Undocumented User Account in Zyxel Products

Accepted submission by fliptop at 2021-01-04 13:41:47
Security

More than 100,000 Zyxel firewalls, VPN gateways, and access point controllers contain a hardcoded admin-level backdoor account that can grant attackers root access to devices [eyecontrol.nl] via either the SSH interface or the web administration panel:

TL;DR: If you have a Zyxel USG, ATP, VPN, ZyWALL or USG FLEX you should update to the latest firmware version today. You can find the full list of affected devices here [zyxel.com] and the Zyxel advisory here [zyxel.com].

[...] When doing some research (rooting) on my Zyxel USG40, I was surprised to find a user account 'zyfwp' with a password hash in the latest firmware version (4.60 patch 0). The plaintext password was visible in one of the binaries on the system. I was even more surprised that this account seemed to work on both the SSH and web interface.

$ ssh [email protected]
Password: Pr*******Xp
Router> show users current
No: 1
Name: zyfwp
Type: admin
(...)
Router>

The user is not visible in the interface and its password cannot be changed. I checked the previous firmware version (4.39) and although the user was present, it did not have a password. It seemed the vulnerability had been introduced in the latest firmware version. Even though older versions do not have this vulnerability, they do have others (such as this buffer overflow [zyxel.com]) so you should still update.

Also on ZDNet [zdnet.com].
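The researcher's observation that the account existed in 4.39 without a password and gained a usable hash in 4.60 is the kind of change a firmware audit can catch automatically. The script below is an added example, not code from the story or from Zyxel: it diffs passwd/shadow-style account lines extracted from two firmware images and flags new accounts, accounts that gained a password hash, and accounts outside a documented list. The file layout, the `DOCUMENTED` set and the sample lines are constructed assumptions; the hash strings are placeholders.

```python
"""Audit Unix-style account files extracted from two firmware images.

Constructed example: flags accounts that appear, gain a password hash, or are
not on the vendor's documented list between one firmware version and the next.
Lines follow an /etc/shadow-like "name:password-field:..." layout; the real
Zyxel file layout is not known from the story.
"""

DOCUMENTED = {"root", "admin"}  # assumption: accounts the vendor documents


def parse_accounts(text):
    """Map account name -> password field from passwd/shadow-style lines."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        accounts[fields[0]] = fields[1]
    return accounts


def has_usable_hash(pw):
    # Empty, "*" and "!..." fields mean no usable password under shadow conventions
    return pw not in ("", "*") and not pw.startswith("!")


def audit(old_text, new_text, documented=DOCUMENTED):
    """Return sorted (account, issue) pairs describing suspicious changes."""
    old, new = parse_accounts(old_text), parse_accounts(new_text)
    findings = set()
    for name, pw in new.items():
        if name not in old:
            findings.add((name, "new account"))
        elif not has_usable_hash(old[name]) and has_usable_hash(pw):
            findings.add((name, "password hash added"))
        if name not in documented and has_usable_hash(pw):
            findings.add((name, "undocumented account with usable password"))
    return sorted(findings)


# Constructed samples mirroring the story: account present but without a
# password in the older image, hashed password in the newer one.
OLD_439 = "root:$6$placeholderA:0:0:::\nadmin:$6$placeholderB:0:0:::\nzyfwp::0:0:::\n"
NEW_460 = "root:$6$placeholderA:0:0:::\nadmin:$6$placeholderB:0:0:::\nzyfwp:$6$placeholderC:0:0:::\n"

if __name__ == "__main__":
    for name, issue in audit(OLD_439, NEW_460):
        print(f"{name}: {issue}")
```

Run against the account files pulled from an unpacked firmware image; any hit on an account the vendor does not document is worth checking against the device's visible user list, since the story notes the account was hidden from the interface.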
