Zyxel Firewalls Borked By Buggy Update, On-Site Access Required For Fix (theregister.com)
Zyxel customers are facing reboot loops, high CPU usage, and login issues after an update on Friday went awry. The only fix requires physical access and a Console/RS232 cable, as no remote recovery options are available. The Register reports: "We've found an issue affecting a few devices that may cause reboot loops, ZySH daemon failures, or login access problems," Zyxel's advisory reads. "The system LED may also flash. Please note this is not related to a CVE or security issue." "The issue stems from a failure in the Application Signature Update, not a firmware upgrade. To address this, we've disabled the application signature on our servers, preventing further impact on firewalls that haven't loaded the new signature versions."
The firewalls affected include USG Flex boxes and ATP Series devices running ZLD firmware versions -- installations that have active security licenses and dedicated signature updates enabled in on-premises/standalone mode. Those running on the Nebula platform, on USG Flex H (uOS), and those without valid security licenses are not affected.
I see the problem (Score:2)
You failed to buy a Palo.
Re: Mission..Possible? (Score:3)
Security has arguably been improved now that the devices are bricked. No traffic will get through, wanted or not.
managed code and code management (Score:1)
Managed code has shown us that we should not be scared of the null hypothesis, and a good precompiler should be able to check for things like deallocs being set to null, and memory allocation pairs, without the need of Microsoft's interference. But where is this taking us? Infinite loops are also something a precompiler can warn about; there's no excuse for sloppy code. I would expect that the developers are missing all the computer warns and just skipping over them, oh why is my code pretty colours, all in all
Re: (Score:2)
Not to excuse this company's failure in any way, but managed code is typically not the #1 choice for firmware due to performance requirements, limited memory, real-time requirements making garbage collectors undesirable, and bare metal access. Static analyzers can help for sure, but regardless of what tech stack you use, you still need proper QE and QA, which I can't imagine was done in this case.
Zyxel still doing Zyxel things (Score:2)
Re: (Score:2)
Apparently USRobotics suffered a complicated history but is still selling telecom gear under UNICOM parent brand:
"With the reduced usage of voiceband modems in North America in the early 21st century, USR began branching out into new markets. The company purchased Palm, Inc. for its Pilot PDA, but was itself purchased by 3Com soon after. 3Com spun off USR again in 2000, keeping Palm and returning USR to the now much smaller modem market. After 2004 the company is formally known as USR. USR is now a division of UNICOM Global, and is one of the few providers left in the modem market today. The division employs about 125 people worldwide.[1]" https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
I ran a BBS in my teens. One of the modems was a ZyXEL. It was actually pretty decent. A lot better than the Supra. I never stretched the budget enough to buy any US Robotics gear. Most of these modems could not do V.23, unfortunately. I needed a separate ISA bus modem for that, which was pretty flaky.
Morons (Score:3)
I guess they did not notice the thing that happened to CrowdStrike last year. There is really no excuse to do updates without serious testing and redundancy and fallback mechanisms.
Re: (Score:2)
Define "serious" and give a very specific answer. In the security world such as anti-virus and firewalls there is a tradeoff between speed of response and reliability of solution. In many cases the overall risk to an organisation is lower with slightly reduced testing in favour of faster rollout preventing security issues.
Re: (Score:2)
Don't be an idiot. Well, I guess it is the only mode you have. What would have needed to be done is clear.
Re: Morons (Score:2)
Yup, move fast and break things is totally the way to go in the security world. /s
And in other news... (Score:1)
Zyxel's Second Assistant Vice President In Charge of Update Implementation has been hired by Microsoft to lead their Windows 11 Compulsory Update team.
Reading from a prepared statement to announce the appointment, Microsoft Human Resources Chief Steele Stonebollox said, "Microsoft is excited to push forward aggressively with our newest DEI hire. Our world class Destroyed Equipment Initiative will move boldly to the next level with Team Leader Roger Roundly taking control of a unit powerfully committed to
yay DRM! (Score:2)
those without valid security licenses are not affected.
As usual, DRM only fucks over the paying customers.