Flaws Riddle Zyxel’s Network Management Software
Experts have found more than a dozen security vulnerabilities in Zyxel's network management software, including backdoor accounts and hardcoded SSH keys.
Security researchers Pierre Kim and Alexandre Torres have discovered several vulnerabilities in the Zyxel Cloud CNM SecuManager software that could expose users to cyber attacks.
The Zyxel Cloud CNM SecuManager is a comprehensive network management suite that provides an integrated console for managing security gateways, including the ZyWALL USG and VPN series.
The experts discovered 16 vulnerabilities, ranging from default credentials to insecure memory storage.
Below is the full list of issues discovered by the experts:
- Hardcoded SSH server keys
- Backdoor accounts in MySQL
- Hardcoded certificate and backdoor access in Ejabberd
- Open ZODB storage without authentication
- MyZyxel ‘Cloud’ Hardcoded Secret
- Hardcoded Secrets, APIs
- Predefined passwords for admin accounts
- Insecure management over the ‘Cloud’
- xmppCnrSender.py log escape sequence injection
- xmppCnrSender.py no authentication and clear-text communication
- Incorrect HTTP requests cause out of range access in Zope
- XSS on the web interface
- Private SSH key
- Backdoor APIs
- Backdoor management access and RCE
- Pre-auth RCE with chrooted access
“The attack surface is very large and many different stacks are being used, making it very interesting. Furthermore, some daemons are running as root and are reachable from the WAN. Also, there is no firewall by default,” reads the report published by the researchers.
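The quoted finding (root-owned daemons reachable from the WAN, no default firewall) is something an operator can verify on their own appliance before waiting for a vendor advisory. The script below is an added example, not code from the researchers' report or from Zyxel: it parses the column layout of `lsof -nP -iTCP -sTCP:LISTEN` and flags every listener that runs as root and is bound to something other than loopback. The sample output embedded in the block is constructed for the example and does not describe any real appliance.

```python
# Constructed sample in the column layout of `lsof -nP -iTCP -sTCP:LISTEN`
# (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME). Not real appliance output.
SAMPLE_LSOF = """\
COMMAND    PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      1042  root    3u  IPv4  20111      0t0  TCP *:22 (LISTEN)
mysqld    1100 mysql   21u  IPv4  20345      0t0  TCP 127.0.0.1:3306 (LISTEN)
beam.smp  1180  root   18u  IPv4  20512      0t0  TCP *:5222 (LISTEN)
python    1250  root    4u  IPv4  20677      0t0  TCP 0.0.0.0:8080 (LISTEN)
python    1251  root    5u  IPv4  20678      0t0  TCP 127.0.0.1:8081 (LISTEN)
"""

# Addresses that cannot be reached from another host.
LOOPBACK = {"127.0.0.1", "::1", "[::1]", "localhost"}


def parse_lsof_listen(text):
    """Parse lsof LISTEN rows into dicts with cmd, pid, user, addr and port.

    The first line is the column header and is skipped; any row that does not
    end in "(LISTEN)" is ignored so the function also tolerates full `lsof -i`
    output that mixes in ESTABLISHED connections.
    """
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 9 or parts[-1] != "(LISTEN)":
            continue
        cmd, pid, user = parts[0], int(parts[1]), parts[2]
        addr_port = parts[-2]                 # e.g. "*:22", "127.0.0.1:3306", "[::1]:22"
        addr, _, port = addr_port.rpartition(":")
        rows.append({"cmd": cmd, "pid": pid, "user": user, "addr": addr, "port": int(port)})
    return rows


def is_externally_reachable(addr):
    """True for wildcard binds (*, 0.0.0.0, ::) and any non-loopback address."""
    return addr not in LOOPBACK and not addr.startswith("127.")


def root_daemons_on_all_interfaces(text):
    """Return sorted (command, port) pairs for root-owned listeners not confined to loopback.

    With no firewall in front of the appliance, every one of these is reachable
    from whichever network the interface faces, including the WAN.
    """
    return sorted(
        (row["cmd"], row["port"])
        for row in parse_lsof_listen(text)
        if row["user"] == "root" and is_externally_reachable(row["addr"])
    )


if __name__ == "__main__":
    for cmd, port in root_daemons_on_all_interfaces(SAMPLE_LSOF):
        print(f"root daemon {cmd} listening on all interfaces, port {port}")
```

On a live system, feed the real `lsof` output into `root_daemons_on_all_interfaces` instead of the constructed sample; `mysqld` bound to 127.0.0.1 is correctly left out, which matches the researchers' note below that MySQL only listens on the loopback interface.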
A close look at the list above reveals “Hardcoded SSH server keys” for the main host. Because the key pair is baked into the firmware image, every installation shares it, so an attacker who obtains the private key from any one appliance can impersonate the SSH service of the others and launch MitM attacks.
“By default, the appliance uses
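The practical symptom of a hardcoded SSH host key is that several appliances present the same host-key fingerprint. The script below is an added example written for this article, not code from the researchers or from Zyxel: it parses `ssh-keyscan`-style lines, computes the OpenSSH SHA256 fingerprint of each key blob, and reports any fingerprint shared by more than one host. The key blobs in the sample are constructed (syntactically valid ssh-ed25519 public keys built from a fixed 32-byte value) and are not real keys from any device.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_string(b: bytes) -> bytes:
    """Encode a byte string in SSH wire format (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_blob(seed: int) -> str:
    """Build a syntactically valid ssh-ed25519 public-key blob from a fixed 32-byte value.

    Constructed test data for this example only; it is not a usable key.
    """
    raw = ssh_string(b"ssh-ed25519") + ssh_string(seed.to_bytes(32, "big"))
    return base64.b64encode(raw).decode()


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(raw key)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(lines):
    """Parse ssh-keyscan output lines of the form '<host> <keytype> <base64 blob>'.

    Comment lines (ssh-keyscan prints '# host:port banner') and blanks are skipped.
    """
    entries = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        entries.append((parts[0], parts[1], parts[2]))
    return entries


def find_shared_host_keys(lines):
    """Map '<keytype> <fingerprint>' to the sorted hosts that present it, for keys seen on >1 host."""
    hosts_by_key = defaultdict(set)
    for host, keytype, blob in parse_keyscan(lines):
        hosts_by_key[f"{keytype} {fingerprint(blob)}"].add(host)
    return {key: sorted(hosts) for key, hosts in hosts_by_key.items() if len(hosts) > 1}


# Constructed sample: three appliances, two of which ship the same host key.
SAMPLE_KEYSCAN = [
    "# 10.0.0.11:22 SSH-2.0-OpenSSH_7.4",
    "10.0.0.11 ssh-ed25519 " + make_ed25519_blob(1),
    "10.0.0.12 ssh-ed25519 " + make_ed25519_blob(1),
    "10.0.0.13 ssh-ed25519 " + make_ed25519_blob(2),
]

if __name__ == "__main__":
    for key, hosts in find_shared_host_keys(SAMPLE_KEYSCAN).items():
        print(f"shared host key {key} on {', '.join(hosts)}")
```

To run this against a real fleet, pipe `ssh-keyscan -t rsa,ed25519 host1 host2 ...` into `parse_keyscan`; the fingerprint routine works for any key type because `ssh-keyscan` prints the raw wire-format blob that OpenSSH itself hashes. Two management appliances sharing a fingerprint is the signature of a hardcoded key, and a matching fingerprint on a freshly unpacked unit confirms it.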
Experts also discovered the presence of backdoor accounts in MySQL.
“MySQL is pre-configured with several static accounts. It only listens to the loopback interface.”
Experts also reported the use of predefined passwords for admin accounts.
Another issue is the use of insecure management over the cloud.
“By default, myzxel.pyc used for communication to the ‘Cloud’ uses some hardcoded variables for communication over HTTPS,” said the experts. “The function get_account_info uses the account_id, the jwt_secret and the jwt_secret_id… The jwt_secret and jwt_secret_id are generated as unique key for each appliance.”
Vulnerable software includes Zyxel CNM SecuManager versions 3.1.0 and 3.1.1 – last updated in November 2018.
One of the researchers, Kim, explained that he did not disclose the vulnerabilities to Zyxel because he suspects that the vendor has intentionally introduced the
Zyxel confirmed that it is currently investigating the issues disclosed by the experts and pointed out that CloudCNM SecuManager is used by a very limited number of customers.
At the time of writing the vendor has yet to publish any advisory on the vulnerabilities reported by the experts.
In February, Zyxel addressed a critical remote code execution vulnerability, tracked as CVE-2020-9054, that impacts several of its network-attached storage (NAS) devices; that issue was being exploited in the wild.