Anyone who uses Zyxel firewalls should bring them up to date quickly. Otherwise, attackers could log into devices directly over the Internet via SSH and access them with admin rights.

This scenario is now within reach , as attackers are currently actively scanning for SSH connections. If you come across a Zyxel SSH connection, you could log in with a known password due to the recently discovered backdoor account zwyfp.

The SANS Internet Storm Center reported about the scans in a message . The secure firmware 4. 60 Patch1 has been released for the firewalls of the ATP, USG, USD-Flex and VPN series. Security update 6. 10 Patch1 for the vulnerable access point controllers NXC 2500 and NXC 5500 is due to appear on January 8, according to a warning from Zyxel. VPN devices with SD-OS should not be affected by this.

General security tips In general, admin accounts only ever are accessible to a restricted group of people. In addition, one should avoid access via the Internet in order to reduce the attack surface. If it cannot be avoided, such remote access should be adequately secured and encrypted.

Admins must also ensure that the firmware of devices is always up to date. Where possible, such checks and installations should be automated.

A security researcher from the Dutch IT security company Eye came across the back door. Zyxel claims to have created the account for automatic firmware updates via FTP, which is not visible in the account management. The password is static and cannot be changed. Access via SSH and the web interface is also possible.

(des)