> A hardcoded credential vulnerability was identified in the “zyfwp” user account in some Zyxel firewalls and AP controllers. The account was designed to deliver automatic firmware updates to connected access points through FTP.
Also translated as:
In the name of "improving security" we created a backdoor, which is known throughout the entire industry as "removing all security". We are very sorry we were caught so easily.
It does not take much to understand this was a terrible idea. Or that there are so many better ways to build and deploy automatic updates. You absolutely do not need to be able to control a machine remotely to deploy automatic updates. But counting the ways they went wrong building this update system makes it extremely hard to believe that was the intent.
> After a thorough investigation, we’ve identified the vulnerable products that are within their warranty and support period and are releasing firmware patches to address the issue, as shown in the table below.
That they went to the effort of identifying their minimal viable liability and all released patches for that, makes it even more disingenuous.
This is a company whose business is supposed to be about enhancing security. They should know better.
> You absolutely do not need to be able to control a machine remotely to deploy automatic updates.
Huh? How are you supposed to deploy the update then, or make it effective? I think the definition of "remotely control" differs somewhat from mine.
I could agree that you don't need to uniquely address a remote machine to deploy updates, but having control over the machine (if only for a moment) is the purpose of the update process.
"control remotely" as in "issue arbitrary commands" is absolutely _not_ required for an update mechanism.
The machine _itself_ can check for updates, and issue _only_ those commands that are _necessary_. You don't need complete control over a machine for an update mechanism.
But the entire update infrastructure has issues... Firmware binaries downloaded over unprotected basic FTP... No checksums... No authenticated signatures... And arbitrary commands issued at the root level.
If you deploy a firmware update it contains new instructions that can do anything. The problem is the hardcoded credentials that an other 3rd party could dump from a device and then could be used to attack other
devices. What they should have done if they wanted automatic updates was just have a public key on devices. They could then sign any updates with their private key.
Still with automatic updates you have to trust the vendor. However, with what they did updates/commands could be coming from anyone willing to dump device firmware.
> The machine _itself_ can check for updates, and issue _only_ those commands that are _necessary_.
The problem with this statement is that the machine doesn't know what sequence of actions is necessary to put the system into the "updated" state. If it knew, it wouldn't have to contact anything in order to update itself. It would already have known.
> If it knew, it wouldn't have to contact anything in order to update itself. It would already have known.
Eh? That's how most package managers work. They only issue a very small number of commands to put them into an "updated" state. They don't generally do arbitrary things.
For example, if we take a look into aptitude, the deb packages it eventually fetches after running various authentications, contains:
+ A directory listing. (Contents-<arch>.gz)
+ Paths and checksums. (Release)
+ Signing information.
It doesn't have an arbitrary listing of commands to put it into the "updated" set - that's already decided by the format. The machine _does_ know the sequence of actions that is necessary. You don't need some kind of Turing complete monstrosity that can do absolutely anything to update it.
In the case of a _firmware update_ that's even simpler! Most of the time you're either replacing a kernel, or flashing the firmware to a pre-decided memory address. Both of those actions are decided long before you even begin issuing updates.
Where in „client pulls a signed image with a secure and trusted process from the update server, flashes it, then swaps it with its previous image“ does the update server command any control over the client?
That depends on the contents of the supplied image. But I agree, it's more about the need for the ability to take over control rather than exercising the ability.
Machines can pull rather than manufacturers push, using cryptographic signatures to verify origin. At no point during, say, a Linux embedded device doing an "apt-get upgrade" in a cron job, is anyone remotely controlling the machine.
> It seemed the vulnerability had been introduced in the latest firmware version. Even though older versions do not have this vulnerability, they do have others (such as this buffer overflow) so you should still update.
It's a pity there are no long-term effects from the cases like those.
We've had a serious security vulnerability introduced in the firmware release, and there were no negative consequences for Zyxel at all, other than some bad press (and it's probably a fairly small amount of the bad press). What I would like to see is a post-mortem with mitigations -- how did this happen, and how will they prevent similar occurrences in the future. Instead, most likely nothing will happen. And I will not be surprised if the "firmware update account" will be back in the next release, probably still insecure, but hidden better so that random researchers won't stumble on it.
I wish there were some sort of liability for the manufacturers for the cases like those. For example, if a person runs a red light by accident and get caught, they get a fine and an insurance premium increase. We need something like this for IOT suppliers as well.
