Secret Backdoor Discovered on Zyxel Firewall and AP Controllers (CVE-2020-29583)

A secret backdoor account in Zyxel firewalls and AP controllers allows anyone who can reach the SSH or web management interface to gain administrative rights on devices running the vulnerable firmware.

Overview

“Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges.”

Description

Researchers from EYE (Netherlands) reported a secret backdoor in Zyxel firewalls and AP controllers: the firewall series running ZLD firmware 4.60 and the NXC controllers running 6.00 through 6.10 (see the list below). The vulnerability, tracked as CVE-2020-29583, stems from a hardcoded credential pair that lets an attacker gain administrative access to a vulnerable device over SSH or the web management interface.

The backdoor account “zyfwp” with the password “Pr*******Xp” is stored in plaintext in the firmware image. The full, unredacted credentials have since been published by news outlets, so anyone can use them to log in over SSH or the web interface and manage an unpatched device with administrative rights.

$ ssh zyfwp@192.168.1.252
Password: Pr*******Xp
Router>
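How an account like this turns up once the firmware is unpacked, as an added example (not code from the original page, and not EYE's or Zyxel's tooling): the script below walks an extracted firmware tree, parses any passwd(5) file for privileged accounts that are not on the vendor's documented list, and then looks for lines that pair such an account with a literal secret. The two-file sample tree, the allowlist, the config file name and the placeholder secret are all constructed here; the page does not say where in ZLD firmware the real credentials live, and the real password is deliberately not used.

```python
"""Hunt for undocumented privileged accounts in an unpacked firmware tree.

Added example, not code from the original page and not EYE's or Zyxel's
tooling.  The firmware layout, the account names other than zyfwp, the
config file name and the placeholder secret are constructed here.
"""
import re
import tempfile
from pathlib import Path

# Accounts the vendor documents as legitimate.  Assumed allowlist: in practice
# take it from the product documentation or a known-good firmware image.
DOCUMENTED_ACCOUNTS = {"root", "admin"}

# Heuristic: "<user> = <token>" or "<user>: <token>" with a token of at least
# eight characters containing no whitespace, colon or quote.
CRED_PATTERN = re.compile(r'(?P<user>\w+)\s*[:=]\s*"?(?P<secret>[^\s:"]{8,})"?')


def parse_passwd(text):
    """Yield (user, uid, shell) for every well-formed passwd(5) line."""
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 7:
            continue
        yield fields[0], int(fields[2]), fields[6]


def find_undocumented_privileged(root):
    """Return undocumented accounts that are UID 0 or have a login shell."""
    found = set()
    for passwd in Path(root).rglob("passwd"):
        for user, uid, shell in parse_passwd(passwd.read_text(errors="replace")):
            privileged = uid == 0 or not shell.endswith(("nologin", "false"))
            if privileged and user not in DOCUMENTED_ACCOUNTS:
                found.add(user)
    return sorted(found)


def find_cleartext_credentials(root, users):
    """Return (relative path, line number, user) for lines pairing a flagged user with a literal secret."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            m = CRED_PATTERN.search(line)
            if m and m.group("user") in users:
                hits.append((path.relative_to(root).as_posix(), lineno, m.group("user")))
    return hits


def triage(root):
    """Run both checks against an unpacked firmware root and return the findings."""
    users = find_undocumented_privileged(root)
    return {
        "undocumented_privileged": users,
        "cleartext_credentials": find_cleartext_credentials(root, set(users)),
    }


def build_sample_firmware_root():
    """Write a constructed sample tree (not a real image) and return its path."""
    root = Path(tempfile.mkdtemp(prefix="fw_sample_"))
    (root / "etc" / "zyxel").mkdir(parents=True)
    (root / "etc" / "passwd").write_text(
        "root:x:0:0:root:/root:/bin/sh\n"
        "admin:x:0:0:admin:/home/admin:/bin/sh\n"
        "nobody:x:65534:65534:nobody:/:/sbin/nologin\n"
        "zyfwp:x:0:0:undocumented:/:/bin/sh\n"
    )
    (root / "etc" / "zyxel" / "accounts.conf").write_text(
        "# constructed sample; the literal below is a placeholder, not the real password\n"
        'admin = "$6$saltsalt$hashedhashedhashed"\n'
        'zyfwp = "Example-Not-The-Real-Secret"\n'
    )
    return root


if __name__ == "__main__":
    print(triage(build_sample_firmware_root()))
```

The passwd check is the reliable half: a UID 0 account that the documentation never mentions is a finding on its own. The credential grep is a heuristic for confirming that the secret is stored in cleartext rather than hashed, so review its hits by hand; on a real image, run it over the extracted root filesystem (for example after unpacking with binwalk) rather than the sample tree.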

Affected products and the firmware versions that carry the backdoor account are as follows:

  • ATP series running firmware ZLD v4.60 – Firewall
  • USG series running firmware ZLD v4.60 – Firewall
  • USG FLEX series running firmware ZLD v4.60 – Firewall
  • VPN series running firmware ZLD v4.60 – Firewall
  • NXC2500 running firmware v6.00 through v6.10
  • NXC5500 running firmware v6.00 through v6.10
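To turn the list above into a fleet check, here is an added example (not Zyxel tooling, and not from the original page) that decides whether a product/firmware pair falls inside the affected range. It encodes the list above together with the fix levels Zyxel released for this CVE (ZLD V4.60 Patch 1 for the firewall series, V6.10 Patch 1 for the NXC controllers). The version-string shape "V4.60(ABUI.0)" (major.minor, a model code, then the patch number in parentheses) is an assumption about how these devices report their firmware, and the inventory is constructed.

```python
"""Flag Zyxel devices whose reported firmware is in the CVE-2020-29583 affected range.

Added example, not Zyxel tooling.  The version-string format and the
inventory below are assumptions/constructed data; the affected ranges and
fix levels are those published for this CVE.
"""
import re

VERSION_RE = re.compile(
    r"V?(?P<major>\d+)\.(?P<minor>\d+)(?:\((?P<model>[A-Za-z0-9]+)\.(?P<patch>\d+)\))?"
)
FIREWALL_SERIES = {"ATP", "USG", "USG FLEX", "VPN"}
AP_CONTROLLERS = {"NXC2500", "NXC5500"}


def parse_version(version_string):
    """Return (major, minor, patch); patch defaults to 0 when not reported."""
    m = VERSION_RE.search(version_string)
    if m is None:
        raise ValueError(f"unrecognised firmware version: {version_string!r}")
    return int(m["major"]), int(m["minor"]), int(m["patch"] or 0)


def is_affected(product, version_string):
    """True when the product/firmware pair is inside the published affected range.

    False also covers "not in the published list", so unknown products still
    need a manual check rather than being treated as safe.
    """
    major, minor, patch = parse_version(version_string)
    if product in FIREWALL_SERIES:
        # ZLD V4.60 Patch 0 ships the account; V4.60 Patch 1 removes it.
        return (major, minor, patch) == (4, 60, 0)
    if product in AP_CONTROLLERS:
        # V6.00 through V6.10 Patch 0 are affected; V6.10 Patch 1 is the fix.
        return (6, 0, 0) <= (major, minor, patch) < (6, 10, 1)
    return False


# Constructed inventory: (hostname, product series, firmware as reported by the device).
SAMPLE_INVENTORY = [
    ("fw-branch-01", "USG", "V4.60(ABUI.0)"),
    ("fw-branch-02", "USG FLEX", "V4.60(ABUJ.1)"),
    ("fw-hq", "ATP", "V4.55(ABFW.2)"),
    ("vpn-edge", "VPN", "V4.60(ABFC.0)"),
    ("wlc-01", "NXC2500", "V6.10(AAIG.0)"),
    ("wlc-02", "NXC5500", "V6.10(AAIG.1)"),
    ("wlc-old", "NXC5500", "V5.40(AAIG.3)"),
]


def triage_inventory(inventory):
    """Return the hostnames that still run affected firmware, in inventory order."""
    return [host for host, product, fw in inventory if is_affected(product, fw)]


if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: affected by CVE-2020-29583, upgrade and audit logs")
```

Feed it the product and firmware string from your asset inventory or from the devices' own status page; a hit means the device should be upgraded and its authentication logs reviewed, not merely scheduled.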

Impact

Anyone who can reach the device's SSH or web management interface can log in as zyfwp with the hardcoded credentials and obtain full administrative control of the firewall or AP controller. Because the password is fixed in the firmware and cannot be changed by the administrator, the only fix is the vendor's firmware update.

Impact Summary

Category: Secret Backdoor (hardcoded credentials)
CVSS 3.1 Base Score: 7.8 High
CVSS 3.1 Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

The vector above scores the attack as local and as requiring some prior privilege. In practice the credentials are accepted over the network-reachable SSH and web interfaces with no prior access, which is why NVD rates CVE-2020-29583 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Treat any affected device whose management interface is exposed to an untrusted network as critically exposed.

Solution (Update)

Upgrade affected devices to the firmware Zyxel released for this issue: ZLD V4.60 Patch 1 for the ATP, USG, USG FLEX and VPN series, and V6.10 Patch 1 for the NXC2500 and NXC5500. Until the update is applied, block access to the SSH and web management interfaces from the WAN and from any untrusted network. In either case, review the device's authentication logs for any login by zyfwp: a successful login before patching means the device should be treated as compromised, with its configuration and VPN credentials reviewed and rotated.

Quote by Art Wittmann

As we’ve come to realize, the idea that security starts and ends with the purchase of a prepackaged firewall is simply misguided.

Art Wittmann


References to Advisories, Solutions and Tools

  • Zyxel security advisory for CVE-2020-29583, listing the affected products and the patched firmware versions
  • EYE (Netherlands) disclosure write-up on the undocumented zyfwp account in Zyxel firmware