A researcher at Dutch security firm EYE has discovered a critical vulnerability in Zyxel’s firewall and VPN gateways, as a result of exposed credentials.
Zyxel sells a line of popular firewall and VPN gateway devices. Niels Teusink, a researcher with EYE, discovered a major issues that leaves over 100,000 devices vulnerable.
When doing some research (rooting) on my Zyxel USG40, I was surprised to find a user account ‘zyfwp’ with a password hash in the latest firmware version (4.60 patch 0). The plaintext password was visible in one of the binaries on the system. I was even more surprised that this account seemed to work on both the SSH and web interface.
Teusink goes on to highlight why this vulnerability is so dangerous.
As the zyfwp user has admin privileges, this is a serious vulnerability. An attacker could completely compromise the confidentiality, integrity and availability of the device. Someone could for example change firewall settings to allow or block certain traffic. They could also intercept traffic or create VPN accounts to gain access to the network behind the device. Combined with a vulnerability like Zerologon this could be devastating to small and medium businesses.
Teusink recommends updating to the latest firmware version immediately.