This is probably a fairly hot take but I believe that researchers shoudn't normanize providing this level of detail unless they have been explicitly hired to do so.
The industry is pretty messed up and it sometimes feels like researchers/pen testers/bug hunters are effectively subsidizing and protecting shitty security practises.
> The industry is pretty messed up and it sometimes feels like researchers/pen testers/bug hunters are effectively subsidizing and protecting shitty security practises.
In my opinion, this is a result of there being little/no consequences of being breached due to incompetence. Zyxel isn’t losing anything from this, and has no incentives to be better.
I worked with WiFi developement 15 years ago. For testing interoperability we used many vendor's access points. Zyxel was always on the lower end quality-wise. So this story does not surprise me, nothing seems to have changed. Or maybe there is a positive element of surprise; they accepted that that's not the way to do it and fixed it in only 2 weeks.
I have a Zyxel switch that I had to disconnect from my network because every once in awhile it would just go nuts - I'd get a crazy amount of traffic and upwards of 80% packet loss across my network. But just for a few minutes, then everything would go back to normal.
Took me a while to narrow it down to the switch, and I'm still not really sure what was happening, but it hasn't come up again since I disconnected it.
Most of the time such reviews are not practical; they cost too much money and don't deliver results. Such review industries are almost always all about the rubber stamp and don't end up employing competent reviewers.
See e.g. the Infineon ROCA flaw that FIPS certification didn't catch (even though that code reeked of them being too clever, and should've gone through proper cryptanalysis).
See: flaws in the FIPS YubiKey (specific to that version! The certification requirements introduced vulns!)
I've been doing something vaguely similar, largely out of laziness, for the past few years. My ISP's router (largely) retains its default settings, then my main router/firewall[1] sits behind that in a double-NAT configuration (treating the ISP router as being on the WAN side). Works well enough in practice - it's never caused me any issues in the ten or so years I've been doing it (port forwarding becomes a two-step process, but I _very_ rarely need to do that, so it's a non-issue for me).
[1] Typically pfSense, though it's just a generic Eero setup for now while I reconfigure some stuff33333333
Is "backdoor" the right term for this? I was under the impression that it implied intent. I.e., a "backdoor" is something added specifically to provide access through abnormal means, not just something that can be used to provide access.
This seems more like a mistake, particularly since they included the password in plaintext.
A secret way for the manufacturer to get into your device; the term "backdoor" is very appropriate I think. Most manufacturers would not go about it as clumsily as Xyxel, but it's the same thing.
But implicit in your statement that it's "a secret way for the manufacturer to get into your device" is the claim that Zyxel intended it as a bypass.
It seems like without intent, anything can be called a "backdoor". My browser receives automatic updates, and Mozilla could push an update that gives them remote access to my user account. But I don't think anyone would say Mozilla has "backdoored" Firefox.
Firstly, I think it's a lot to ask that we believe Zyxel put a backdoor in their products and then just forgot about it.
But even if we choose to believe that, it's not wrong to say that it was secret. "Secret" typically means "without the knowledge of others". If I forget the secret combination to my safe, it doesn't become "not a secret" because of that.
In your example, Mozilla has presumably made public that they are using remote updates. So it can hardly be described as secret.
I see your point. While this uses the normal authentication method (user, password), the undisclosed nature of the account makes it a backdoor practically.
You have some couple year old computer sitting around collecting dust? pfSense, OpnSense, VyOS, etc; there's Sophos XG home edition for personal use that I've had success with.
You want a ready-to-use hardware package? Maybe a UniFi Security Gateway, Netgate (pfSense) appliances fit in the price range.
Also translated as:
In the name of "improving security" we created a backdoor, which is known throughout the entire industry as "removing all security". We are very sorry we were caught so easily.
It does not take much to understand this was a terrible idea. Or that there are so many better ways to build and deploy automatic updates. You absolutely do not need to be able to control a machine remotely to deploy automatic updates. But counting the ways they went wrong building this update system makes it extremely hard to believe that was the intent.
> After a thorough investigation, we’ve identified the vulnerable products that are within their warranty and support period and are releasing firmware patches to address the issue, as shown in the table below.
That they went to the effort of identifying their minimal viable liability and all released patches for that, makes it even more disingenuous.
This is a company whose business is supposed to be about enhancing security. They should know better.