Hacking

Expert found backdoor credentials in ZyXEL LTE3301-M209

The cybersecurity researcher RE-Solver discovered backdoor credentials in ZyXEL LTE3301-M209 LTE indoor routers.

Security researcher ReSolver announced the discovery of hardcoded credentials (CVE-2022-40602) in ZyXEL LTE3301-M209 LTE indoor routers.

In previous research, the expert discovered a Telnet backdoor in the D-Link DWR-921 router; the same backdoor is also present in the ZyXEL LTE3301-M209.

The researcher analyzed the commander ELF, focusing on the amit* functions that contained the backdoor in the D-Link routers.
Unlike in the D-Link analysis, the researcher had no physical access to the device and instead attempted to retrieve the password from the configuration file.

“The firmware is basically a merge of 3 sections, the LZMA section is the kernel, at 0x148CD6 the root-fs and at 0x90BD36 the www content,” wrote the expert. “Inside the last Squashfs there is a [censored] file which contains at 0x10 the Zlib magic bytes.”
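As an added example (not code from the researcher or from ZyXEL), here is a defender-side carving routine for the layout described above: it walks a blob, validates the RFC 1950 zlib header at each offset, inflates only streams that terminate cleanly, and flags lines that look like credentials so an auditor can spot plaintext secrets in a config. The sample blob is constructed in-code with placeholder values; it is not the router's real config file.

```python
import zlib

# Constructed sample: a 16-byte vendor header followed by a zlib-compressed
# config, mimicking the "zlib magic at 0x10" layout. The content is made-up
# placeholder text, not the device's real configuration.
_SAMPLE_CONFIG = b"user=admin\npass=[PLACEHOLDER]\ntelnet=1\n"
SAMPLE_BLOB = b"\x00" * 16 + zlib.compress(_SAMPLE_CONFIG)


def is_zlib_header(cmf: int, flg: int) -> bool:
    """RFC 1950 check: CM must be 8 (deflate) and (CMF*256 + FLG) % 31 == 0."""
    return (cmf & 0x0F) == 8 and ((cmf << 8) | flg) % 31 == 0


def carve_zlib_streams(blob: bytes, min_size: int = 8):
    """Return (offset, decompressed_bytes) for every valid zlib stream found.

    Every offset whose two bytes pass the header check is tried; candidates
    that do not inflate to a clean end-of-stream are skipped, so a blob with
    no real stream yields an empty list rather than an exception.
    """
    found = []
    for off in range(len(blob) - 1):
        if not is_zlib_header(blob[off], blob[off + 1]):
            continue
        d = zlib.decompressobj()
        try:
            data = d.decompress(blob[off:]) + d.flush()
        except zlib.error:
            continue  # false-positive header: not a real deflate stream
        if not d.eof or len(data) < min_size:
            continue  # truncated stream, or too small to be a config
        found.append((off, data))
    return found


def looks_like_credentials(text: bytes):
    """Flag config lines carrying common credential keys (triage helper)."""
    keys = (b"pass", b"pwd", b"secret", b"token")
    return [ln for ln in text.splitlines() if any(k in ln.lower() for k in keys)]


if __name__ == "__main__":
    for off, data in carve_zlib_streams(SAMPLE_BLOB):
        print(f"zlib stream at 0x{off:X}, {len(data)} bytes inflated")
        for line in looks_like_credentials(data):
            print("  possible credential:", line.decode(errors="replace"))
```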

Once the file was unpacked, ReSolver noticed the following sequence:


Although he did not find Telnet credentials, he discovered something that looks like a backdoor in the web UI.

“Same as before, and the unpacked config.dat is going to contain the telnet login password,” states the expert. “Let’s put things together: On ZyXEL LTE3301 we have two ways to own the device:

  • webUI credentials –> username / WebUIFakePassword
  • telnet credentials –> root / TelnetFakePassword”

Owners of impacted devices should upgrade to the latest firmware release as soon as possible.

Below is the timeline for this issue:

  • 12 Sep 2022: Vulnerability reported to ZyXEL
  • 13 Sep 2022: ZyXEL asks for detail in order to replicate the vulnerability.
  • 13 Sep 2022: Details sent to ZyXEL.
  • 14 Sep 2022: ZyXEL confirms that the issues only affect the LTE3301-M209 model. They’re working with the vendor to fix it. They ask to keep the information confidential until the patch has been released.
  • 17 Sep 2022: Waiting for the patch.
  • 19 Oct 2022: The issue is now tracked as CVE-2022-40602.
  • 22 Nov 2022: ZyXEL’s security bulletin published. A firmware fix has been released.
  • 24 Dec 2022: Hopefully users have now updated their own devices; it’s time to make my blog post public.

The expert and the Zyxel PSIRT decided not to disclose the credentials, to prevent mass exploitation in the wild.


Pierluigi Paganini

(SecurityAffairs – hacking, ZyXEL LTE3301-M209)
