Recently disclosed CVE-2020-29583 Zyxel flaw already under opportunistic attack

Threat actors are attempting to hack Zyxel devices exploiting the recently disclosed vulnerability CVE-2020-29583, security researchers warn.

The Taiwanese vendor Zyxel has recently addressed a critical vulnerability in its firmware, tracked as CVE-2020-29583, related to the presence of a hardcoded undocumented secret account. The vulnerability received a CVSS score of 7.8, it could be exploited by an attacker to login with administrative privileges and take over the networking devices.

“Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware.” reads the advisory published by NIST. “This account can be used by someone to login to the ssh server or web interface with admin privileges.”

The CVE-2020-29583 flaw affects the firmware version 4.60 that is used by multiple Zyxel devices.

The vendor removed all vulnerable firmware versions from its cloud and website, except for USG FLEX 100W/700 due to base FW upgrade. 

Impacted devices include Unified Security Gateway (USG), ATP, USG FLEX and VPN firewalls products.

According to the vendor, the hidden account was used to deliver automatic firmware updates to connected access points through FTP.

Unfortunately a few days after the disclosure of the flaw threat actors started attempting exploiting it.

Security experts observed a small number of attacks attempting to trigger the CVE-2020-29583 flaw.

Security experts from threat intelligence firm GreyNoise are observing the attempts to access the vulnerable device using the Zyxel undocumented account since early January.

According to GreyNoise, the attacks are opportunistic exploitation of the Zyxel backdoor, threat actors are also crawling SOHO Routers exposed online.

At the time of this writing, the attacks have yet to be attributed to a specific threat actor.

The vulnerability was discovered by the security researcher Niels Teusink from EYE.

The expert discovered an undocumented account (“zyfwp”) with the password “PrOw!aN_fXp” stored in plaintext. The credentials could be also used by a malicious third-party to login to the SSH server or web interface with admin privileges.

“When doing some research (rooting) on my Zyxel USG40, I was surprised to find a user account ‘zyfwp’ with a password hash in the latest firmware version (4.60 patch 0). The plaintext password was visible in one of the binaries on the system.” reads the post published by Teusink. “I was even more surprised that this account seemed to work on both the SSH and web interface.”

$ ssh zyfwp@192.168.1.252
Password: Pr*******Xp
Router> show users current
No: 1
  Name: zyfwp
  Type: admin
(...)
Router>

The expert pointed out that the user is not visible in the device’s interface and its password cannot be changed.

Teusink also revealed that more than 100,000 Zyxel devices have exposed the Web interface to the Internet, he added that around 10% of 1000 devices in the Netherlands run a vulnerable version of the firmware.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Zyxel)

[adrotate banner=”5″]

[adrotate banner=”13″]