Undocumented user account in Zyxel products (CVE-2020-29583)

By EYE

TL;DR: If you have a Zyxel USG, ATP, VPN, ZyWALL or USG FLEX you should update to the latest firmware version today. You can find the full list of affected devices here and the Zyxel advisory here.

Zyxel is a popular brand for firewalls that are marketed towards small and medium businesses. Their Unified Security Gateway (USG) product line is often used as a firewall or VPN gateway. As a lot of us are working from home, VPN-capable devices have been selling quite well lately.

When doing some research (rooting) on my Zyxel USG40, I was surprised to find a user account 'zyfwp' with a password hash in the latest firmware version (4.60 patch 0). The plaintext password was visible in one of the binaries on the system. I was even more surprised that this account seemed to work on both the SSH and web interface.

$ ssh [email protected]
Password: Pr*******Xp
Router> show users current
No: 1 Name: zyfwp Type: admin
(...)
Router>

The user is not visible in the interface and its password cannot be changed. I checked the previous firmware version (4.39) and although the user was present, it did not have a password. It seemed the vulnerability had been introduced in the latest firmware version. Even though older versions do not have this vulnerability, they do have others (such as this buffer overflow) so you should still update.

As SSL VPN on these devices operates on the same port as the web interface, a lot of users have exposed port 443 of these devices to the internet. Using publicly available data from Project Sonar, I was able to identify about 3.000 Zyxel USG/ATP/VPN devices in the Netherlands. Globally, more than 100.000 devices have exposed their web interface to the internet.

In our experience, most users of these devices will not update the firmware very often. Zyxel devices do not expose their firmware version to unauthenticated users, so determining if a device is vulnerable is a bit more difficult. We wanted to get an idea of the number of affected devices, but simply trying the password is not really an option (ethically and legally). Luckily, some JavaScript and CSS files can be requested from the web interface of these devices without authentication. These files seem to change with every firmware release, so hashing them gives a unique fingerprint of the vulnerable firmware version. We used this fingerprint to identify the firmware version of 1.000 devices in The Netherlands and found that around 10% of devices are running the affected firmware version. Zyxel does offer automatic updates, but these are not enabled by default. Luckily, we were able to find this vulnerability just a few weeks after it had been introduced, or the number of affected devices could have been much larger.
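As an added illustration of the fingerprinting approach described above (example code, not EYE's tooling), the following Python checks devices in your own inventory: it hashes the unauthenticated static assets and matches the result against a table built from devices whose firmware version is already known. The asset paths, sample file contents and the device address are constructed placeholders, since the post publishes none of them.

```python
import hashlib
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Constructed placeholders: the post names neither the asset paths nor the
# hashes, so build the real table from devices whose version you already know.
ASSET_PATHS = ["/placeholder/app.js", "/placeholder/theme.css"]
VULNERABLE_VERSIONS = {"4.60 patch 0"}

Fetch = Callable[[str], Optional[bytes]]  # path -> body, or None if not served


def fingerprint(fetch: Fetch) -> Optional[str]:
    """Join truncated SHA-256 digests of every unauthenticated asset.
    Returns None when any asset is missing, so partial matches never count."""
    digests = []
    for path in ASSET_PATHS:
        body = fetch(path)
        if body is None:
            return None
        digests.append(hashlib.sha256(body).hexdigest()[:16])
    return ":".join(digests)


def audit(fetch: Fetch, known: Dict[str, str]) -> Tuple[str, bool]:
    """Map a device's fingerprint to (firmware version, vulnerable flag)."""
    fp = fingerprint(fetch)
    if fp is None:
        return ("unreachable", False)
    version = known.get(fp, "unknown")
    return (version, version in VULNERABLE_VERSIONS)


def http_fetch(base_url: str, ctx: Optional[ssl.SSLContext] = None, timeout: float = 5) -> Fetch:
    """Fetcher for a live device; pass a context that trusts its self-signed cert."""
    def fetch(path: str) -> Optional[bytes]:
        try:
            with urllib.request.urlopen(base_url + path, timeout=timeout, context=ctx) as resp:
                return resp.read()
        except (urllib.error.URLError, OSError):
            return None
    return fetch


# Constructed sample assets standing in for two releases: the assets differ per
# release, which is what makes the fingerprint possible.
SAMPLE_ASSETS = {
    "4.60 patch 0": {ASSET_PATHS[0]: b"var build='460p0';", ASSET_PATHS[1]: b".nav{color:#000}"},
    "4.60 patch 1": {ASSET_PATHS[0]: b"var build='460p1';", ASSET_PATHS[1]: b".nav{color:#000}"},
}
KNOWN_FINGERPRINTS = {fingerprint(assets.get): ver for ver, assets in SAMPLE_ASSETS.items()}

if __name__ == "__main__":  # 192.0.2.1 is a documentation address, not a real device
    print(audit(http_fetch("https://192.0.2.1"), KNOWN_FINGERPRINTS))
```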

As the zyfwp user has admin privileges, this is a serious vulnerability. An attacker could completely compromise the confidentiality, integrity and availability of the device. Someone could for example change firewall settings to allow or block certain traffic. They could also intercept traffic or create VPN accounts to gain access to the network behind the device. Combined with a vulnerability like Zerologon this could be devastating to small and medium businesses.

Because of the seriousness of the vulnerability and it being so easy to exploit, we have decided not to release the password for this account at this time. We do expect others to find and release it, which is why we suggest you install the updated firmware as soon as possible.

I quickly sent out a mail to Zyxel to report the undocumented user account. According to Zyxel, the account was designed to deliver automatic firmware updates for access points via FTP. They released a fixed firmware version less than two weeks later. You can find the release notes for the USG40 here.

This is the entry in the release notes that describes this vulnerability:

[BUG FIX][CVE-2020-29583]
a. Vulnerability fix for undocumented user account.

We would like to thank the Zyxel Security Team for their quick response and patch.

Disclosure timeline

2020-11-29: EYE reports vulnerability to Zyxel security

2020-11-30: Zyxel acknowledges receipt

2020-12-02: Zyxel requests more information about how the vulnerability was discovered

2020-12-03: EYE sends more details

2020-12-08: Zyxel releases beta firmware 4.60-WK48 and removes the vulnerable firmware version from their site

2020-12-15: Zyxel releases firmware 4.60 patch 1 for most devices

2020-12-18: Zyxel releases firmware 4.60 patch 1 for all remaining devices

2020-12-23: Zyxel publishes advisory