A story from the Netherlands cybersecurity firm Eye reports more than 100,000 Zyxel firewalls, VPN gateways, and access point controllers contain a hardcoded admin-level backdoor account that can grant attackers root access to devices via either the SSH interface or the web administration panel:
TL;DR: If you have a Zyxel USG, ATP, VPN, ZyWALL or USG FLEX you should update to the latest firmware version today. You can find the full list of affected devices here and the Zyxel advisory here.
[...] When doing some research (rooting) on my Zyxel USG40, I was surprised to find a user account 'zyfwp' with a password hash in the latest firmware version (4.60 patch 0). The plaintext password was visible in one of the binaries on the system. I was even more surprised that this account seemed to work on both the SSH and web interface.
$ ssh [email protected]
Password: Pr*******Xp
Router> show users current
No: 1
Name: zyfwp
Type: admin
(...)
Router>
The user is not visible in the interface and its password cannot be changed. I checked the previous firmware version (4.39) and although the user was present, it did not have a password. It seemed the vulnerability had been introduced in the latest firmware version. Even though older versions do not have this vulnerability, they do have others (such as this buffer overflow) so you should still update.
Release notes for a fix are available on Zyxel's FTP site as a .PDF file.
Also on ZDNet.
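A defender-side check for the account described in the quoted write-up, as an added example (not code from Eye, Zyxel, or this story): it parses `show users current` output saved from a device and flags any session by `zyfwp`, plus admin sessions for accounts outside an allowlist. It assumes the "Field: value" record layout shown in the excerpt; the `expected_admins` allowlist and the sample output are constructed for illustration.

```python
import re

# Account name taken from the quoted Eye write-up above.
BACKDOOR_ACCOUNT = "zyfwp"

# Constructed sample: two sessions in the "Field: value" layout shown in the
# quoted excerpt. Only the fields visible there (No, Name, Type) are used.
SAMPLE_OUTPUT = """\
Router> show users current
No: 1
Name: admin
Type: admin
No: 2
Name: zyfwp
Type: admin
Router>
"""

FIELD_RE = re.compile(r"^\s*(No|Name|Type)\s*:\s*(.*?)\s*$")


def parse_sessions(text):
    """Split CLI output into one dict per session; a 'No:' line starts a record."""
    sessions, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # prompts, "(...)" elisions, blank lines
        key, value = m.group(1).lower(), m.group(2)
        if key == "no":
            current = {"no": value}
            sessions.append(current)
        elif current is not None:
            current[key] = value
    return sessions


def audit_sessions(text, expected_admins):
    """Return (session, reason) pairs that need investigation."""
    expected = {name.lower() for name in expected_admins}
    findings = []
    for s in parse_sessions(text):
        name = s.get("name", "").lower()
        if name == BACKDOOR_ACCOUNT:
            findings.append((s, "hardcoded account in use"))
        elif s.get("type", "").lower() == "admin" and name not in expected:
            findings.append((s, "admin session for unexpected account"))
    return findings
```

Calling `audit_sessions(SAMPLE_OUTPUT, ["admin"])` on the constructed sample returns one finding, for session 2. A hit on a device you manage means the account is usable and in use, so treat it as an incident and not only as a patching reminder.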
(Score: 2, Insightful) by Anonymous Coward on Tuesday January 05, @12:21AM (2 children)
If you are a Fortune 500 corp, you should hire decent IT staff to cook up a custom firewall.
Too bad, MBAs, particularly the finance/accounting types, hate IT pros. They think they can simply buy some shits and consultants from snake-oil vendors, and wouldn't you know, these vendors are also run by the same MBA types.
(Score: 2) by FatPhil on Tuesday January 05, @01:09AM (1 child)
(yes, that was sarcasm)
I know I'm God, because every time I pray to him, I find I'm talking to myself.
(Score: 0) by Anonymous Coward on Tuesday January 05, @04:13AM
You are wrong. Juniper is the way to go.
(Score: 3, Funny) by Runaway1956 on Tuesday January 05, @12:24AM (2 children)
It's comforting to many, to know that some random kid halfway around the world can administer that complicated box on the shelf.
#lockhimup #notmypresident #resistance #impeachhimnow #walkaway
(Score: 0, Offtopic) by Anonymous Coward on Tuesday January 05, @12:38AM
That's what your 2nd Amendment is for, Runaway!
(Score: 0) by Anonymous Coward on Tuesday January 05, @11:00PM
As opposed to the perpetually half drunk old dude with memory lapses next to you?
(Score: 0) by Anonymous Coward on Tuesday January 05, @12:25AM
(grin)
(Score: 1, Funny) by Anonymous Coward on Tuesday January 05, @02:51AM (4 children)
Is it possible this is how the Dems managed to steal the election without leaving any evidence? The lack of a denial is telling.
(Score: 0) by Anonymous Coward on Tuesday January 05, @04:11PM (3 children)
I suppose one could argue that the lack of tamper resistant measures to make cheating more detectable is evidence of cheating. The only reason to be against tamper resistant elections is if you plan to cheat. So the lack of tamper resistance built into the voting process could be considered evidence of cheating. If you have nothing to hide then you should have no problems proving it by being in favor of tamper resistant elections.
Tamper resistant elections should be a given; it's not something we can just vote for, because if the integrity of the elections themselves is in question, what's the point of voting to fix it?
(Score: 0) by Anonymous Coward on Tuesday January 05, @04:26PM (2 children)
The fact that so many judges dismissed so many lawsuits is proof that the Deep State has permeated the entire System. Time to bring it all down, amirite? And pay down the national debt, amirite? Thoughts and prayers for COVID/guns/poor/uninsured/homeless.
(Score: 0) by Anonymous Coward on Tuesday January 05, @04:46PM (1 child)
Which misses the point. If tamper resistance measures are absent then cheating is more difficult to detect. So if cheating is less detectable and it did happen then there is little point in even bringing it to court to try and prove that cheating happened (it's not detectable) and to argue in favor of who really won the elections because no one really knows who won the elections or if cheating did or didn't happen. So what are the courts supposed to even try?
Tamper resistance should be built into the system. Unless you plan to cheat you should be in favor of tamper resistance if you really have nothing to hide. The only reason to be against it is if you plan to cheat. Prove you have nothing to hide. If you are unwilling to do so then it's reasonable to assume that you plan to cheat and that itself is evidence of cheating.
(Score: 0) by Anonymous Coward on Tuesday January 05, @04:52PM
The lack of tamper resistance is evidence of cheating but it's not something you can really bring to a court because the only reasonable remedy they can rule in favor of would be to re-conduct the elections with tamper resistance in place and that's not really going to happen. They can't remedy the situation by choosing a winner themselves because that's not a remedy.