back to article Zyxel storage, firewall, VPN, security boxes have a give-anyone-on-the-internet-root hole: Patch right now

Zyxel's network storage boxes, business VPN gateways, firewalls, and, er, security scanners can be remotely hijacked by any miscreant, due to a devastating security hole in the firmware. The devices' weblogin.cgi program fails to sanitize user input, allowing anyone who can reach one of these vulnerable machines, over the …

  1. Anonymous Coward
    Anonymous Coward

    Wow

    Just "wow".

    Enough said.

  2. Anonymous Coward
    Anonymous Coward

    Hasn't this been known for a long time, well their routers anyway, its how i extracted the root password on my isp locked down router to unlock the additional features.

  3. Tom Paine

    CPE

    I've only seen Zyxel gear issued to customers of small ISPs. If more than 1% get updated before hitting the WEEE skip I'll eat my hat

    1. big_D Silver badge

      Re: CPE

      The USGs are SME level unified security devices. As well as cheap modem/routers, Zyxel have a corporate arm that produces a lot of heavy duty networking appliances.

    2. steamnut

      Re: CPE

      And the Zyxel routers (free from Zen) are a real crock anyway. It took me just 1 hour to work out how poor it was and replaced it with a Netgear offering. Ok, even Netgear have their issues too but this was be best of two evils.

      1. Korev Silver badge

        Re: CPE

        I'm pretty sure Netgear had an almost identical issue a while back - it was so open you could even configure a workaround by going to a security researcher's website!

        1. Captain Scarlet
          FAIL

          Re: CPE

          Updates also got annoying when links in the interface broke and a new feature would kill the routers web servers if you went to a non existant web page.

  4. J. Cook Silver badge
    Trollface

    Not surprised at all...

    If you have a Zyxel device, bin it – especially if it's facing the internet.

    FTFY.

  5. W.S.Gosset Silver badge
    Facepalm

    "the patched firmware is delivered via unencryped FTP"

    That was, for me, the piece de resistance.

    They're consistent -- I'll give 'em that.

  6. Anonymous Coward
    Anonymous Coward

    Router with no external admin access

    Is this still an issue if all the external facing access is disabled?

    I assume you have to have a webpage that will respond to the scammer for them to be able to run a script.

    The parents have a home Zyxel router supplied by a small ISP. I had already disabled all external access to it, changed default IP Address and subnet, and changed the port no of the admin console.

    Can I assume that means it can only be attacked from inside the house? Or if he is unlucky enough to visit a dodgy website that spits out the commands?

    Or do I need to drive the 200miles up there to hit it with the large Hammer Of Disintegration™ to ensure security?

    1. thosrtanner

      Re: Router with no external admin access

      I think the article says 'if you visit a malicious page, it can take over your router'. so the hammer of disintegration is needed

      1. Anonymous Coward
        Anonymous Coward

        Re: Router with no external admin access

        I'm currently banking on The Parents visiting really boring websites for now. The standard ones like Butcher, Tesco, Amazon and the newspapers. They aren't the types to be nosing around on random websites that may have been hacked for Cross Site script to be in place.

        Hammer of Destruction will be polished for the next scheduled visit.

  7. EnviableOne Silver badge
    Coat

    "Advanced"

    if this is advanced security, what does mine count as?

  8. Claptrap314 Silver badge

    Anyone for a class action?

    Not validating has been a thing since before the internet. This is criminal stupidity.

  9. This post has been deleted by its author

  10. Martin N

    Already patched for older NSA devices by the open source community

    Users of older Zyxel "NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2 models". The open source community have your back simply install the latest Tweaks package by Mijzelf and activate the patch. More info here https://zyxel.diskstation.eu/forum/viewtopic.php?f=2&t=156

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021