Attacker Value: Very High (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: None
Privileges Required: None
Attack Vector: Network

CVE-2020-29583 Zyxel USG Hard-Coded Admin Creds

Disclosure Date: December 22, 2020
Exploited in the Wild
Reported by gwillcox-r7

Description

Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by anyone to log in to the SSH server or web interface with admin privileges.

https://nvd.nist.gov/vuln/detail/CVE-2020-29583

Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

A hardcoded username of zyfwp with password PrOw!aN_fXp exists on Zyxel ATP, USG, USG Flex, and VPN firewalls running firmware versions prior to ZLD v4.60 Patch 1. Additionally, NXC2500 and NXC5500 AP controllers running firmware versions prior to v6.10 Patch 1 are also affected. The zyfwp account was designed to deliver automatic firmware updates to connected access points via FTP. This means that it has administrative privileges and could be used to compromise the firewall itself and change its settings to allow the attacker to gain further access into an organization’s network.

Security researchers discovered that this account existed, along with its plaintext hardcoded password, whilst looking through the firmware of affected devices, as discussed at https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html.

Note that there has been increased exploitation of this vulnerability in the wild as of January 6th as noted at https://threatpost.com/cybercriminals-exploits-zyxel-flaw/162789/ and https://isc.sans.edu/diary/26954.

CVSS V3 Severity and Metrics
Base Score: 9.8 Critical
Impact Score: 5.9
Exploitability Score: 3.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Technical Analysis

Description

On Wednesday, December 23, 2020, Zyxel released a security advisory for CVE-2020-29583, a “hardcoded credential vulnerability” in its firewall and AP controller products. The vulnerability was discovered by Niels Teusink of EYE.

According to Zyxel, the account with hardcoded credentials was designed to deliver automatic firmware updates to connected access points through FTP. Teusink determined that the account had admin privileges and was accessible via both the device’s web interface and its SSH service, leading to a complete compromise of the device’s management functionality.

As of January 6, 2021, SANS reports that CVE-2020-29583 is being actively exploited in the wild.

Affected products

The following table was provided by Zyxel.

Affected product series                            Patch available in
Firewalls
  ATP series running firmware ZLD V4.60            ZLD V4.60 Patch1 in Dec. 2020
  USG series running firmware ZLD V4.60            ZLD V4.60 Patch1 in Dec. 2020
  USG FLEX series running firmware ZLD V4.60       ZLD V4.60 Patch1 in Dec. 2020
  VPN series running firmware ZLD V4.60            ZLD V4.60 Patch1 in Dec. 2020
AP controllers
  NXC2500 running firmware V6.00 through V6.10     V6.10 Patch1 on Jan. 8, 2021
  NXC5500 running firmware V6.00 through V6.10     V6.10 Patch1 on Jan. 8, 2021
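Zyxel's table can be turned into an inventory check that flags exactly the firmware ranges the vendor lists (only V4.60 for the firewall series, V6.00 through V6.10 for the AP controllers, both fixed by Patch1). The following is an added example, not code from Zyxel, Rapid7 or EYE. The Device record, the sample inventory, and the two firmware-string forms it parses are assumptions made here: Zyxel's "V4.60(ABUI.1)" display style, where the digit after the dot inside the parentheses is read as the patch level, and the advisory's "ZLD V4.60 Patch1" wording. Check the first assumption against your own devices before trusting the result.

```python
"""Triage a device inventory against Zyxel's CVE-2020-29583 affected table.

Added example, not code from Zyxel, Rapid7 or EYE. The Device record and the
inventory below are constructed for illustration. Version strings are parsed
in two assumed forms: Zyxel's "V4.60(ABUI.1)" display style, where the digit
after the dot inside the parentheses is read as the patch level, and the
advisory's "ZLD V4.60 Patch1" wording.
"""
import re
from dataclasses import dataclass

# Firewall series: only ZLD V4.60 is affected; fixed in V4.60 Patch1.
FIREWALL_SERIES = {"ATP", "USG", "USG FLEX", "VPN"}
# AP controllers: V6.00 through V6.10 affected; fixed in V6.10 Patch1.
AP_CONTROLLERS = {"NXC2500", "NXC5500"}

VERSION_RE = re.compile(
    r"V?(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\([A-Z]+\.(?P<ppatch>\d+)\))?"      # assumed: "(ABUI.1)" -> patch 1
    r"(?:\s*Patch\s*(?P<tpatch>\d+))?",      # advisory wording: "Patch1"
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Device:
    name: str
    series: str     # "ATP", "USG", "USG FLEX", "VPN", "NXC2500", "NXC5500"
    firmware: str   # as reported by the device, e.g. "V4.60(ABUI.0)"


def parse_version(fw):
    """Return (major, minor, patch); patch is 0 when no patch marker is present."""
    m = VERSION_RE.search(fw)
    if not m:
        raise ValueError(f"unrecognised firmware string: {fw!r}")
    patch = m.group("ppatch") or m.group("tpatch") or "0"
    return int(m.group("major")), int(m.group("minor")), int(patch)


def is_affected(device):
    """True when the device sits in Zyxel's affected ranges and lacks the Patch1 fix."""
    major, minor, patch = parse_version(device.firmware)
    series = device.series.upper()
    if series in FIREWALL_SERIES:
        # Earlier ZLD releases (4.55 and below) are not in Zyxel's table.
        return (major, minor) == (4, 60) and patch < 1
    if series in AP_CONTROLLERS:
        in_range = (6, 0) <= (major, minor) <= (6, 10)
        fixed = (major, minor) == (6, 10) and patch >= 1
        return in_range and not fixed
    return False  # series not in Zyxel's table


def triage(inventory):
    """Return the names of affected devices, in inventory order."""
    return [d.name for d in inventory if is_affected(d)]


INVENTORY = [  # constructed sample data
    Device("fw-edge-1", "USG", "V4.60(ABUI.0)"),
    Device("fw-edge-2", "USG FLEX", "V4.60(ABUJ.1)"),
    Device("fw-branch", "ATP", "V4.55(ABFW.2)"),
    Device("fw-vpn", "VPN", "ZLD V4.60 Patch1"),
    Device("ap-ctrl-1", "NXC2500", "V6.10(AAIG.0)"),
    Device("ap-ctrl-2", "NXC5500", "V6.10(AAOS.1)"),
    Device("ap-ctrl-3", "NXC2500", "V6.00(AAIG.3)"),
]

if __name__ == "__main__":
    for d in INVENTORY:
        print(f"{d.name:12} {d.series:9} {d.firmware:18} affected={is_affected(d)}")
```

The check deliberately follows Zyxel's own ranges rather than the broader "prior to Patch 1" reading: a firewall on ZLD 4.55 is reported as not affected, which matches the vendor table above.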

Rapid7 analysis

The zyfwp user is a Unix user with password PrOw!aN_fXp. The user can log in to an affected Zyxel device’s web interface and SSH service, and doing so grants administrative access to the device’s management interface.
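Because zyfwp was meant only for FTP firmware delivery to access points, any SSH or web login by that account is worth an alert, and so is an FTP login from an address that is not one of the firewall's own APs. The detection sketch below is an added example, not Zyxel's or Rapid7's code; the log line layout, the sample lines and the MANAGED_APS set are constructed here for illustration and need adapting to the syslog format your firewalls actually emit.

```python
"""Flag use of the zyfwp account outside its intended FTP-to-AP role.

Added example, not code from Zyxel or Rapid7. The log line format, the sample
lines and MANAGED_APS are constructed for illustration; adapt LOG_RE to the
syslog format your Zyxel devices actually produce.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+(?P<host>\S+)\s+"
    r"(?P<service>SSH|HTTPS?|FTP)\s+login\s+(?P<result>ok|failed)\s+"
    r"user=(?P<user>\S+)\s+src=(?P<src>[\d.]+)$"
)

# Constructed sample log: one admin login, then a mix of zyfwp activity.
SAMPLE_LOG = """\
Jan  6 09:58:01 usg-edge SSH login ok user=admin src=10.0.5.20
Jan  6 10:12:33 usg-edge SSH login ok user=zyfwp src=203.0.113.45
Jan  6 10:12:40 usg-edge HTTPS login ok user=zyfwp src=203.0.113.45
Jan  6 10:30:02 usg-edge FTP login ok user=zyfwp src=10.0.9.11
Jan  6 11:02:17 usg-edge HTTPS login failed user=zyfwp src=198.51.100.7
Jan  6 11:05:44 usg-edge FTP login ok user=zyfwp src=203.0.113.45
""".splitlines()

MANAGED_APS = {"10.0.9.11"}  # constructed: access points this firewall serves

INTERACTIVE = {"SSH", "HTTP", "HTTPS"}


def parse(line):
    """Return the event fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def zyfwp_alerts(lines, managed_aps=MANAGED_APS):
    """Return one alert per zyfwp event that falls outside FTP delivery to a managed AP.

    Failed attempts are reported as well: the password is fixed and public, so
    a failure usually means a probe against a patched device, not a typo.
    """
    alerts = []
    for line in lines:
        ev = parse(line)
        if not ev or ev["user"] != "zyfwp":
            continue
        if ev["service"] in INTERACTIVE:
            reason = f"{ev['service']} login by zyfwp ({ev['result']})"
        elif ev["src"] not in managed_aps:
            reason = "FTP login by zyfwp from a non-AP address"
        else:
            continue  # expected: firmware delivery to a managed AP
        alerts.append({"ts": ev["ts"], "src": ev["src"],
                       "service": ev["service"], "result": ev["result"],
                       "reason": reason})
    return alerts


def sources_by_alert_count(alerts):
    """Rank source addresses by how many alerts they produced."""
    return Counter(a["src"] for a in alerts).most_common()


if __name__ == "__main__":
    found = zyfwp_alerts(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']}  {a['src']:15}  {a['reason']}")
    print(sources_by_alert_count(found))
```

On the constructed sample this yields four alerts, all but one from the same external address, while the FTP login from the managed AP is left alone.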

Guidance

Zyxel has provided an FAQ detailing how to mitigate the risk posed by CVE-2020-29583. Rapid7 strongly recommends that Zyxel customers upgrade their firmware to the latest available version.

References