How to Disable Admin Access to Zyxel from WAN
Zyxel recently announced a security vulnerability affecting their products. WAN access to the admin console is part of the problem. Here’s how to turn it off and walk through a remediation process.
Zyxel recently announced a security issue concerning its USG/ZyWALL, USG FLEX, ATP, and VPN series running on-premise ZLD firmware.
An aggressor capable of accessing the admin login from WAN can insert a new routing policy and new backdoor admin users. A full write-up and remediation process can be found here.
Currently, there’s no fix.
In the meantime, here’s how to disable admin access to console from WAN.
WARNING:
Once you take this step, you'll have to access the web console from the LAN, so you'll need to be behind the firewall to manage the device until you re-enable HTTPS on the WAN Service Group. Do this from a local machine on the LAN, or through a VPN connection that terminates behind the firewall.
Log in to the Zyxel as Admin.
Go to Configuration > Object > Service.
Select the Service Groups Tab.
Find the Default Allow WAN to ZyWALL policy.
If HTTPS is in the Member Service Group, select HTTPS and remove it.
Strike the OK button and the configuration will be saved.
Your ZyWALL is now protected from the attack.
Recommendations from Here
Walk through the remediation article I cited above to see if your Zyxel product was affected by the attack.
Take the necessary remediation steps or prove that your device wasn’t affected.
Update your device’s firmware.
My Advice: Don't trust the Cloud Update procedure inside the device.
I find the Cloud Update in the GUI misreports the highest firmware version.
Confirm the actual version for your product by logging in to portal.myzyxel.com, accessing My Devices, and attempting to download the latest firmware. Compare version numbers for the active and standby partitions.
If you need to update, upload the firmware manually to the standby partition with the option not to reboot when prompted.
The Zyxel should start the upload process (be patient, it'll take a while) and it shouldn't reboot on you (I've had several USG40s that rebooted regardless).
If the device doesn't auto-reboot, reboot it afterwards on your own schedule.
It'll take the newer firmware in the standby partition as active, putting you on the latest release.
As of this writing, Zyxel doesn't have a fix yet, but you'll want to repeat this procedure to manually update to the fix firmware once it's released. You should then be able to re-add HTTPS to the WAN Service Group.
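Two checks to go with the steps above, as an added example rather than anything from the original post or from Zyxel: after removing HTTPS from the WAN service group, confirm from a host outside the firewall that the admin console no longer answers on 443 (a dropped connection reports as filtered, a reset as closed), and compare the active and standby firmware strings before rebooting onto the standby partition. The ZLD version format, the model code ABAQ and the 192.0.2.1 address are assumptions and constructed sample values, not values from the page.

```python
import re
import socket

# Assumed ZLD-style version string, e.g. "V4.60(ABAQ.0)" or "4.60(ABAQ.1)ITS-WK47-r1":
# major.minor, a model code in parentheses with a release number, optional patch suffix.
_VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)(.*)$")


def parse_zld_version(text):
    """Return (major, minor, release, model, suffix); raise ValueError on unknown format."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, model, release, suffix = m.groups()
    return (int(major), int(minor), int(release), model, suffix)


def standby_is_newer(active, standby):
    """True when the standby partition holds a newer build than the active one.
    Only major.minor and the release number are compared; the patch suffix is ignored.
    Builds for different model codes are not comparable and raise ValueError."""
    a, s = parse_zld_version(active), parse_zld_version(standby)
    if a[3] != s[3]:
        raise ValueError(f"model code mismatch: {a[3]} vs {s[3]}")
    return s[:3] > a[:3]


def tcp_port_state(host, port, timeout=3.0):
    """'open' if the TCP handshake completes, 'closed' if the peer refuses (RST),
    'filtered' if the connection times out or no route exists (the firewall drops it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:  # includes socket.timeout / TimeoutError and "no route to host"
            return "filtered"


def admin_console_exposed(wan_host, port=443):
    """True if the HTTPS admin console still answers on the firewall's WAN address.
    Run this from a host outside the firewall after removing HTTPS from the WAN group."""
    return tcp_port_state(wan_host, port) == "open"


if __name__ == "__main__":
    # Constructed sample values; replace the address with your firewall's public WAN address.
    print(standby_is_newer("V4.60(ABAQ.0)", "4.60(ABAQ.1)"))  # True: standby is the newer build
    print(admin_console_exposed("192.0.2.1"))  # placeholder WAN address (TEST-NET-1)
```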
R
2021 Phishing Presentation
Phishing attacks represent one of the most dangerous cyber security threats to small businesses. Here's a quick presentation on the nature of Phishing content and the aggressors behind it.
Phishing is one of the most significant cyber security threats facing small to mid-range businesses. Here is our 2021 Phishing Presentation addressing those threats, how to spot them, and who the actors are behind them.
Helping Small Businesses with Technical Support - One Day at a Time
A case study on expert IT support. We repaired a broken POS computer in under an hour, and got our clients back online and helping their customers. We bring that kind of expertise and value to our clients every day.
Yesterday I got an urgent call from one of my small business clients in Portland, Oregon.
They had a Windows computer that failed and had entered recovery mode. That means it wouldn't boot and they couldn't use the machine - a huge problem because this was a counter computer that helped run their point-of-sale (POS) software. They needed this thing up to ring up their sales! Yikes!
So when I arrived, I used a couple of tools to try to diagnose and repair the system.
I popped into a command prompt and issued a few commands to check and repair its system files, to check the disk and repair it, and to fix the master boot record of the machine.
I then powered the system down and turned it back on. It then mounted its disk and launched the OS. We got back into the desktop and could start ringing up customers.
Huzzah!
Now, the machine was under a professional warranty and could have been repaired by the OEM by dispatching a technician, having them wipe the machine, and reinstalling its operating system, drivers, and applications; a process that could have taken a few days. Ich - a few days!
For me, that fix took about an hour.
Why?
Because I knew how to run these steps, thanks to experience.
I’ve got 30+ years of experience with microcomputers … experience that goes beyond knowing what buttons to push during a recovery process. It’s this experience that I bring to every engagement that helps reduce time and extend value to my clients, to get them back and running as quickly as possible without having to wait for a traditional support process which may be well-intentioned yet time-consuming.
If you’d like that kind of IT support for your small business, please give me a ring!
R