Systems, Info System Security Russell Mickler

How to Disable Admin Access to Zyxel from WAN

Zyxel recently announced a security vulnerability affecting their products. WAN access to the admin console is part of the problem. Here’s how to turn it off and walk through a remediation process.

Zyxel recently announced a security issue concerning its USG/ZyWALL, USG FLEX, ATP, and VPN series running on-premise ZLD firmware.

An aggressor capable of accessing the admin login from WAN can insert a new routing policy and new backdoor admin users. A full write-up and remediation process can be found here.

Currently, there’s no fix.

In the meantime, here’s how to disable admin access to console from WAN.

WARNING:

Once you take this step, you’ll have to access the web console from the LAN, so you’ll need to be behind the firewall to manage it until you re-enable HTTPS on the WAN Service Group. You’ll want to do this from a local machine on the LAN or over a VPN connection that puts you behind the firewall.

  1. Log in to the Zyxel as Admin.

  2. Go to Configuration > Object > Service.

  3. Select the Service Groups Tab.

  4. Find the Default Allow WAN to Zywall Policy.


If HTTPS is in the Member Service Group, select HTTPS and remove it.


Strike the OK button and the configuration will be saved.

Your Zywall is now protected from the attack.
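To confirm the change took effect, the following check (an added example, not part of the original post) probes the HTTPS port from a machine outside the firewall and reports whether anything still answers. The address `203.0.113.10` is a placeholder for your own WAN IP, and the function names are illustrative.

```python
import socket
import sys

def probe(host, port=443, timeout=3.0):
    """Classify one TCP connect attempt against host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed: a listener is reachable
    except ConnectionRefusedError:
        return "refused"         # host replied with a reset: nothing listening
    except socket.gaierror:
        return "unresolved"      # hostname did not resolve; result is inconclusive
    except OSError:
        return "filtered"        # timeout or unreachable: packets are being dropped

def check_wan_https(host, port=443, attempts=3, timeout=3.0):
    """Probe several times; a single 'open' means the port is still exposed."""
    results = [probe(host, port, timeout) for _ in range(attempts)]
    return {
        "host": host,
        "port": port,
        "results": results,
        "exposed": "open" in results,
    }

if __name__ == "__main__":
    # Placeholder WAN address (documentation range); pass your own as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    report = check_wan_https(target)
    print(report)
    # Non-zero exit when the port still answers, so the check can gate a script.
    sys.exit(1 if report["exposed"] else 0)
```

Run it from a network on the WAN side of the device, such as a mobile hotspot; a result of `refused` or `filtered` on every attempt is what you expect after removing HTTPS from the service group.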

Recommendations from Here

  1. Walk through the remediation article I cited above to see if your Zyxel product was affected by the attack.

  2. Take the necessary remediation steps or prove that your device wasn’t affected.

  3. Update your device’s firmware.

My Advice: Don’t trust the Cloud Update procedure inside of the device.

I find the Cloud Update in the GUI misreports highest firmware versions.

Confirm the actual version for your product by logging in to portal.myzyxel.com, accessing My Devices, and attempting to download the latest firmware. Compare version numbers for the active and standby partition.

If you need to update, upload the firmware manually to the standby partition with the option not to reboot when prompted.

The Zyxel should start the upload process (be patient, it’ll take a while) and it shouldn’t reboot on you (I’ve had several USG40’s that rebooted regardless).

If the device doesn’t auto-reboot, reboot it afterwards on your own schedule.

It’ll take the newer firmware in the standby partition as active, putting you on the latest release.

As of this time/date, Zyxel doesn’t have a fix yet, but you’d want to repeat this procedure to manually update to the fixed firmware once it’s released. You should then be able to re-add HTTPS to the WAN Service Group.

R

Systems Russell Mickler

Helping Small Businesses with Technical Support - One Day at a Time

A case study on expert IT support. We repaired a broken POS computer in under an hour, and got our clients back online and helping their customers. We bring that kind of expertise and value to our clients every day.

Yesterday I got an urgent call from one of my small business clients in Portland, Oregon.

They had a Windows computer that failed and had entered recovery mode. That means it wouldn’t boot and they couldn’t use the machine - a huge problem because this was a counter computer that helped run their point-of-sale (POS) software. They needed this thing up to ring in their sales! Yikes!

So when I arrived, I used a couple of tools to try to diagnose and repair the system.

I popped in to a command prompt and issued a few commands to check and repair its system files, to check the disk and repair it, and to fix the master boot record of the machine.

I then powered the system down and turned it back on. It then mounted its disk and launched the o/s. We got back in to the desktop and could start ringing up customers.

Huzzah!

Now, the machine was under a professional warranty and could have been repaired by the OEM by dispatching a technician, have them wipe the machine, reinstall its operating system, drives, and applications; a process that could have taken a few days. Ich - a few days!

Myself, that fix took about an hour.

Why?

Because I knew how to run these steps because of experience.

I’ve got 30+ years of experience with microcomputers … experience that goes beyond knowing what buttons to push during a recovery process. It’s this experience that I bring to every engagement that helps reduce time and extend value to my clients, to get them back and running as quickly as possible without having to wait for a traditional support process which may be well-intentioned yet time-consuming.

If you’d like that kind of IT support for your small business, please give me a ring!

R

Systems Russell Mickler

How to Add Linux Software to a Chromebook

Want to easily add Linux apps to your Chromebook? Here’s a quick couple of steps to get Gnome installed so you can use its application catalog to easily install Linux apps.

First, you’ll want to make sure that your Chromebook/Chromebox can support the Linux shell.

Next, you’ll want to enable the Linux Shell (beta) on your Chromebook. By enabling this feature, you’re installing a virtual machine running each application within its own private sandbox.

You should allocate a minimum of 5GB of drive space to your new VM; options for the VM can be managed within Chrome OS Settings.

Then we’ll perform a number of technical steps to update the repository keys used by the Crostini Project.

From your Chrome OS start, open terminal, and run:

sudo apt-key adv --refresh-keys --keyserver keyserver.ubuntu.com

Now we’re going to do package updates:

sudo apt update && sudo apt upgrade

Now, after all this, you’re ready to install apps by command line within terminal. Those applications would then appear in Chrome OS Start, Software.

However, some users may want to use a graphic user interface to browse and install Linux software. So let’s install Gnome with this command within terminal:

sudo apt-get install gnome-software gnome-packagekit -y

After Gnome is installed, close terminal and entirely reboot your Chromebook. Once it’s back up, go back into terminal and execute:

sudo apt-get upgrade -y

You’re almost done. Complete another reboot and return to Chrome OS to access its start, then the Software app. Be patient - your Linux VM is spinning up to present Gnome to you.


And from here, you can navigate with a GUI to find applications, install them, remove them, and run them via the Software section of Chrome OS.


Remember that there’s a performance hit for running these applications within the VM. You’ll want to open Linux applications sparingly, especially if you’re running on a lesser processor and have limited RAM.
