team last November 29, and Zyxel removed the vulnerable firmware version from its site last December.
According to an advisory from Zyxel, the hardcoded credential in the "zyfwp" user account of some Zyxel firewalls and AP controllers was intended to deliver automatic firmware updates to connected access points over FTP.
Zyxel urges its users to install the applicable updates for optimal protection; it released patches for its Advanced Threat Protection (ATP), Unified Security Gateway (USG), USG FLEX and VPN firewall products last month. For the affected Access Point (AP) controllers, Zyxel plans to release corresponding patches in April 2021.
In 2016, some Zyxel devices also shipped with a secret backdoor mechanism that allowed anyone to elevate any account on the device to root using a super-user password.
According to ZDNet, the 2016 backdoor required attackers to first have access to a low-privileged account on a Zyxel device, which they could then elevate to root, whereas the 2020 backdoor is worse because it grants attackers direct access to the device without any special conditions.