Expert found Backdoor credentials in ZyXEL LTE3301 M209

The cybersecurity researcher RE-Solver discovered Backdoor credentials in ZyXEL LTE3301-M209 LTE indoor routers.

Security researcher ReSolver announced the discovery of hardcoded credentials (CVE-2022-40602) in ZyXEL LTE3301-M209 LTE indoor routers.

In previous research, the expert discovered a Telnet backdoor in D-Link DWR-921 which is also present in the ZyXEL LTE3301-M209 as well. 

The researcher analyzed the commander ELF, focusing on the amit* functions that were containing the backdoor in D-Link routers.
Unlike the D-Link analysis, the researchers has no physical access to the device and attempted to retrieve the password from the config.

“The firmware is basically a merge of 3 sections, the LZMA section is the kernel, at 0x148CD6 the root-fs and at 0x90BD36 the www content.” wrote the expert. “Inside the last Squashfs there is a [censored] file which is contains at 0x10 the Zlib magic bytes.”

Once unpacked the file, ReSolver noticed the following sequence:

Despite he did not find Telnet credentials, he discovered something which looks like a backdoor in the webUI.

“Same as before and unpack the config.dat is going to contain the telnet login password” states the expert. “Let’s put things together: On ZyXEL LTE3301 we have two ways to own the device:

• webUI credentials –> username / WebUIFakePassword
• telnet credentials  –> root / TelnetFakePassword

Owners of impacted devices have to upgrade them with the latest firmware release as soon as possible.

Below is the timeline for this issue:

• 12 Sep 2022: Vulnerability reported to ZyXEL
• 13 Sep 2022: ZyXEL asks for detail in order to replicate the vulnerability.
• 13 Sep 2022: Details sent to ZyXEL.
• 14 Sep 2022: ZyXEL confirms that the issues only affect the LTE3301-M209 model. They’re working to the vendor to fix it. They ask to keep the information confidential until the patch has been released.
• 17 Sep 2022: Waiting for the patch.
• 19 Oct 2022: The issue is now tracked by CVE-2022-40602
• 22 Nov 2022: ZyXEL’s security bullettin published. A firmware fix has been released.
• 24 Dec 2022 Hopefully users has now updated their own devices, It’s time to make my blog post public.
  

The expert and the Zyxel PSIRT decided to avoid disclosing the credentials the prevent massive exploitation in the wild.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ZyXEL LTE3301-M209)

[adrotate banner=”5″]

[adrotate banner=”13″]