Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Zyxel. Show all posts

Zyxel Updates NAS Devices to Fix Potential Security Flaw

Shaposhnikov Ilya alerted about a major security vulnerability, targeting Zyxel's network-attached storage (NAS) device. The vulnerability was identified as CVE-2022-3474 and the patches for the same were released. The vulnerability officially described as a 'format string vulnerability' affects Zyxel NAS326 firmware versions before V5.21(AAZF.12)C0 and has a CVSS score of 9.8/10.

An attacker could take advantage of the issue by sending specially created UDP packets to vulnerable products. The firm said in an alert that a successful flaw exploit might allow a hacker to run whatever code they want on the vulnerable device.

Zyxel provided security upgrades in May 2022 to address a number of vulnerabilities impacting a variety of products, including firewall, AP, and AP controller products.

The following versions are affected by the flaw:
  • NAS326 (versions before V5.21(AAZF.11)C0)
  • NAS540 (versions prior to V5.21(AATB.8)C0), and
  • Prior to V5.21(ABAG.8)C0, NAS542
This revelation follows Zyxel's July patching of the CVE-2022-30526 and CVE-2022-2030 vulnerabilities impacting its firewall products, which affect local root access and authenticated directory traverse.

The four vulnerabilities with the command injection bug in some CLI commands classified as CVE-2022-26532 being the most critical are as follows: 
  • CVE-2022-0734: A cross-site scripting vulnerability was found in the CGI program of various firewall versions, which could let an attacker use a malicious script to access data stored in the user's browser, like cookies or session tokens.
  • CVE-2022-26531: Several erroneous input validation problems were discovered in several CLI commands of some firewall, AP controller, and AP versions that might let a local authorized attacker bring down the system or trigger a buffer overflow through the use of a specially crafted payload.
  • CVE-2022-26532: Certain firewall, AP controller, and AP versions contain the 'packet-trace' CLI command that contains a command injection vulnerability that might allow a local, authorized attacker to execute arbitrary OS instructions by providing specially crafted inputs to the function.
  • CVE-2022-0910: In the CGI program of various firewall versions, an authentication bypass issue resulting from a deficient access control mechanism has been discovered. An attacker may be able to use an IPsec VPN client to switch from two-factor verification to one-factor verification due to the bug.
A few days after QNAP issued a warning about a fresh wave of Deadbolt ransomware attacks aimed at its NAS consumers, Zyxel released its caution. 

In earlier assaults that exploited another critical-severity vulnerability resulting in remote code execution, a Mirai botnet variant targeted Zyxel NAD products.

Remote code execution flaws in NAS devices, which are frequently used to store massive amounts of data, might easily result in complete device compromise. NAS devices are frequently the target of ransomware assaults. 


Zyxel: Firewalls, Access Points, and Controllers are Vulnerable

 

Zyxel has issued a cybersecurity advisory alerting administrators about various vulnerabilities impacting a variety of firewall, access point, and access point controller products. 

While the flaws are yet not ascribed a high severity rating, the potential damage they can cause is something to be taken seriously as these flaws could be exploited by malicious attackers as an aspect of exploit chains. Moreover, Zyxel goods are used by large enterprises, and any exploitable faults in them attract threat actors right away. 

The most serious of the four flaws is a command injection problem in various CLI commands, which is classified as CVE-2022-26532 (CVSS v3.1 7.8):

  • CVE-2022-0734: A cross-site scripting vulnerability has been discovered in the CGI, which could allow a malicious script to access information stored in the user's browser, such as cookies. 
  • CVE-2022-26531: A locally authenticated attacker might utilize a system crash by exploiting several erroneous input validation issues in various CLI commands of some firewall, AP controller, and AP versions. 
  • CVE-2022-26532: A command injection vulnerability in some firewall, AP controller, and AP versions' "packet-trace" CLI command might enable a local authorized attacker to execute arbitrary OS instructions by passing crafted parameters to the command. 
  • CVE-2022-0910: An attacker might use an IPsec VPN client to downgrade from two-factor authentication to one-factor authentication. 

