Experts disclose tens of flaws in Zyxel Cloud CNM SecuManager, includes dangerous backdoors

Flaws Riddle Zyxel’s Network Management Software

Experts have found tens of security vulnerabilities in Zyxel Network Management Software, including backdoors and hardcoded SSH keys.

Security researchers Pierre Kim and Alexandre Torres have discovered several vulnerabilities Zyxel Cloud CNM SecuManager software that could expose users to cyber attacks.

The Zyxel Cloud CNM SecuManager is a comprehensive network management software that provides an integrated console to manage security gateways including the ZyWALL USG and VPN Series.

The experts have discovered 16 vulnerabilities, including default credentials to insecure memory storage and backdoors.

Below the full list of issues discovered by the experts:

1. Hardcoded SSH server keys
2. Backdoors accounts in MySQL
3. Hardcoded certificate and backdoor access in Ejabberd
4. Open ZODB storage without authentication
5. MyZyxel ‘Cloud’ Hardcoded Secret
6. Hardcoded Secrets, APIs
7. Predefined passwords for admin accounts
8. Insecure management over the ‘Cloud’
9. xmppCnrSender.py log escape sequence injection
10. xmppCnrSender.py no authentication and clear-text communication
11. Incorrect HTTP requests cause out of range access in Zope
12. XSS on the web interface
13. Private SSH key
14. Backdoor APIs
15. Backdoor management access and RCE
16. Pre-auth RCE with chrooted access

“The attack surface is very large and many different stacks are being used it very interesting. Furthermore, some daemons are running as root and are reachable from the WAN. Also, there is no firewall by default.” reads the report published by the researchers.

Giving a close look at the above list we can notice the presence of “Hardcoded SSH server keys” for the main host that could be used by attackers to launch MiTM attacks.

“By default, the appliance uses hardcoded SSH server keys for the main host and for the chroot environments as shown below. This allows an attacker to MITM and decrypt the encrypted traffic.” reads the post published by the experts. “It should be noted the private keys are using wrong permissions and are world-readable (644).”

Experts also discovered the presence of backdoor accounts in MySQL.

“MySQL is pre-configured with several static accounts. It only listens to the loopback interface.”

Experts also reported the use of predefined passwords for admin accounts.

Another bug is related to the use of insecure management over the cloud.

“By default, myzxel.pyc used for communication to the ‘Cloud’ uses some hardcoded variables for communication over HTTPS,” said the experts. “The function get_account_info uses the account_id, the jwt_secret and the jwt_secret_id… The jwt_secret and jwt_secret_id are generated as unique key for each appliance.”

Technical details about the vulnerabilities are reported in the analysis published by the experts.

Vulnerable software includes Zyxel CNM SecuManager versions 3.1.0 and 3.1.1 – last updated in November 2018.

One of the researchers, Kim, explained that he did not disclose the vulnerabilities to Zyxel because he suspects that the vendor has intentionally introduced the backdoors into its products.

Zyxel confirmed that is currently investigating the issues disclosed by the experts and pointed out that the CloudCNM SecuManager is a used by a very limited number of customers.

At the time of writing the vendor has yet to publish any advisory on the vulnerabilities reported by the experts.

In February, Zyxel addressed a critical remote code execution vulnerability, tracked as CVE-2020-9054, that impacts several network-attached storage (NAS) devices, the issue is being exploited in the wild.

Pierluigi Paganini

(SecurityAffairs – hacking, Zyxel)

Share On