
Backdoor Account Discovered in More Than 100,000 Zyxel Firewalls, VPN Gateways (zdnet.com)

More than 100,000 Zyxel firewalls, VPN gateways, and access point controllers contain a hardcoded admin-level backdoor account that can grant attackers root access to devices via either the SSH interface or the web administration panel. From a report: The backdoor account, discovered by a team of Dutch security researchers from Eye Control, is considered as bad as it gets in terms of vulnerabilities. Device owners are advised to update systems as soon as time permits. Security experts warn that anyone ranging from DDoS botnet operators to state-sponsored hacking groups and ransomware gangs could abuse this backdoor account to access vulnerable devices and pivot to internal networks for additional attacks.
  • Wrong advice (Score:5, Insightful)

    by Aethedor ( 973725 ) on Saturday January 02, 2021 @05:13AM (#60886808)

    Device owners are advised to update systems as soon as time permits.

    How about throw it in the trashcan and buy a new one from a more trustworthy manufacturer? This is totally unacceptable!

    • Re:Wrong advice (Score:5, Interesting)

      by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Saturday January 02, 2021 @05:41AM (#60886850) Homepage Journal

      If it can't run OpenWrt or similar, it's poop.

      Not only can't you trust it, but you can't keep it updated for the lifetime of the device, the manufacturer never keeps up with that stuff for long enough.

    • by AmiMoJo ( 196126 )

      You can't trust any of them.

      Either build your network so it doesn't have to trust these devices, or roll your own with a mini PC and pfSense.

      • Anywhere you are using someone else's code is a window of vulnerability. This is why open source is so much more preferred over proprietary in my book because the more exposed the code, the more eyes that can find the flaws and point others to get them fixed. With proprietary it's catch as catch can. And obfuscation. Until someone finds the flaw, and it gets exploited widely.
    • from a more trustworthy manufacturer

      Like who? Cisco?

      • That's who I got mine from (Linksys WRT1200AC).

        But I bought it because I could load OpenWrt on it.

        Vendor is less important than whose distribution you're running...except when the vendor makes that impossible or improbable.

    • Why does it need to run SSH anyhow?

  • by chr1973 ( 711475 ) on Saturday January 02, 2021 @05:18AM (#60886822)

    I don't have a Zyxel device, so this vulnerability doesn't affect me. It did make me think though.

    Is there any service or software that can make it somewhat easy to check if your devices (or your relatives' devices) have known vulnerabilities?

    I don't think I'd want to share a list of all my devices and firmware versions with a 3rd party service though.
    So I'd probably prefer to keep the device data local, but I would like something that allows me to (anonymously) check for vulnerabilities.

    Hmm, is there an online database of devices and firmware versions with vulnerabilities? Might be a little too helpful for hackers though :-(

    • Nessus has a free home edition that scans for vulnerabilities; google Tenable Nessus
      • by chr1973 ( 711475 )

        It wouldn't help with the devices in the networks of my parents/aunt/brother etc.

        Further, I'd be hesitant running 3rd party SW that scans my network and then possibly phones home...

        It would however be useful with a tool (open source?) that helps me compile a list of devices. Then again, the number of devices isn't that large - I could likely write down the information quicker than it'd take me to find/install/run such a tool.

      • by chr1973 ( 711475 )

        Link for Nessus: https://en.wikipedia.org/wiki/... [wikipedia.org] where it says:

        Nessus is a proprietary vulnerability scanner developed by Tenable, Inc. (NASDAQ: TENB) ...
        The Nessus 2 engine and a minority of the plugins are still GPL, leading to forked open source projects based on Nessus like OpenVAS and Porz-Wahn

      • by Slayer ( 6656 )

        Nessus is all fine and dandy, but does not protect from these blatant backdoors until they are reported, and reported they are when they are found. There were hard coded backdoors in Cisco's line of products, in Juniper's line of products, in some of Netgear's products, so you basically have two options:

        • 1. Get any device from a "reputable" (see the above) vendor, hope for updates to come out in a timely fashion (they won't) and keep that device running until an unusually long interval since the last update
        • I may be an idiot, but a simple port scan is going to show an open SSH port. That's pretty trivial to do from Linux or BSD. That won't catch "phone home" style vulnerabilities, but if there's an undocumented listener on a device, a deep port scan is going to find it in most cases.

          • I imagine that a port knocking scheme of some kind is used with these backdoors. It would never be as obvious as an open SSH port, would it?

            For devices that are expected to provide ssh access, the backdoor would take the form of a hidden/undocumented account, so again there would be no way to scan for something like this.

            • Not really. I would expect SSH to be open on a router, firewall, VPN device etc. else how do you expect me to admin the device. What we have here is hardcoded username/password combinations that give admin level access. No amount of network scanning is going to help in this scenario till they have been uncovered. I would expect Nessus scan to start flagging the devices soon now.

    • by chr1973 ( 711475 )

      Another use case:

      I have an old device, e.g. an Apple TV 3, and _before_ connecting it to my network I would like to know:
      a) Does it have known vulnerabilities and what are they?
      b) Has updated firmware been released, or is the device abandoned?
      c) How to determine e.g. model number, hardware revision and firmware version on the device

      With a database of vulnerable devices I could look up a) and b). Something that scans my network can't help me with this, because it requires first connecting the devi
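The local check the poster describes, as an added example (not code from the thread, from Nessus or from OpenVAS): a device inventory kept on the local machine is matched against a locally stored list of advisories, each with an affected firmware version range, so nothing about the devices is sent anywhere. The vendor names, model names, firmware versions and the `EXAMPLE-…` advisory ids are constructed placeholders, not real records; it also answers question b) by reporting whether a fixed version exists at all.

```python
"""Match a local device inventory against a locally stored advisory list.

Added example for this thread, not a real tool or database. INVENTORY and
ADVISORIES below are constructed sample data with placeholder ids.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Reduce a firmware string such as '4.60(ABCD.1)' to its numeric parts,
    here (4, 60, 1), so versions can be compared as tuples. Letter-only
    components are ignored, which is good enough for range checks."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str          # placeholder id (constructed)
    vendor: str
    models: FrozenSet[str]    # affected model names (constructed)
    introduced: str           # first affected firmware version, inclusive
    fixed: Optional[str]      # first fixed version; None means no fix released
    summary: str


@dataclass(frozen=True)
class Device:
    name: str
    vendor: str
    model: str
    firmware: str


def is_affected(dev: Device, adv: Advisory) -> bool:
    """True when the device's model is listed and its firmware falls inside
    [introduced, fixed). With no fixed version, everything from 'introduced'
    onward is affected."""
    if dev.vendor.lower() != adv.vendor.lower() or dev.model not in adv.models:
        return False
    fw = parse_version(dev.firmware)
    if fw < parse_version(adv.introduced):
        return False
    return adv.fixed is None or fw < parse_version(adv.fixed)


def check_inventory(devices: List[Device],
                    advisories: List[Advisory]) -> Dict[str, List[Tuple[str, str]]]:
    """Return {device name: [(advisory id, action)]} for devices with open
    advisories. The action distinguishes 'update available' from 'abandoned'."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for dev in devices:
        hits = []
        for adv in advisories:
            if is_affected(dev, adv):
                action = (f"update to {adv.fixed} or later" if adv.fixed
                          else "no fix released")
                hits.append((adv.advisory_id, action))
        if hits:
            findings[dev.name] = hits
    return findings


# Constructed sample advisory list (placeholder vendors, models and ids).
ADVISORIES = [
    Advisory("EXAMPLE-2021-0001", "ExampleVendor", frozenset({"GW-100", "GW-200"}),
             "4.0", "4.61", "hardcoded admin account (constructed sample)"),
    Advisory("EXAMPLE-2016-0007", "ExampleVendor", frozenset({"GW-100"}),
             "1.0", "3.30", "plaintext privilege-escalation password (constructed sample)"),
    Advisory("EXAMPLE-2019-0042", "OtherVendor", frozenset({"TV-3"}),
             "1.0", None, "no fix released, device end-of-life (constructed sample)"),
]

# Constructed sample inventory; in practice this file stays on your own machine.
INVENTORY = [
    Device("office-firewall", "ExampleVendor", "GW-100", "4.60"),
    Device("branch-firewall", "ExampleVendor", "GW-200", "4.61"),
    Device("living-room-tv", "OtherVendor", "TV-3", "7.9"),
    Device("lab-ap", "ExampleVendor", "AP-5", "2.0"),
]

if __name__ == "__main__":
    for name, hits in check_inventory(INVENTORY, ADVISORIES).items():
        for advisory_id, action in hits:
            print(f"{name}: {advisory_id} -> {action}")
```

Only the advisory list needs to be fetched from outside; the inventory never leaves the machine, which is the property the poster wanted.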

    • by TheDarkRogue ( 245521 ) on Saturday January 02, 2021 @11:56AM (#60887604)

      Check out OpenVAS

      https://openvas.org/ [openvas.org]

  • by Viol8 ( 599362 ) on Saturday January 02, 2021 @05:22AM (#60886826) Homepage

    The devs who create the firmware are not stupid, so why do they leave these obvious backdoors in? If it was only 1 manufacturer who'd done it I'd say it was incompetence and/or an internal hack of the firmware to plant it, but it happens too often so is obviously deliberate. Yes they probably need easy root access during development and testing but don't tell me they "forgot" to remove it. To me these seem deliberate acts and they don't care how it might affect their customers.

    • by Canberra1 ( 3475749 ) on Saturday January 02, 2021 @06:11AM (#60886880)
      I would mod up, but Cisco and others also did this - which is just contempt for the purchaser - but punter is a more apt word. Those living in countries with strong consumer protection should return it to point of sale for a full refund. This is clearly a hidden and latent defect, now unfit for use. Failing that, small claims court. Just remember to ask WHY this insecure backdoor was retained after the earlier CVE. Reputational damage is here and now, so if it was a LE requirement, they should pony up the costs for defective product returns.
      • by AmiMoJo ( 196126 )

        It's because it keeps support costs down. When a customer calls Cisco because they can't get their device to work, the Cisco staff can get in using the backdoor and sort it out. Doesn't matter if the customer changed all the passwords and then forgot them, or if something got corrupted, the backdoor is hard coded.

        • by WatchMaster ( 613677 ) on Saturday January 02, 2021 @10:55AM (#60887470)

          Or because they are paid to put backdoors in so the same people who wanted clipper and key escrow can access the equipment.

        • Great, so hash the MAC address written on the bottom and base the back door password on that. There's no reason to have the same password for every device.

        • by gweihir ( 88907 )

          It's because it keeps support costs down. When a customer calls Cisco because they can't get their device to work, the Cisco staff can get in using the backdoor and sort it out. Doesn't matter if the customer changed all the passwords and then forgot them, or if something got corrupted, the backdoor is hard coded.

          Probably. Anything else makes very little sense. Once again, the customer gets what they pay for. But if you look, for example, at the lock industry, where gifted amateurs get into any lock, regardless of security levels within days of having gotten their hands on it, I guess a real security mind-set is just a very rare thing.

          • But if you look, for example, at the lock industry, where gifted amateurs get into any lock, regardless of security levels within days of having gotten their hands on it, I guess a real security mind-set is just a very rare thing.

            It's a very hard thing. When you build a commercial product you have considerations beyond "is this thing secure" and that is ultimately where the failures begin. You could make a more secure lock if you required the user to move the key more and differently, but the lock would be bigger and more expensive and harder to use. And we have locks like that, and we put them on bank vaults. And even those can be defeated, but it takes a lot more time and equipment.*

            Most people know dick about security and don't w

    • by Anonymous Coward

      I don't know one way or another if this is malevolent. But it is certainly possible for thousands of programmers to fuck up on security. Look up the CVE security vulnerability database; historically there have been thousands of bugs in Windows & Linux systems.
      Think of the loads of GitHub trees that were discovered to have plaintext API keys.
      People fuck up security a lot because being quick & dirty gets you out the door faster, security is an afterthought. There are countless non-deliberate ways to f

      • Don't let coders get away with what's OBVIOUSLY and UNAMBIGUOUSLY bad practice. ALL SIMPLE AUTH BACK DOORS ARE BAD PRACTICE. Don't let weasel words distract from that. These flaws, by the sloth of the coders and all those that did QA work on the code, are MALEVOLENT. Don't BS around about it, don't let them escape the crap on their faces for doing such a thing. I don't care if their name is Cisco or Zyxel or SonicWall. There is no excuse; they should resign for having made their customers vulnerable. They fa

    • Yes they probably need easy root access during development

      In many years of development, going from web sites to hardware stuff, I never needed a backdoor to have easy root access during development. I never planted backdoors in my software, I never attempted to lower the security of whatever I was doing... and I don't see why anyone would need to do it. IMO this stuff is made by "developers" who are explicitly planted inside big software vendors by organizations such as the NSA... and not for develo
      • To be fair these aren't really backdoors, they're hardcoded admin accounts. When you're working with an embedded system it's quite normal and handy to do this, so that you don't have to physically reflash a device when code breaks, and have an easy way to get in and analyze what's going on so you can fix it. But such things ought to be pretty blatantly documented and not only removed from production code, the QA process for promoting updates to production should also include specific checks to ensure they w
        • To be fair these aren't really backdoors, they're hardcoded admin accounts. ...

          A hardcoded admin account is a very common type of backdoor.

        • How difficult is it to have a slightly different build for production that removes the backdoors?

          At my small software company, we have automated builds that differ slightly between production releases and internal test releases. We build and test the production release weekly also, so that the production releases are also tested and a production build can be released at any time.
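The "specific checks" the thread asks for, as an added example that is not code from the posts, from Zyxel or from any vendor's build system: a release gate run over the firmware root filesystem that fails the production build if any account is undocumented, has a uid other than its documented one, or ships with a usable password. The rule is deliberately stricter than "no second uid 0": a password hash baked into the image is the same secret on every unit, so the production image must ship every account locked and let the owner set a password on first boot. `ALLOWED_ACCOUNTS`, `SAMPLE_PASSWD` and `SAMPLE_SHADOW` are constructed data, not taken from any real firmware.

```python
"""Release-gate check for a firmware root filesystem: every account shipped
in the image must be documented, carry its documented uid, and be locked,
so no shared credential is baked into every unit.

Added example for this thread; not code from the posts or from any vendor.
ALLOWED_ACCOUNTS, SAMPLE_PASSWD and SAMPLE_SHADOW are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, List

# Documented accounts and their fixed uids in the production image (constructed).
ALLOWED_ACCOUNTS: Dict[str, int] = {"root": 0, "admin": 1000, "nobody": 65534}


@dataclass
class Account:
    name: str
    uid: int
    shell: str
    secret: str  # password field after resolving the 'x' shadow indirection


def parse_accounts(passwd: str, shadow: str) -> List[Account]:
    """Join /etc/passwd with /etc/shadow the way the login programs do."""
    shadow_secrets: Dict[str, str] = {}
    for line in shadow.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            shadow_secrets[fields[0]] = fields[1]
    accounts: List[Account] = []
    for line in passwd.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        name, secret, uid, shell = fields[0], fields[1], int(fields[2]), fields[6]
        if secret == "x":                          # 'x' means: look in shadow
            secret = shadow_secrets.get(name, "")  # missing shadow entry == no password
        accounts.append(Account(name, uid, shell, secret))
    return accounts


def password_login_possible(secret: str) -> bool:
    """'*' or a '!'-prefixed field locks the account. An empty field allows
    login with no password at all, and anything else is a usable hash."""
    return not (secret == "*" or secret.startswith("!"))


def audit_image(passwd: str, shadow: str) -> List[str]:
    """Return one finding per violation; an empty list means the image is clean."""
    findings: List[str] = []
    for acct in parse_accounts(passwd, shadow):
        documented_uid = ALLOWED_ACCOUNTS.get(acct.name)
        if documented_uid is None:
            findings.append(f"{acct.name}: undocumented account "
                            f"(uid {acct.uid}, shell {acct.shell})")
        elif acct.uid != documented_uid:
            findings.append(f"{acct.name}: uid {acct.uid} differs from "
                            f"documented uid {documented_uid}")
        if acct.uid == 0 and acct.name != "root":
            findings.append(f"{acct.name}: extra uid-0 account")
        if password_login_possible(acct.secret):
            kind = "empty password" if acct.secret == "" else "password hash shipped in image"
            findings.append(f"{acct.name}: {kind}; every unit would share this credential")
    return findings


def release_gate(passwd: str, shadow: str) -> bool:
    """True when the image may be promoted to production."""
    return not audit_image(passwd, shadow)


# Constructed sample: the documented accounts plus a debug account left in by mistake.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
admin:x:1000:1000:Administrator:/home/admin:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
svc_debug:x:0:0:debug account (constructed):/root:/bin/sh
"""
SAMPLE_SHADOW = """\
root:*:18500:0:99999:7:::
admin:!:18500:0:99999:7:::
nobody:*:18500:0:99999:7:::
svc_debug:$6$constructedsalt$constructedhash:18500:0:99999:7:::
"""
# The same image without the stray account, i.e. what production should look like.
CLEAN_PASSWD = "\n".join(SAMPLE_PASSWD.splitlines()[:3]) + "\n"
CLEAN_SHADOW = "\n".join(SAMPLE_SHADOW.splitlines()[:3]) + "\n"

if __name__ == "__main__":
    for finding in audit_image(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print("FAIL:", finding)
    print("clean image gate:", "pass" if release_gate(CLEAN_PASSWD, CLEAN_SHADOW) else "fail")
```

Wired into the weekly production build the poster describes, a non-empty finding list fails the build, so an account that was handy on the bench cannot reach a shipped image unnoticed. Accounts whose authentication lives elsewhere (a web UI's own user store, a PAM module) need a parallel check against that store; this gate only covers what the login programs read from passwd and shadow.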

    • but it happens too often so is obviously deliberate.

      I'd be hesitant to suggest that. I think you are making a very incorrect assumption that some genius wonderboy is responsible for bringing a product to market and nurturing it from concept design all the way to the customer's premises. In reality it's not one perfect superman, but rather 100 mediocre overworked drones whose goal in the workplace is to make it through to 5pm and clock out for the day, each giving just enough shits to make their paycheck, and each very much more than able to make a virtually

      • but it happens too often so is obviously deliberate.

        I'd be hesitant to suggest that. I think you are making a very incorrect assumption that some genius wonderboy is responsible for bringing a product to market and nurturing it from concept design all the way to the customer's premises. In reality it's not one perfect superman, but rather 100 mediocre overworked drones

        ...only one of whom has to be bribed to insert a back door, which should be easy because they are both overworked and underpaid (even for their level of talent.)

    • by Brama ( 80257 )

      What's worse is that Zyxel had a 2016 CVE for having a hardcoded plain text password in the firmware to elevate privileges of any user. This one's worse as it doesn't even need a non-privileged user, and in fact even works on the built-in HTTPS server's admin interface. And these are mostly corporate devices too. This level of not giving a fuck when you're in that business should end said business.

  • Mine has been lost for years. Maybe it's time for responsible people to put ZyXEL on their personal and corporate blacklist too.

  • This Taiwanese company is doing what Huawei has been accused of but without any proof at all. With Huawei devices being junked by executive order, this is one of the companies picking up the slack and it's not even the first time they (Zyxel) have pulled a stunt like this.
    I'm assuming someone like the NSA has been looking at Huawei devices, trying to find holes like these. They have not found any so far, time to rescind that executive order.
    Oh, and maybe - just maybe - Zyxel are the victims here, think of

    • by Entrope ( 68843 ) on Saturday January 02, 2021 @07:59AM (#60887052) Homepage

      Huawei backdoors were found more than a decade ago [bloomberg.com], and Huawei lied about fixing them.

    • by Gilesx ( 525831 )
      Jinping, is that you?
      • Having looked up Jinping with a search engine, nope. My point was that all these claims against Huawei are hot air by politicians with an axe to grind, I have not seen one single CVE number.
        As to Entrope's comment, I followed your link and it did say that the issue had later been resolved to their satisfaction.

        There was an article here around a year ago going into Samsung's TV OS, it might possibly be called Baidu. It was apparently written by people who had absolutely no idea about security best (or any

  • And more than 100000 people need to be reimbursed for the extra work they have to do. Let's make it a good round $100 per device, paid to the actual customers, not lawyers or the government. If you show up with one of these devices at a store that sells Cisco gear, they record the serial number and pay you $100 cash.

    FFS, this shit needs to stop, especially at Cisco.

  • by mattyb83 ( 6758524 ) on Saturday January 02, 2021 @08:06AM (#60887068)
    meh, Cisco did it better (https://www.zdnet.com/article/cisco-removed-its-seventh-backdoor-account-this-year-and-thats-a-good-thing)
  • The first thing I did was install Debian.
