February 26, 2020

On Monday, networking hardware maker Zyxel released security updates to plug a critical security hole in its network attached storage (NAS) devices that is being actively exploited by crooks who specialize in deploying ransomware. Today, Zyxel acknowledged the same flaw is present in many of its firewall products.

This week’s story on the Zyxel patch was prompted by the discovery that exploit code for attacking the flaw was being sold in the cybercrime underground for $20,000. Alex Holden, the security expert who first spotted the code for sale, said at the time the vulnerability was so “stupid” and easy to exploit that he wouldn’t be surprised to find other Zyxel products were similarly affected.

Now it appears Holden’s hunch was dead-on.

“We’ve now completed the investigation of all Zyxel products and found that firewall products running specific firmware versions are also vulnerable,” Zyxel wrote in an email to KrebsOnSecurity. “Hotfixes have been released immediately, and the standard firmware patches will be released in March.”

The updated security advisory from Zyxel states the exploit works against its UTM, ATP, and VPN firewalls running firmware version ZLD V4.35 Patch 0 through ZLD V4.35 Patch 2, and that those with firmware versions before ZLD V4.35 Patch 0 are not affected.

Zyxel’s new advisory suggests that some affected firewall product won’t be getting hotfixes or patches for this flaw, noting that the affected products listed in the advisory are only those which are “within their warranty support period.”

Indeed, while the exploit also works against more than a dozen of Zyxel’s NAS product lines, the company only released updates for NAS products that were newer than 2016. Its advice for those still using those unsupported NAS devices? “Do not leave the product directly exposed to the internet. If possible, connect it to a security router or firewall for additional protection.”

Hopefully, your vulnerable, unsupported Zyxel NAS isn’t being protected by a vulnerable, unsupported Zyxel firewall product.

CERT’s advisory on the flaw rate this vulnerability at a “10” — its most severe. My advice? If you can’t patch it, pitch it. The zero-day sales thread first flagged by Holden also hinted at the presence of post-authentication exploits in many Zyxel products, but the company did not address those claims in its security advisories.

Recent activity suggests that attackers known for deploying ransomware have been actively working to test the zero-day for use against targets. Holden said the exploit is now being used by a group of bad guys who are seeking to fold the exploit into Emotet, a powerful malware tool typically disseminated via spam that is frequently used to seed a target with malcode which holds the victim’s files for ransom.

“To me, a 0day exploit in Zyxel is not as scary as who bought it,” he said. “The Emotet guys have been historically targeting PCs, laptops and servers, but their venture now into IoT devices is very disturbing.”


23 thoughts on “Zyxel 0day Affects its Firewall Products, Too

  1. BobbyG

    Has to be telnet with default credentials or something equally stupid

  2. The Sunshine State

    So today’s lesson is not to buy Zyxel firewalls and use manufactures like Cisco or Sonic Wall (Dell)

    1. JCitizen

      Checkpoint – better service, better performance – better support. WAY easier to configure. Automated attack diagnostics.

      No body pays me, so I am not a shill for anybody.

      1. Dave

        Even better – use open source products that can be installed on standard hardware, like pfSense and openSense.

        1. SeymourB

          At the very least get hardware that supports multiple OS options, so if you get fed up with the OEM or another vendor, you can simply wipe & reload someone else’s product on your existing hardware.

          Doesn’t really help people who’d buy bottom-of-the-barrel-cheap NAS products, though cheap firewalls usually have options if you plan ahead and get a model supported by third parties.

  3. M0nk3y

    LOL you don’t think Cisco has had any vulnerabilities? All those vendors have to deal with same issues… nothing new here.

    1. The Sunshine State

      Anything connected to the internet has some type of vulnerabilities at times. In regards to this article , you just have to choose which appliance or router has the best firewall capabilities verses the risk of deploying it over time with regards to being vulnerable to some type of intrusion.

      1. security vet

        …all, repeat ALL, h/w and s/w is designed and built by humans – it has bugs, some discovered, most not…anyone that thinks otherwise is foolish at best…

    2. Dave

      The key quote here is:

      “Zyxel’s new advisory suggests that some affected firewall product won’t be getting hotfixes or patches for this flaw, noting that the affected products listed in the advisory are only those which are ‘within their warranty support period.'”

      Even Microsoft has issued emergency patches for critical vulnerabilities in out of warranty products like XP, which is 20 years old.

  4. Nobby Nobbs

    I’d see it more as a “don’t buy from anyone who doesn’t support their product…”

    And maybe a bit of “don’t put all your eggs in one manufacturer’s basket.”

  5. Dennis

    “Do not leave the product directly exposed to the internet.”

    Oh yeah, that’s a great advice if I bought a FIREWALL product from you 🙂

    PS. What’s the opposite term to firewall? Fire-sieve.

  6. Macer

    Does this not affect USG line? Or had it just not yet been tried?

  7. Arkelex

    Hot damn, I miss the days when hacking was just some dude in Call of Duty running around insta killing everybody.

  8. Readership1

    I wish hackers had more pro-society goals. Information liberation, for example.

    It might be nice to see actual coronavirus statistics coming out of China, instead of their fabrications. Or accurate information on all global quarantined persons and where they reside. Right now, few governments are telling the truth, I suspect.

    Instead, we have anti social hackers trying to make money through exploitation. Sad state of today’s hacking scene.

  9. KFritz

    Agree that the fine is too small–for these behemoths that’s just an annoying cost of business. IMLTHO, penalty needs to 3X to 10X larger. That would focus their attention.

Comments are closed.