How to Disable Admin Access to Zyxel from WAN

Zyxel recently announced a security issue affecting its USG/ZyWALL, USG FLEX, ATP, and VPN series running on-premises ZLD firmware.

An attacker who can reach the admin login from the WAN can insert a new routing policy and create backdoor admin users. A full write-up and remediation process can be found here.

Currently, there’s no fix.

In the meantime, here's how to disable admin access to the web console from the WAN.

WARNING:

Once you take this step, the web console is only reachable from the LAN. Until you re-enable HTTPS in the WAN service group, you'll need to be behind the firewall to manage it: either on a local machine on the LAN, or through a VPN connection that terminates behind the firewall.

  1. Log in to the Zyxel as admin.

  2. Go to Configuration > Object > Service.

  3. Select the Service Groups Tab.

  4. Find the Default Allow WAN to ZyWALL service group.

[Screenshot: the Service Groups tab showing the Default Allow WAN to ZyWALL service group]

If HTTPS appears in the service group's Member list, select HTTPS and remove it.

[Screenshot: editing the service group with HTTPS removed from the Member list]

Click OK and the configuration is saved.

Your ZyWALL is now protected from this attack.
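Don't take the GUI's word for it: confirm from the outside that the admin console is no longer answering on the WAN address. The following script is an added example, not code from the original post or from Zyxel; it only attempts a TCP connection to the firewall's public IP on the HTTPS port (443) and sends nothing. The `203.0.113.10` address is a placeholder from the documentation range; replace it with your own firewall's WAN IP, and run the check from a host that is not behind the firewall (a VPN client connected behind it would still see the LAN side).

```python
import socket
import sys


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port succeeds within timeout.

    Only reachability is tested: the connection is closed immediately
    and nothing is sent, so this is safe to run against your own firewall.
    A refused, filtered (timed out) or unresolvable target all count as closed.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def wan_admin_exposure(wan_ip: str, ports=(443,), timeout: float = 3.0) -> dict:
    """Check each management port on the firewall's WAN address.

    Returns {port: True/False}. After removing HTTPS from the
    Default Allow WAN to ZyWALL service group, 443 should report False
    when this runs from outside the LAN. Other ports are not part of the
    post's procedure; pass them explicitly if you want to check them too.
    """
    return {port: tcp_port_open(wan_ip, port, timeout) for port in ports}


def report(results: dict) -> str:
    """Render the exposure check as one line per port."""
    lines = []
    for port, is_open in sorted(results.items()):
        state = "REACHABLE - admin console still exposed" if is_open else "closed/filtered"
        lines.append(f"tcp/{port}: {state}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Placeholder WAN address (TEST-NET-3); pass your firewall's public IP as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    print(report(wan_admin_exposure(target)))
```

Run it once before the change (expect tcp/443 REACHABLE) and once after (expect closed/filtered); the pair of results is also a useful record for the remediation write-up.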

Recommendations from Here

  1. Walk through the remediation article I cited above to see if your Zyxel product was affected by the attack.

  2. Take the necessary remediation steps or prove that your device wasn’t affected.

  3. Update your device’s firmware.

My Advice: Don’t trust the Cloud Update procedure inside of the device.

I find the Cloud Update in the GUI misreports highest firmware versions.

Confirm the actual latest version for your product by logging in to portal.myzyxel.com, opening My Devices, and attempting to download the latest firmware. Compare that version number against the versions on your device's active and standby partitions.

If you need to update, upload the firmware manually to the standby partition with the option not to reboot when prompted.

The Zyxel should start the upload process (be patient, it'll take a while) and it shouldn't reboot on you (I've had several USG40s that rebooted regardless).

If the device doesn't reboot on its own, reboot it afterwards on your own schedule.

On reboot it will take the newer firmware in the standby partition as active, putting you on the latest release.

As of this writing, Zyxel doesn't have a fix yet, but you'll want to repeat this procedure to manually install the fixed firmware once it's released. You should then be able to re-add HTTPS to the WAN service group.

R

Russell Mickler

Russell Mickler is a computer consultant in Vancouver, WA, who helps small businesses use technology better.

https://www.micklerandassociates.com/about