Backdoor in Zyxel Firewalls and Gateways

This is bad:

More than 100,000 Zyxel firewalls, VPN gateways, and access point controllers contain a hardcoded admin-level backdoor account that can grant attackers root access to devices via either the SSH interface or the web administration panel.

[…]

Installing patches removes the backdoor account, which, according to Eye Control researchers, uses the “zyfwp” username and the “PrOw!aN_fXp” password.

“The plaintext password was visible in one of the binaries on the system,” the Dutch researchers said in a report published before the Christmas 2020 holiday.
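The researchers found the password sitting as a plaintext string in a binary, which is exactly what a firmware triage pass looks for. As an added example (not from the post, the ZDNet article or the Eye Control report): a small Python script that pulls printable strings out of an image, flags `user:secret`-shaped strings, and marks hits on the reported account name. The sample image bytes, and the password in them, are constructed placeholders.

```python
import re
import string

# Indicator taken from the post above: the undocumented account name reported by Eye Control.
KNOWN_BACKDOOR_ACCOUNTS = {"zyfwp"}

# Printable ASCII minus control whitespace, the same run definition the `strings` tool uses.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

# "user:secret" with a 6+ char secret that is not a URL path (rules out "http://...").
CRED_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]{2,31}):([^:\s/][^:\s]{5,})$")

# Constructed sample image (hypothetical); the credential line is a placeholder, not a real one.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 8
    + b"http://example.com/fw\x00"        # URL: must not be flagged
    + b"Usage: fwupdate [-d]\x00"         # ordinary help text
    + b"zyfwp:CONSTRUCTED_pw_1\x00"       # credential-shaped string for the known account
    + b"\x00\x05\xff" * 4
)


def extract_strings(blob, min_len=4):
    """Return (offset, text) for every run of >= min_len printable ASCII bytes."""
    out, start = [], None
    for i, b in enumerate(blob):
        if b in PRINTABLE:
            start = i if start is None else start
            continue
        if start is not None and i - start >= min_len:
            out.append((start, blob[start:i].decode("ascii")))
        start = None
    if start is not None and len(blob) - start >= min_len:
        out.append((start, blob[start:].decode("ascii")))
    return out


def find_hardcoded_credentials(blob):
    """Triage list: credential-shaped strings, plus any bare hit on a known backdoor account."""
    findings = []
    for off, s in extract_strings(blob):
        m = CRED_RE.match(s)
        if m:
            user = m.group(1)
            findings.append({"offset": off, "user": user,
                             "known_backdoor": user in KNOWN_BACKDOOR_ACCOUNTS})
        elif s in KNOWN_BACKDOOR_ACCOUNTS:
            findings.append({"offset": off, "user": s, "known_backdoor": True})
    return findings


if __name__ == "__main__":
    for finding in find_hardcoded_credentials(SAMPLE_FIRMWARE):
        print(finding)
```

The output is a triage list, not proof: `LABEL:value` strings in log formats will show up too, so each hit still needs a look at the surrounding code before it is called a credential.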

Posted on January 6, 2021 at 5:44 AM • 18 Comments

Comments

Andrew McNeil January 6, 2021 6:53 AM

Wondering what are good alternative brands that don’t have such terrible security practices?

Clive Robinson January 6, 2021 8:36 AM

@ ALL,

You would have thought this type of backdoor would have stopped by now…

But I guess,

“The more things change, the more they stay the same”

And no amount of code signing will protect end users from this nonsense, only careful analysis of the executable code, and that is well nigh impossible if someone learns a little (which the author of this back door did not).

Curious January 6, 2021 9:07 AM

I can’t help but wonder if it might be more worth to police or military intelligence community, to just let people hack stuff just to get to observe such activities, which could perhaps explain why lots of hardware is apparently inherently insecure, but surely that would be unethical? And if attribution is hard, surely such a strategy or attributing id (who) or even behaviour (what) would have to fail in any case?

Eric Valk January 6, 2021 9:40 AM

I own one of these Zyxel devices.

I have just discovered that Zyxel has had the new firmware available for a few weeks now, but when the user uses the “check for new firmware update” feature it doesn’t show that this firmware is available.

You have to sign into your Zyxel account to find it.

This is misleading, because most users depend on the “check for new firmware update” feature.

Tatütata January 6, 2021 11:44 AM

From the report:

As SSL VPN on these devices operates on the same port as the web interface, a lot of users have exposed port 443 of these devices to the internet.
[…]
According to Zyxel, the account was designed to deliver automatic firmware updates for access points via FTP.

I’m not sure which is worse:

1) That the manufacturer installed an undocumented backdoor; (the Zyxel “explanation” doesn’t make sense)

or

2) That it was so incompetently implemented.

I wouldn’t be surprised that the devices all have the same, fixed, SSH keys.

Speaking of backdoors, some ISPs keep an access to cable and DSL devices that they provisioned but sold to the subscriber. I have such a device (not a Zyxel), and will reset it when I change providers. In the meantime, my home installation has a second open-source router downstream.

BTW, is there a backdoor to get through the comment censorbot? 🙂

Bernard January 6, 2021 12:10 PM

Speaking of backdoors, some ISPs keep an access to cable and DSL devices that they provisioned but sold to the subscriber.

Don’t the network operators always have full access to DOCSIS modems and GPoN SFP modules, including to push firmware updates? I’m not sure that a reset can be relied on to undo that.

Hampton the Hampster January 6, 2021 1:02 PM

@Bernard
On DSL it’s called a TR069 (hope I didn’t mess up the numbers) remote management access and on some routers can be disabled.

Bernard January 7, 2021 11:35 AM

Hampton the Hampster, TR069 is disabled by default on every DSL modem I’ve seen, including TP-Link and SmartRG. Some ISPs may provide a configuration file that enables it; but that can be overridden, and there’s generally no need or expectation to use those files.

By contrast, I don’t believe one can protect a cable modem from a coax network, or a GPoN SFP module from a fiber network. At least the SFP modules can be moved into a user-controlled router.

The workaround for all of this stuff is the same as it’s been since the 1990s (though a hell of a lot easier with Let’s Encrypt): run a zero-trust network.

Clive Robinson January 7, 2021 11:56 AM

@ Bernard,

By contrast, I don’t believe one can protect a cable modem from a coax network

Or any other device supplied by any kind of Service Provider; they simply cannot be trusted, and 99% of customers do not have the clout, be it financially or otherwise, to stop their behaviours. This is not just “a US thing”, it happens wherever there is not high penalty criminal legislation that gets exercised. And I do not mean 100 million Dollar fines, they are a joke to large enterprises; what is needed is hard jail time for senior executives along with taking away their assets and those of their family. If directors want companies to be people, then people have to go to jail when wrongdoing is found; as they are in charge as Directing Minds, it should be they that take responsibility.

Who? January 7, 2021 1:40 PM

Do not let me start talking about the backdoors on Fortinet routers, and how difficult getting a patch from this manufacturer is, if possible at all.

Who? January 7, 2021 1:50 PM

@ Andrew McNeil

My choice would be a low power computer running OpenBSD.

If not, a Juniper Networks services gateway running Junos; low-end SRX devices are very good choices for small networks. The National Security Agency went to great lengths to get them compromised (look for information about the Juniper-NSA backdoor scandal) and, in fact, they are Commercial Solutions for Classified (CSfC) program certified, so these devices should be right for most uses.

Clive Robinson January 7, 2021 3:48 PM

@ Who?,

in fact, they are Commercial Solutions for Classified (CSfC) program certified so these devices should be right for most uses.

You still need to put a second one in series from a different manufacturer and instrument the DMZ between them.

I’ve mentioned this before when talking about the “Garden Path” design.

Who? January 14, 2021 12:27 PM

@ Clive Robinson

That is very true!

Most of my machines are air-gapped (sadly, energy gapping is too challenging for me at this time as I have not enough resources to run it effectively); others run behind restrictive firewalls that only allow establishing outgoing (egress, from the point of view of internal ports) connections, but what you say goes a step further and it is very clever.

Even a certified device can be tampered with, so a single device (or multiple devices coming from the same source) is not enough, even if the latest version of its operating system is freshly installed, and all integrity checks are run on these images before applying them.

Certainly we need to know and carefully analyse traffic flowing between devices too. No single device should be fully trusted.

Clive Robinson January 15, 2021 6:11 AM

@ Who?

No single device should be fully trusted.

I think with commodity systems since 2010 at least, if not earlier, “no device can be trusted”.

What went in as “convenience” became extended to a “conduit” for various reasons, which in turn became major channels through which information became collected for “engineering and support”, and in time that information broadened into anything that could be turned into an income stream.

As an example, PCs that are on even though they are off. That is, they are actually dormant waiting for a signal on the network or similar. They then wake up a “management CPU”. Which is a nice convenience if you are a system admin wanting to change a configuration. But then this extended to patching and other tasks that are equivalent to tasks attackers use to add malware to a system. But there was Dr Watson, there to send back bug reports to MS on a blue screen of death. This got expanded to report back all sorts of information so, amongst other things, “support” could not just see what software is running but take over control of the computer.

Each step along the way increasingly encroached on privacy and reduced security…

We don’t “own” our computers; Microsoft made that clear by forcing people to download Win10 without their permission.

So “trust” in both the normal human and in the ICTsec meaning are gone. Commercial Computers are without doubt “The enemy in the camp”…

In human terms, a few hundred years ago nobles who fought as knights, if captured, were ransomed, but until such time as the exchange was made they were “paroled”, that is they could wander around camp fairly freely having promised not to escape etc. Well, the promises got broken and over the years there were “Prisoner of war” camps that also became internment camps.

We need to take almost similar mitigations with computers these days…

But doing so has a cost, a very large cost, just as it does with human prisoners, and it’s not one many would wish to incur if they could avoid it. Whilst that was once possible, the reality these days is that commodity computers are designed to be the spies and turncoats in our midst…

How we deal with it depends on what our specific needs are. But as with humans, segregation and the limiting of communications form the basis of it all. Which tends to reduce a computer’s utility, thus a balance has to be sought, and that in turn has to be evaluated constantly.

Fairly easy to say, not at all easy to do, even for those with knowledge and experience. The skill sets required are not generally found in more than a few people… Whilst teaching the skills is, like most teaching, a mixture of learning and applying, the mindset really only comes about by being “battle hardened”, and it’s not the way most people would want to go about acquiring a skill.

Who? January 15, 2021 9:58 AM

@Clive Robinson

I agree with you, older systems seem more secure than current ones. A decade ago, devices were mostly “predictable” in the sense you were reasonably secure they were turned off, and there were no tiny computers running in parallel on them.

That said, a lot of computers can be reasonably hardened. Most of my Dell computers have been “ME disabled” at the factory, and do not support S1 suspend mode. The network port LEDs are not blinking when the computer has been powered off, so I think they are not listening to Ethernet frames. At least I hope so.

Some Lenovo ThinkCentre desktops have an advanced power saving mode that disables the integrated NIC when the computer is turned off too.

A good starting point may be the UEFI Secure Boot Customization NSA’s cybersecurity technical report.

I tend to mix architectures too, to minimise the impact of hardware backdoors. My firewalls are (mostly) based on Cavium Octeon processors. This network has a mix of MIPS, SPARC, Alpha, x86 and amd64 architectures inside.

Windows is a truly poor choice as an operating system, as are other commercial operating systems and software tools. I prefer a combination of OpenBSD (the operating system that runs on most of these computers) and, in those cases where OpenBSD is not a good choice as a consequence of some very odd hardware requirement, Linux.

I know that, at this point, my “ransom knights” are just promising not to escape. Other security layers are required, including some sort of “garden path” with an IDS carefully listening in the DMZ while ready to cut communications from the internal firewall. I guess it is the best we can do.

Lukasz January 20, 2021 5:33 PM

I am writing this post for an Applied Cryptography course. Seems crazy to me that such a flaw found its way into a final piece of software and that it was an intentional design choice. Even as a student I can see several issues with having such high privileges encoded as a plain text binary.
