In A 2021 Report, What Is The Backdoor Password Found In Zyxel Firewalls And VPN Gateways?
Modified: September 5, 2024
Overview of the Vulnerability
In January 2021, a significant security vulnerability was discovered in Zyxel firewalls, VPN gateways, and access point controllers. This vulnerability, tracked as CVE-2020-29583, involves a hardcoded backdoor account that can grant attackers root-level access to these devices. The backdoor account, with the username ‘zyfwp’ and the password ‘PrOwaN_fXp’, was found to be stored in cleartext within the firmware binaries of affected Zyxel products.
Affected Devices and Firmware
The vulnerability affects a wide range of Zyxel products, including:
- Unified Security Gateway (USG)
- Advanced Threat Protection (ATP)
- USG FLEX
- VPN series
These devices are commonly used in enterprise and government networks to control access to intranets and internal networks from remote locations. The affected firmware version is ZLD V4.60, released in November 2020. Zyxel released ZLD V4.60 Patch 1 on December 18, 2020, to address this critical vulnerability.
Impact and Exploitation
The discovery of this backdoor account has significant implications for network security. Threat actors, ranging from DDoS botnet operators to state-sponsored hacking groups and ransomware gangs, can exploit this vulnerability to gain unauthorized access to vulnerable devices. Once inside, attackers can pivot to internal networks for further attacks, potentially leading to data breaches or system compromise.
Detection and Mitigation
Patching the Vulnerability
Patching is the most effective way to mitigate this vulnerability. Zyxel has made patches available for the affected devices, including the ATP, USG, USG FLEX, and VPN series. For the NXC series, patches are expected in April 2021. Device owners should update their systems as soon as possible to remove the backdoor account and prevent exploitation by malicious actors.
Practical Steps for Users
Given the severity of this vulnerability, users of Zyxel firewalls and VPN gateways must take immediate action to secure their devices. Here are some practical steps:
- Update Firmware: Ensure that all affected devices are running the latest patched firmware version. For devices running ZLD V4.60, update to ZLD V4.60 Patch 1 or later.
- Disable Remote Access: Temporarily disable remote access via SSH or HTTPS to prevent unauthorized access. This may impact the functionality of SSL VPN services, but it is a necessary measure until patches are applied.
- Monitor for Malicious Activity: Implement monitoring tools and Sigma rules to detect any suspicious activity related to the backdoor account.
- Change Default Passwords: Even after patching, it is advisable to change the default passwords for all administrative accounts to prevent future exploitation.
- Regular Audits: Conduct regular security audits to identify and address any potential vulnerabilities in network devices.
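The monitoring step above boils down to two checks: flag any authentication event that names the backdoor account, and flag any device still reporting the affected firmware build. The following is an added example of both checks, written for this article rather than taken from Zyxel or any Sigma rule; the log lines are constructed in a generic key=value syslog layout, and the field names, the `fw01` hostname and the addresses are assumptions.

```python
import re
from dataclasses import dataclass

# Backdoor account name from the CVE-2020-29583 advisory this article summarises.
BACKDOOR_USER = "zyfwp"

# Constructed sample lines in a generic key=value syslog layout; this is NOT
# real Zyxel log output and the field names are assumptions for the example.
SAMPLE_LOGS = """\
Jan 04 10:12:01 fw01 auth: user=admin src=192.0.2.10 service=https result=success
Jan 04 10:13:44 fw01 auth: user=zyfwp src=198.51.100.7 service=ssh result=success
Jan 04 10:14:02 fw01 auth: user=ZYFWP src=198.51.100.7 service=https result=failure
Jan 04 10:15:30 fw01 auth: user=jsmith src=192.0.2.11 service=sslvpn result=success
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) auth: "
    r"user=(?P<user>\S+) src=(?P<src>\S+) service=(?P<svc>\S+) result=(?P<res>\S+)$"
)

@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    source_ip: str
    service: str
    succeeded: bool

def scan_auth_logs(lines):
    """Return one Alert per authentication event naming the backdoor account.
    Failed attempts are reported too: they show someone is probing for it."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["user"].lower() == BACKDOOR_USER:
            alerts.append(Alert(m["ts"], m["host"], m["src"], m["svc"],
                                m["res"] == "success"))
    return alerts

def firmware_is_vulnerable(version: str) -> bool:
    """True for ZLD V4.60 without Patch 1 or later, the affected build the
    article names; any other recognised version string is treated as not affected."""
    m = re.match(r"^ZLD\s+V(\d+)\.(\d+)(?:\s+Patch\s+(\d+))?$", version.strip(), re.I)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    return (major, minor) == (4, 60) and patch < 1
```

Against the sample, `scan_auth_logs` raises two alerts (one successful SSH login, one failed HTTPS attempt from the same source), and `firmware_is_vulnerable("ZLD V4.60")` is true while the Patch 1 build is not.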
Historical Context
This is not the first backdoor found in Zyxel devices. In 2016, a similar mechanism was discovered and tracked as CVE-2016-10401: it allowed attackers to elevate any account on a Zyxel device to root level using the hardcoded password ‘zyad5001’. The recurrence of such vulnerabilities highlights the importance of thorough security audits and regular firmware updates to prevent similar incidents in the future.
Conclusion
The discovery of the hardcoded backdoor account in Zyxel firewalls and VPN gateways serves as a stark reminder of the importance of robust security measures in network devices. The ease with which this vulnerability can be exploited underscores the need for timely updates and rigorous security testing. By taking immediate action to patch affected devices and implementing additional security measures, users can significantly reduce the risk of their networks being compromised by malicious actors. As the cybersecurity landscape continues to evolve, manufacturers and users alike must remain vigilant and proactive in addressing potential vulnerabilities to ensure the integrity and security of their networks.