While Zyxel has released software updates for firewalls and access points, the only way to get a hotfix for AP controllers affected by CVE-2022-26531 and CVE-2022-26532 is to contact the local Zyxel support teams. 

The news comes as a major command injection hole in select Zyxel firewalls; CVE-2022-30525, CVSS score: 9.8) has been actively exploited, forcing the US Cybersecurity and Infrastructure Security Agency to add the vulnerability to its Recorded Exploited Vulnerabilities Database.

Log4j Attack Target SolarWinds and ZyXEL

 

According to reports published by Microsoft and Akamai, cybercriminals are targeting SolarWinds devices with the Log4Shell vulnerability, and ZyXEL is known to use the Log4j library in their software.

Attacks have been reported on SolarWinds and ZyXEL devices using the log4j library, according to Microsoft and Akamai reports. CVE-2021-35247 has been assigned to the vulnerability, which has been paired with a zero-day in the SolarWinds Serv-U file-sharing service.

According to Microsoft's Threat Intelligence Center (MSTIC), the SolarWinds vulnerability, dubbed CVE-2021-35247, is a data validation hole that might allow attackers to compose a query based on some data and send it across the network without sanitizing. 

Jonathan Bar-Or, a Microsoft security researcher, is credited with identifying the flaw, which affects Serv-U versions 15.2.5 and earlier. In Serv-U version 15.3, SolarWinds patched the vulnerability. "A closer look helped discover the feed Serv-U data and it generates an LDAP query using the user unsanitized input!" he claimed. Not only might this be included in log4j attacks but it also is used for LDAP injection. 

SolarWinds claimed in its advisory, the Serv-U online log-in screen for LDAP authentication is  permitting symbols that are not appropriately sanitized and it had modified the input method "to do further validation and sanitization." The attacker cannot log in to Serv-U, according to a SolarWinds official, and the Microsoft researcher is referring to failed attempts because Serv-U doesn't use Log4J code. 

The unverified remote code execution (RCE) vulnerability in Log4j – identified as CVE-2021-44228 – has also been repurposed to infect and assist in the dissemination of malware used for the Mirai botnet by targeting Zyxel networking equipment, according to Akamai researchers. When researchers intended to access the Java payload class, the LDAP server in which the exploit was located was no longer active. It's claimed that Zyxel was particularly singled out since published an article claiming to have been hit by the log4j flaw. 

The scenario surrounding the Log4Shell breach has remained unchanged since last month, and threat actors looking to get access to corporate networks continue to target and exploit the vulnerability. Threat actors including ransomware gangs, nation-state cyber-espionage groups, crypto-mining gangs, initial access brokers, and DDoS botnets have all been reported to have exploited the vulnerability in the past. Although the Apache Software Foundation has issued patches for the Log4j library, threats against applications using it are likely to persist because not all of these apps have published a set of security updates, abandoning many systems vulnerable and creating a breeding soil for exploitation that will last for years.

Zyxel Warns Customers About Hackers Targeting its Firewalls & VPN Devices

 

Zyxel, a manufacturer of enterprise routers and VPN devices, has issued a notification that attackers are targeting its devices and changing configurations to gain remote access to a network. 

According to Zyxel, the attacks targeted the USG, ZyWALL, USG FLEX, ATP, and VPN series using on-premise ZLD firmware. All are multi-purpose networking devices that the company sells to enterprise customers as systems that include VPN, firewall, and load balancing. 

The company stated in an email, “We recently became aware of a sophisticated threat actor targeting a small subset of Zyxel security appliances that have remote management or SSL VPN enabled.” 

As per the vendor's information, the attacks appear to follow the following pattern: The threat actor tries to access a device through WAN, if successful, the threat actor bypasses the authentication and establishes SSL VPN tunnels with unknown user accounts, such as “zyxel slIvpn”, “zyxel ts”, or “zyxel vpn test”, to change the device's configuration. 

