Zyxel security advisory for hardcoded credential vulnerability CVE-2020-29583

CVE: CVE-2020-29583

Updated: 1/7 - 3pm CET

Summary

Zyxel has released a patch for the hardcoded credential vulnerability of firewalls and AP controllers recently reported by researchers from Eye Control Netherlands. Users are advised to install the applicable firmware updates (4.60 Patch 1) for optimal protection.

What is the vulnerability?

A hardcoded credential vulnerability was identified in the “zyfwp” user account in some Zyxel firewalls and AP controllers. The account was designed to deliver automatic firmware updates to connected access points through FTP.

What versions are vulnerable—and what should you do?

After a through investigation, we’ve identified the vulnerable products that are within their warranty and support period and are releasing firmware patches to address the issue, as shown in the table below. For optimal protection, we urge users to install the applicable updates.

Note that the ATP, USG, ZyWALL, USG FLEX and VPN firewalls running earlier firmware versions than 4.60 Patch 0 or 4.60 Patch 1 and the VPN series running the SD-OS are NOT affected. 

Check out our FAQ section for the most questions for this security advisory:

FAQ: Enhanced Information for CVE-2020-29583 - Zyxel security advisory for hardcoded credential vulnerability

The following links can help you to upgrade your firmware version:

How to upgrade Firmware on your device?

How to upgrade Firmware, if I use Support Code Version or get ITS Error?

How to upgrade Firmware in Device HA Mode?

How to upgrade Firmware, if my Firmware version is very old?

If you recently got a bugfix from Zyxel Support you can also use our latest Weekly version (WK48 or WK50), which is secure for this vulnerability:

Weekly Firmware / Support Version / Lab Version

Release Notes for Weekly Support Version

Changes in 4.60 Patch 1 compare to 4.60 Patch 0:

1. [ENHANCEMENT] Enhanced HA Pro reliability.
2. [BUG FIX][CVE-2020-29583]
a. Vulnerability fix for undocumented user account.
3. [BUG FIX] eITS#201000455
a. Fixed Port Zone Assignment issue.
4. [BUG FIX] eITS#201100284, 201100639, 201100647
a. Fixed GUI show up issue when editing interfaces.
5. [BUG FIX] eITS#201100338
a. Mouseover popup information adjustment.
6. [BUG FIX] eITS#201100416, 201100564
a. Stability improvement.
7. [BUG FIX] eITS#201100511, 201100661, 201100730, 201101210, 201101248
a. Fixed the issue that DNS packets cannot passthrough VPN tunnel.

Download Full Release Notes Document of 4.60 Patch 1 include Patch 0 Release Notes

*USG20/W-VPN is also affected, even this device did not have AP controller feature. The issue affect every 4.60 Patch 0 version.

If you have more questions or encounter any issue during firmware upgrade, feel free to contact our support team: How to contact Support Team?