Backdoor account discovered in more than 100k Zyxel firewalls, VPN gateways

wallacoloo 5 years ago |

> Patches are currently available only for the ATP, USG, USG Flex, and VPN series. Patches for the NXC series are expected in April 2021, according to a Zyxel security advisory.

4 months to deliver a security patch of this significance? Would love to know what kind of situation leads to that kind of latency.

usrnm 5 years ago | |

They had to figure out what backdoor to replace it with

chrisbolt 5 years ago |

https://news.ycombinator.com/item?id=25539876

anakaine 5 years ago |

This and a little looking on Shodan makes for a scary tale of negligence at scale.

RhodesianHunter 5 years ago | |

You just described the entire industry

based2 5 years ago |

https://www.reddit.com/r/sysadmin/comments/kotu67/zyxel_back...

https://en.wikipedia.org/wiki/Zyxel

sloshnmosh 5 years ago |

This reminds me of the guy that discovered a backdoor in his router after he forgot the admin password over the Christmas holidays.

https://github.com/elvanderb/TCP-32764

There is helpful hints in that research that enabled me to view the firmware of my own router

cbozeman 5 years ago |

Its almost as if Chinese companies are either just arms of the state, or thoroughly infiltrated by state actors! I don't think US-based hardware manufacturers are really any better though.

To me this just illustrates the need for fully open-sourced hardware and software with domestic production facilities.

manuelabeledo 5 years ago | |

Zyxel is Taiwanese.

Also, this is more likely a case of incompetence, not maliciousness.

coolgod 5 years ago | | |

How do you know Taiwan doesn't have malicious state actors behind these backdoors? Is it because they aren't in a China ruled by the evil CCP?

cutemonster 5 years ago | | |

Or could it be an insider job?

Some execs or managers demanding a backdoor, then secretly privately selling the secret password to various nation states and private security companies (for personal profit)

coolgod 5 years ago | | |

This is a valid possibility, interesting to see such double standards applied to different tech companies based on the residence of their HQ.

manuelabeledo 5 years ago | | |

Why would they? Also, why expose it in such an obvious way?

Bancakes 5 years ago | | |

Incompetence is a form of malice in cases like this.

manuelabeledo 5 years ago | | |

I disagree.

Was the Solarwinds hack an act of malice, then?

vmception 5 years ago |

Its okay, they all had nothing to hide

tapper 5 years ago |

This is why I use OpenWrt in my network!