Zyxel spokespersons in the United States and the United Kingdom have not responded to requests for additional information. 

At the time of writing, it is unknown whether the attacker is targeting unpatched devices using an existing vulnerability or a never-before-seen flaw known as a "zero-day" in cyber-security circles. It's also unclear whether the assaults have already resulted in security breaches at any of Zyxel's customers or if the vendor discovered the attack early with honeytraps and is now alerting clients ahead of a potentially larger wave of incoming attacks. Despite this, the vendor appears to feel that the attacks may be avoided. 

As per the research, The Record experts advised maintaining a proper security policy for remote access is currently the most effective way to reduce the attack surface and certain points must be noted: 

1. Unless you must manage devices from the WAN side, disable HTTP/HTTPS services from WAN. 
2. If you still need to manage devices from the WAN side: 
• enable Policy Control and add rules to only allow access from trusted source IP addresses; and 
• enable GeolP filtering to only allow access from trusted locations. 

The attacks against Zyxel devices come after a series of similar attacks on a variety of VPN devices, which provide a convenient way for remote attackers to get persistent access to a corporate network. 

Over the past years, Pulse Secure, Palo Alto Networks, Fortinet, Citrix, Cisco, Sonicwall, Sophos, and F5 Networks have all been targeted by a series of attacks on their firewalls, DNS servers, and load balancers. Cyber-espionage and financially motivated groups that seek to steal sensitive information frequently target these devices.

Top VPN Provider Zyxel Hacked, Here's a Quick Look into the Security Incident

 

Technology and networking have turned out to be the need of the hour and we must also be equally qualified to operate networking devices. One such innovation-oriented and customer-focused company is Zyxel. The network equipment company offers routers, gateways, security solutions along with several other services to make communication simpler and uninterrupted. One of the company's main services also includes providing VPN services to its patrons. Recently, the aforesaid communications corp. became a swift target for hackers because of undetected flaws in the networking devices and their VPN. 

Headquartered in Hsinchu, Taiwan Zyxel is a networking hardware company, focused on providing devices with eHome Shield that is geared up by F-Secure to give lasting protection against cybercriminals worldwide and other potential threats as well. It's a wide known fact how hackers employ specialized programming to easily break through the firewall of networking devices and access the other smart home gadgets and devices running on the compromised connection – for instance, Smart TVs, Mobile Phones, Laptops, etc. 

A while ago, an association of some cybersecurity researchers of a Dutch firm named 'Eye Control' discovered a prospective damaging the security of the system and a popular VPN solution and networking agency, Zyxel, making it more vulnerable. 

Although Zyxel has produced and transported some hundred thousand highly encrypted devices with zero percent of compromising security still it malfunctioned. This vulnerability was later confirmed by the firm itself. 

Now the question that arises is what happened and how did the hackers manage to enter the encrypted system of such a big firm with ease? 

According to the cybersecurity researchers, the backdoor account of Zyxel devices and VPN uses a username and password that were completely visible in the plain text within the Zyxel system binaries, that were running firmware version 4.60, patch 0. These credentials allowed hackers to completely access the confidential information of the users of Zyxel devices. 

After further investigation, the team of researchers concluded that the hundred thousand devices that were affected by the vulnerability were because of the latest version of the firmware update 4.60, patch 0. The Zyxel devices affected by the vulnerability included the Advanced Threat Protection series of devices, the company’s NCX series of devices, its VPN of Gateways, and a few more. 

The company has already issued new patches for the Advanced Threat Protection series (ATP), Unified Security Gateway (USG), USG Flex, and VPN series. Alongside, it has also affirmed that it would release another patch for the remaining compromised devices like the WLAN access point controller, NCX series, etc., and will launch its new update around April for better fixation of devices and safety. Till then it has requested its consumers to download the available new patches with the latest updates for the devices to ensure their safety.