Very High
CVE-2020-29583 Zyxel USG Hard-Coded Admin Creds
CVE-2020-29583 Zyxel USG Hard-Coded Admin Creds
Description
Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges.
Add Assessment
Technical Analysis
A hardcoded username of zyfwp with password PrOw!aN_fXp exists on Zyxel ATP, USG, USG Flex, and VPN firewalls running firmware versions prior to ZLD v4.60 Patch 1. Additionally NXC2500 and NXC5500 AP controllers running firmware versions prior to v6.10 Patch 1 are also affected. The zyfwp account was designed to deliver automatic firmware updates to connected access points via FTP. This means that it has administrative privileges and could be used to compromise the firewall itself and change its settings to allow the attacker to gain further access into an organization’s network.
Security researchers discovered that this account existed, along with its plaintext hardcoded password, whilst looking through the firmware of affected devices, as discussed at https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html.
Note that there has been increased exploitation of this vulnerability in the wild as of January 6th as noted at https://threatpost.com/cybercriminals-exploits-zyxel-flaw/162789/ and https://isc.sans.edu/diary/26954.
CVSS V3 Severity and Metrics
General Information
Vendors
- zyxel
Products
- usg110 firmware 4.60,
- usg1100 firmware 4.60,
- usg1900 firmware 4.60,
- usg20-vpn firmware 4.60,
- usg20w-vpn firmware 4.60,
- usg210 firmware 4.60,
- usg2200 firmware 4.60,
- usg310 firmware 4.60,
- usg40 firmware 4.60,
- usg40w firmware 4.60,
- usg60 firmware 4.60,
- usg60w firmware 4.60,
- zywall110 firmware 4.60,
- zywall1100 firmware 4.60,
- zywall310 firmware 4.60
Exploited in the Wild
References
Miscellaneous
Technical Analysis
Description
On Wednesday, December 23, 2020, Zyxel released a security advisory for CVE-2020-29583, a “hardcoded credential vulnerability” in its firewall and AP controller products. The vulnerability was discovered by Niels Teusink of EYE.
According to Zyxel, the account with hardcoded credentials was designed to deliver automatic firmware updates to connected access points through FTP. Teusink determined that the account had admin privileges and was accessible via both the device’s web interface and its SSH service, leading to a complete compromise of the device’s management functionality.
As of January 6, 2021, SANS reports that CVE-2020-29583 is being actively exploited in the wild.
Affected products
The following table was provided by Zyxel.
| Affected product series | Patch available in |
|---|---|
| Firewalls | |
| ATP series running firmware ZLD V4.60 | ZLD V4.60 Patch1 in Dec. 2020 |
| USG series running firmware ZLD V4.60 | ZLD V4.60 Patch1 in Dec. 2020 |
| USG FLEX series running firmware ZLD V4.60 | ZLD V4.60 Patch1 in Dec. 2020 |
| VPN series running firmware ZLD V4.60 | ZLD V4.60 Patch1 in Dec. 2020 |
| AP controllers | |
| NXC2500 running firmware V6.00 through V6.10 | V6.10 Patch1 on Jan. 8, 2021 |
| NXC5500 running firmware V6.00 through V6.10 | V6.10 Patch1 on Jan. 8, 2021 |
Rapid7 analysis
The zyfwp user is a Unix user with password PrOw!aN_fXp. The user can log in to an affected Zyxel device’s web interface and SSH service. Admin access to a management interface is granted.
Guidance
Zyxel has provided an FAQ detailing how to mitigate the risk posed by CVE-2020-29583. Rapid7 strongly recommends that Zyxel customers upgrade their firmware to the latest available version.
