Description
On Wednesday, December 23, 2020, Zyxel released a security advisory for CVE-2020-29583, a “hardcoded credential vulnerability” in its firewall and AP controller products. The vulnerability was discovered by Niels Teusink of EYE.
According to Zyxel, the account with hardcoded credentials was designed to deliver automatic firmware updates to connected access points through FTP. Teusink determined that the account had admin privileges and was accessible via both the device’s web interface and its SSH service, leading to a complete compromise of the device’s management functionality.
As of January 6, 2021, SANS reports that CVE-2020-29583 is being actively exploited in the wild.
Affected products
The following table was provided by Zyxel.
| Affected product series | Patch available in |
|---|---|
| Firewalls | |
| ATP series running firmware ZLD V4.60 | ZLD V4.60 Patch1 in Dec. 2020 |
| USG series running firmware ZLD V4.60 | ZLD V4.60 Patch1 in Dec. 2020 |
| USG FLEX series running firmware ZLD V4.60 | ZLD V4.60 Patch1 in Dec. 2020 |
| VPN series running firmware ZLD V4.60 | ZLD V4.60 Patch1 in Dec. 2020 |
| AP controllers | |
| NXC2500 running firmware V6.00 through V6.10 | V6.10 Patch1 on Jan. 8, 2021 |
| NXC5500 running firmware V6.00 through V6.10 | V6.10 Patch1 on Jan. 8, 2021 |
Rapid7 analysis
The zyfwp user is a Unix account with the password PrOw!aN_fXp. It can log in to an affected Zyxel device's web interface and SSH service, and either login grants admin access to the device's management interface.
Guidance
Zyxel has provided an FAQ detailing how to mitigate the risk posed by CVE-2020-29583. Rapid7 strongly recommends that Zyxel customers upgrade their firmware to the latest available version.
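Two checks a defender can run against the facts above, as an added example that is not part of the original Rapid7 page: a firmware-version test that encodes the affected ranges from Zyxel's table (ZLD V4.60 without Patch1 for the firewall series; V6.00 through V6.10 before V6.10 Patch1 for the NXC controllers), and a scan of login records for the zyfwp account. The log lines and their format are constructed for illustration, not copied from a real device.

```python
import re

# Vulnerable ranges taken from Zyxel's table (see "Affected products").
FIREWALL_SERIES = {"ATP", "USG", "USG FLEX", "VPN"}
CONTROLLER_SERIES = {"NXC2500", "NXC5500"}

# Accepts strings such as "ZLD V4.60", "ZLD V4.60 Patch1", "V6.05", "V6.10 Patch1".
_FW_RE = re.compile(r"^(?:ZLD\s+)?V(\d+)\.(\d+)(?:\s+Patch(\d+))?$", re.IGNORECASE)


def parse_firmware(fw):
    """Return (major, minor, patch); a missing Patch suffix counts as patch 0."""
    m = _FW_RE.match(fw.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {fw!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(series, fw):
    """True when the (series, firmware) pair falls inside a vulnerable range."""
    version = parse_firmware(fw)
    if series in FIREWALL_SERIES:
        # Only ZLD V4.60 is listed; V4.60 Patch1 carries the fix.
        return version[:2] == (4, 60) and version[2] < 1
    if series in CONTROLLER_SERIES:
        # V6.00 through V6.10 affected; fixed from V6.10 Patch1 onward.
        return (6, 0, 0) <= version < (6, 10, 1)
    return False


# Constructed sample log lines; the format is assumed, so adapt _LOGIN_RE to the
# device's actual syslog output. Only the account name matters for the check.
SAMPLE_LOG = """\
2021-01-05 09:12:01 usg-fw sshd: Accepted password for zyfwp from 198.51.100.7 port 51022
2021-01-05 09:12:44 usg-fw httpd: User zyfwp login from 198.51.100.7 via https
2021-01-05 10:02:10 usg-fw sshd: Accepted publickey for admin from 192.0.2.10 port 40110
"""

_LOGIN_RE = re.compile(
    r"\b(?:Accepted \w+ for|User) (?P<user>\w+) (?:login )?from (?P<src>[\d.]+)")


def find_account_logins(log_text, account="zyfwp"):
    """Return (line_number, source_ip) for every login by the given account."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = _LOGIN_RE.search(line)
        if m and m.group("user") == account:
            hits.append((n, m.group("src")))
    return hits
```

Any hit from `find_account_logins` on a device that `is_affected` reports as vulnerable is worth treating as a potential compromise rather than a firmware-update job, since the account was never meant for interactive use.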
References
- https://www.zyxel.com/support/CVE-2020-29583.shtml
- https://businessforum.zyxel.com/discussion/5400/what-you-should-know-about-cve-2020-29583-and-actions-to-take-to-mitigate-the-risk
- https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html