Zyxel security advisory for attacks against security appliances

Summary

Zyxel has been tracking the recent activity of threat actors targeting Zyxel security appliances and has released firmware patches to defend against it. Users are advised to install the patches for optimal protection.

 

What is the issue?

Based on our investigation, the threat actors attempt to access a device through the WAN; if successful, they then try to log in with stolen, valid credentials or bypass authentication, and establish SSL VPN tunnels with existing or newly created user accounts, such as “zyxel_sllvpn”, “zyxel_ts”, or “zyxel_vpn_test”, to manipulate the devices’ configuration.

Zyxel has been collaborating with third-party security researchers to track the threat actors' activities. Based on our investigation, they could be abusing a combination of attack vectors, including:

  • Valid user credentials that they had previously harvested by exploiting previously known vulnerabilities (potentially CVE-2020-9054 or CVE-2020-29583, which were completely fixed in March and December 2020, respectively). We've observed the threat actors logging in using legitimate user-defined credentials with admin privileges, and in some cases they also created new admin accounts.
  • A newly uncovered authentication bypass vulnerability, tracked as CVE-2021-35029, in which input strings were not properly sanitized, which could allow an adversary to gain access.
 

What versions are vulnerable, and what should you do?

Zyxel security appliances with remote management or SSL VPN enabled are vulnerable, namely those that are in the USG/ZyWALL, USG FLEX, ATP, and VPN series and running specific versions of the on-premise ZLD firmware. Those running the Nebula cloud management mode are NOT affected.

Zyxel has released standard firmware patches that remain the definitive solution to the issues for the affected models, as listed in the table below. The patches also include additional security enhancements based on users’ feedback and security researchers' advice, which we strongly recommend users install immediately for optimal network protection.

In addition, we strongly suggest that users follow general security best practices, as stated in this article, and perform security audits regularly. We have included a few new features and reminders in the firmware patches to guide users to complete these steps.

| Affected product series | Affected firmware version | Patch available in |
|---|---|---|
| USG/ZyWALL series | ZLD V4.35 to ZLD V4.64 | ZLD V4.65 on July 6, 2021 |
| USG FLEX series | ZLD V4.35 to ZLD V5.01 | ZLD V5.02 on July 6, 2021 |
| ATP series | ZLD V4.35 to ZLD V5.01 | ZLD V5.02 on July 6, 2021 |
| VPN series | ZLD V4.35 to ZLD V5.01 | ZLD V5.02 on July 6, 2021 |
 

If a product is not listed, it is not affected. Contact your local Zyxel support team if you require further assistance.
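A triage check built from the affected-version table and the account names reported above, added here as an example and not Zyxel's own tooling. The inventory records, their field names and the `APPROVED_ADMINS` baseline are constructed assumptions; adapt them to whatever your asset inventory exports.

```python
import re

# Affected ZLD ranges per series (inclusive), copied from the advisory table.
_V5 = ((4, 35), (5, 1))
AFFECTED = {"USG/ZyWALL": ((4, 35), (4, 64)), "USG FLEX": _V5, "ATP": _V5, "VPN": _V5}
# Account names the advisory reports on targeted devices.
INDICATOR_ACCOUNTS = {"zyxel_sllvpn", "zyxel_ts", "zyxel_vpn_test"}
APPROVED_ADMINS = {"admin", "netops"}  # assumption: the site's own admin baseline

def parse_zld(text):
    """Turn a string such as 'ZLD V4.35' or 'V5.01' into (major, minor)."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def triage(dev):
    """Return the findings for one inventory record."""
    findings = []
    # Per the advisory: on-premise ZLD with remote management or SSL VPN enabled.
    exposed = dev["remote_mgmt"] or dev["ssl_vpn"]
    if dev["series"] in AFFECTED and dev["mode"] != "nebula" and exposed:
        low, high = AFFECTED[dev["series"]]
        if low <= parse_zld(dev["firmware"]) <= high:
            findings.append("affected firmware, install the patched release")
    names = {u.lower() for u in dev["users"]}
    hits = sorted(names & INDICATOR_ACCOUNTS)
    if hits:
        findings.append("indicator account(s): " + ", ".join(hits))
    # The advisory also reports newly created admin accounts; compare to the baseline.
    extra = sorted(u.lower() for u, role in dev["users"].items()
                   if role == "admin" and u.lower() not in APPROVED_ADMINS | INDICATOR_ACCOUNTS)
    if extra:
        findings.append("unapproved admin account(s): " + ", ".join(extra))
    return findings

# Constructed sample inventory; the field names are assumptions, not a Zyxel export format.
INVENTORY = [
    {"name": "fw-branch", "series": "USG FLEX", "firmware": "ZLD V5.01", "mode": "on-premise",
     "remote_mgmt": True, "ssl_vpn": False, "users": {"admin": "admin", "zyxel_ts": "admin"}},
    {"name": "fw-hq", "series": "ATP", "firmware": "ZLD V5.02", "mode": "on-premise",
     "remote_mgmt": True, "ssl_vpn": True, "users": {"admin": "admin", "support2": "admin"}},
    {"name": "fw-cloud", "series": "VPN", "firmware": "ZLD V4.60", "mode": "nebula",
     "remote_mgmt": True, "ssl_vpn": True, "users": {"admin": "admin"}},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        for finding in triage(dev):
            print(f"{dev['name']}: {finding}")
```

A device that reports an indicator or unapproved admin account should be reviewed even if its firmware is already patched, since the accounts persist across upgrades.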

 

Got a question?

Please contact your local service rep for further information or assistance. If you've found a vulnerability, we want to work with you to fix it; contact security@zyxel.com.tw and we'll get right back to you.

 

Acknowledgment

Thanks to the Spike Reply Cyber Security Team for working with us to investigate and fix this issue.

 

Revision history

2021-07-07: Initial release