-------------------------------------------------------------------------------------------------------------------
Zyxel assists you in protecting your Network and maintaining your Firewall!
Check out this article to read all TechTalk Insights:
[BEST PRACTICE] Firewall Maintenance, Config Protection, and CVE Attack Mitigation
-------------------------------------------------------------------------------------------------------------------
Common Issues with Upgrade and Recovery Steps
FAQ Section of most asked questions
Optimization of Firewall to protect the devices
We have been notified of several VPN connection-related issues and network interruptions reported to us currently. In response to this issue, we have expedited the development of an urgent hotfix firmware available since 5/23 and applicable to all models, which is intended to address and promptly rectify the situation. Since 5/24, Zyxel has released official patches for firewalls affected by multiple buffer overflow vulnerabilities. Users are advised to install them for optimal protection.
Check out CVE on our Global Webpage
CVE-2023-33009
A buffer overflow vulnerability in the notification function in some firewall versions could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device.
CVE-2023-33010
In some firewall versions, a buffer overflow vulnerability in the ID processing function could allow an unauthenticated attacker to cause DoS conditions and even a remote code execution on an affected device.
Acknowledgment
Thanks to the following security consultancies:
- Lays and atdog from TRAPA Security, followed by
- STAR Labs SG
Need a complete package for all models?
Download here for all devices in one step! (3GB)
You also can use Cloud Firmware upgrade and install 5.36 Patch 2 or 4.73 Patch 2 instead of the hotfix version! How to upgrade USG devices via cloud-service
[Hotfix and Patch 2 are similar. If you are on one of them, you don´t need to upgrade on the official release. You can upgrade next firmware release 5.37, in July 2023 (Normal Release flow)
| Model | Firmware Hotfix |
| Legacy Devices (4.73 Patch 1 based+includes all latest Weekly fixes) 4.73 Patch 2 is similar and can also be used (Online Firmware Upgrade or MyZyxel.com Download) |
|
| USG40 | Download Hotfix |
| USG40W | Download Hotfix |
| USG60 | Download Hotfix |
| USG60W | Download Hotfix |
| USG110 | Download Hotfix |
| USG210 | Download Hotfix |
| USG310 | Download Hotfix |
| USG1100 | Download Hotfix |
| USG1900 | Download Hotfix |
| USG2200 | Download Hotfix |
| ZyWALL110 | Download Hotfix |
| ZyWALL310 | Download Hotfix |
| ZyWALL1100 | Download Hotfix |
|
On-Premise Devices (5.36 Patch 1 based+includes all latest Weekly fixes) 5.36 Patch 2 is similar and can also be used (Online Firmware Upgrade or MyZyxel.com Download) |
|
| USG FLEX 50 / USG20-VPN | Download Hotfix |
| USG FLEX 50W / USG20W-VPN | Download Hotfix |
| USG FLEX 100 | Download Hotfix |
| USG FLEX 100W | Download Hotfix |
| USG FLEX 200 | Download Hotfix |
| USG FLEX 500 | Download Hotfix |
| USG FLEX 700 | Download Hotfix |
| VPN50 | Download Hotfix |
| VPN100 | Download Hotfix |
| VPN300 | Download Hotfix |
| VPN1000 | Download Hotfix |
| ATP100 | Download Hotfix |
| ATP100W | Download Hotfix |
| ATP200 | Download Hotfix |
| ATP500 | Download Hotfix |
| ATP700 | Download Hotfix |
| ATP800 | Download Hotfix |
| EOL Legacy devices (3.30) are not affected | |
On-Going Issues and Resolve ways
Firmware 4.73 Patch 0 or higher and 5.32 Patch 0 or higher:
The device should be able to upgrade to 4.73 Patch 2 or 5.36 Patch 2 directly. No further action is needed. (On-Premise & Nebula Cloud)
!! Firmware 4.72 Patch 0 or previous and 5.32 Patch 0 or previous: (On-Premise) !!
[Long outdated firewalls are may unable to update to current protection]
Symptom:
The device uploads firmware but doesn´t trigger a reboot
The device is stuck on 100% screen in upload
The device can´t upgrade to 4.73 Patch 2 or 5.36 Patch 2 using Cloud or manual upload
1) Solution (On-Site):
1a) Backup startup-config.conf from RUNNING partition
Navigate to Maintenance -> File Manager -> Configuration File -> Configuration
Select the "startup-config.conf" and press "Download"
1b) Reboot to Standby Partition [CONFIG LOST]
Config will be may system-default.conf here or other older config files! WAN / Remote could be lost!
[This will allow Upgrades to the "PREVIOUS RUNNING" partition]
The firmware will be may Base (4.29) and Browser Issue, prefer use Chrome, try to skip Wizard and upload Patch 2 firmware manually
This will overwrite the config on Running, if you don´t have a backup, all Original config is removed
Stand-by partition configuration will now be loaded, and you might lose access to the firewall after the reboot. If you don't have the admin password, you need to RESET the firewall by holding the RESET button for 15 seconds and applying the backup configuration after the reset.
Wait for the firewall to boot up the stand-by partition
1c) Apply Configuration Backup on Running Partition
Login to your firewall again. You can use the cmd (ipconfig) on your PC or download the Advanced IP scanner to find your Firewall IP.
1d) Upgrade the Running partition (#2 below) to the Patch 2 firmware.
Or you can upgrade the stand-by partition (#1 below), and it will clone/copy the config file from the Running partition to the stand-by partition.
e) Upload the backup configuration to the upgraded partition
Now let the firewall reboot and upload the backup configuration that you downloaded in Step 1.
Then let it reboot and apply the configuration.
Now you can upgrade the stand-by partition to the latest as well to avoid future problems.
If you're having problems, modify the backup "startup-conf.conf" configuration file in Notepad (or Notepad++) by removing the firmware row
Before:
After:
Save the configuration file and upload it again.
2) Solution (Remote):
USG / USG FLEX / ATP / VPN - How to allow HTTPS Web GUI Access from WAN?
In case you can access the GUI, please send an HTTPS - Full Admin User to the Support Team, and we will assist you in upgrading the device to the latest firmware. We need HTTPS access on the port you open on SRC WAN IP: 93.159.250.200 / SSH is not needed. If you run into the issue of not accessing the GUI, try a reboot and block UDP500 WAN to ZyWALL "deny". We will assist with a firmware upgrade and recover your long-outdated device. Thanks. Please note Remote Tools like Teamviewer and Anydesk are not doable. We need to reboot the device. We can do it between 9 am - 5 pm; if that doesn´t work for you, proceed with On-Site Guide.
What else could block you from reaching your firewall?
You may be affected by previous CVE breaches that cause abnormal behavior on your device. So far good news is we are able to fix them all. But we need to identify which previous CVE your device is affected by.
Situation A - After reboot, you are unable to block "UDP500" as GUI is directly gone
In this case, you can try to get the device by a Teamviewer (LAN access) and make a Windows FTP connection (no FTP tool) to the LAN IP. Copy the "startup-config" from the "conf" folder to the "standby_conf" folder and "drag&drop" the Patch 2 firmware into the "firmware 1" folder. This will reboot the firewall and upgrade the system.
Situation B - After reboot, you can block UDP500 but can´t upgrade firmware
Please follow: This solution
Situation C - You can´t reach your device by "HTTPS" on your normal port
Have a check by remote LAN if your device is working "HTTP" based on Port 4337 as a backup.
If that´s the case, please follow the Situation A process.
Situation D - Device HA can´t upgrade firmware
For example, you get the error: "DHA2 detect passive fail"
In this case, you need re-deploy Device HA On-Site. There will be no remote recovery way.
FAQ Section
Which issues appear in my network or firewall if I am already affected?
- The GUI may not let you log in to Admin Interface (ZySH Daemon busy)
- VPN can have unstable scenarios (traffic passthrough or Tunnel often rebuild with less uptime)
- The device may reboot if the watchdog recovered the daemon to often
- Devices show high CPU usage (90% or higher)
- Very old firmware: HTTPS Port not working
- Very old firmware: The device can´t upgrade the firmware
Which firmware version do I need to be safe?
- Please install the latest firmware 5.36 Patch 2 or our hotfix in the table above
Do I need to install any update before 4.73 Patch 2 or 5.36 Patch 2, or can I upgrade directly?
It doesn´t matter which firmware version you have on your device, you can directly upgrade to our latest release, and you can ignore all path steps from earlier Release Notes documents!
What if I can´t log in to the device or only sometimes? [Protection steps to clock DDOS attack]
- You can try reboot the device first, then apply the firmware
- Remove temporary Port "IKE500" from WAN to ZyWALL group (Object > Address)
- Create a temporary firewall rule "WAN to ZyWALL" Service: IKE500 (UDP) > Block
In case you are on-site, you can also remove the WAN uplink for the time being and proceed with the upgrade locally. You can also try this remotely by getting assistance removing the WAN uplink on-site and performing an upgrade via Teamviewer, i.e., "Hotspot from Smartphone."
These steps should help stabilize the device and upgrade the firmware to a protected version.
My VPN is still unstable after I upgrade the device. What can I do?
It´s important to upgrade the Server and Client sites (for Site-to-Site VPN). Only if both sites are upgraded the protection will be successful.
Do I still need to upgrade to 5.36 Patch 2 or 4.73 Patch 2 if I apply the hotfix?
No, the version will be similar, so no further upgrade is needed.
Is my Nebula-managed device also affected?
Yes, updates for Nebula are available now, and the firewall can be updated through Nebula Control Center Nebula CC - Upgrading a Device Firmware [Firmware Management]
I want to install the firmware, but the progress stays on 100% after upload, or the device does not reboot. What can I do?
This can happen if you are on an older firmware version, for example, 5.30, and are affected by previously released fixes for other prevention. Please be in touch with Support to get further assistance.
I upgraded my devices, but I still don´t have VPN traffic or VPN not built up. What can I do?
Make sure you remove the rules "WAN to ZyWALL" to block UDP500 traffic.
Is there another way to upgrade Firmware if going not working?
You can try to upgrade Firmware through FTP. USG & Zywall - Firmware update per FTP
My traffic VPN isn´t not working. I have a connection to Switzerland or Swisscom ISP. What could it be?
Swisscom recently launched an upgrade for Swisscom Router blocking VPN traffic in the DMZ zone. Please be in touch with Swisscom Support to get it fixed. This is not a Zyxel issue. Also, a reboot of the Swisscom Router (2-3 times) could temporarily fix it.
Optimization of Firewall to protect the devices
We deliver many articles and security features on how you can always keep your device up2date and have optimal firewall protection.
[BEST PRACTICE] Firewall Maintenance, Config Protection, and CVE Attack Mitigation
If you have any future questions, just comment on this article, and we´ll be in touch with you shortly.
Or be in touch with the Support Team!
Comments
0 comments
Please sign in to leave a comment.