CVE: CVE-2020-29583
Updated: 1/7 - 3pm CET
Summary
Zyxel has released a patch for the hardcoded credential vulnerability of firewalls and AP controllers recently reported by researchers from Eye Control Netherlands. Users are advised to install the applicable firmware updates (4.60 Patch 1) for optimal protection.
What is the vulnerability?
A hardcoded credential vulnerability was identified in the “zyfwp” user account in some Zyxel firewalls and AP controllers. The account was designed to deliver automatic firmware updates to connected access points through FTP.
What versions are vulnerable—and what should you do?
After a thorough investigation, we've identified the vulnerable products that are within their warranty and support period and are releasing firmware patches to address the issue, as shown in the table below. For optimal protection, we urge users to install the applicable updates.
Note that ATP, USG, ZyWALL, USG FLEX and VPN firewalls running firmware versions earlier than 4.60 Patch 0, or already running 4.60 Patch 1, and the VPN series running SD-OS, are NOT affected.
Check out our FAQ section for the most common questions about this security advisory:
FAQ: Enhanced Information for CVE-2020-29583 - Zyxel security advisory for hardcoded credential vulnerability
The following links can help you upgrade your firmware version:
How to upgrade Firmware on your device?
How to upgrade Firmware, if I use Support Code Version or get ITS Error?
How to upgrade Firmware in Device HA Mode?
How to upgrade Firmware, if my Firmware version is very old?
If you recently got a bugfix from Zyxel Support, you can also use our latest Weekly version (WK48 or WK50), which is secure against this vulnerability:
Weekly Firmware / Support Version / Lab Version
Release Notes for Weekly Support Version
Changes in 4.60 Patch 1 compared to 4.60 Patch 0:
1. [ENHANCEMENT] Enhanced HA Pro reliability.
2. [BUG FIX][CVE-2020-29583]
a. Vulnerability fix for undocumented user account.
3. [BUG FIX] eITS#201000455
a. Fixed Port Zone Assignment issue.
4. [BUG FIX] eITS#201100284, 201100639, 201100647
a. Fixed GUI show up issue when editing interfaces.
5. [BUG FIX] eITS#201100338
a. Mouseover popup information adjustment.
6. [BUG FIX] eITS#201100416, 201100564
a. Stability improvement.
7. [BUG FIX] eITS#201100511, 201100661, 201100730, 201101210, 201101248
a. Fixed the issue that DNS packets cannot passthrough VPN tunnel.
Download the full Release Notes document for 4.60 Patch 1 (including the Patch 0 Release Notes)
Product | Affected | Patch Download |
ATP100 | Yes, 4.60 Patch 0 | Download 4.60 Patch 1 |
ATP100W | Yes, 4.60 Patch 0 | Download 4.60 Patch 1 |
ATP200 | Yes, 4.60 Patch 0 | Download 4.60 Patch 1 |
ATP500 | Yes, 4.60 Patch 0 | Download 4.60 Patch 1 |
ATP700 | Yes, 4.60 Patch 0 | Download 4.60 Patch 1 |
ATP800 | Yes, 4.60 Patch 0 | Download 4.60 Patch 1 |
USG Flex 100 | Yes, 4.60 Patch 0 | Download 4.60 Patch 1 |
USG Flex 100W | Yes, 4.60 Patch 0 | Download 4.60 Patch 1 |
USG Flex 200 | Yes, 4.60 Patch 0 | Download 4.60 Patch 1 |
USG Flex 500 | Yes, 4.60 Patch 0 | Download 4.60 Patch 1 |
USG Flex 700 | Yes, 4.60 Patch 0 | Download 4.60 Patch 1 |
USG20-VPN* | Yes, 4.60 Patch 0 | Download 4.60 Patch 1 |
USG20W-VPN* | Yes, 4.60 Patch 0 | Download 4.60 Patch 1 |
USG40 | Yes, 4.60 Patch 0 | Download 4.60 Patch 1 |
USG40W | Yes, 4.60 Patch 0 | Download 4.60 Patch 1 |
USG60 | Yes, 4.60 Patch 0 | Download 4.60 Patch 1 |
USG60W | Yes, 4.60 Patch 0 | Download 4.60 Patch 1 |
USG110 | Yes, 4.60 Patch 0 | Download 4.60 Patch 1 |
USG210 | Yes, 4.60 Patch 0 | Download 4.60 Patch 1 |
USG310 | Yes, 4.60 Patch 0 | Download 4.60 Patch 1 |
USG1100 | Yes, 4.60 Patch 0 | Download 4.60 Patch 1 |
USG1900 | Yes, 4.60 Patch 0 | Download 4.60 Patch 1 |
USG2200/VPN | Yes, 4.60 Patch 0 | Download 4.60 Patch 1 |
VPN50 | Yes, 4.60 Patch 0 | Download 4.60 Patch 1 |
VPN100 | Yes, 4.60 Patch 0 | Download 4.60 Patch 1 |
VPN300 | Yes, 4.60 Patch 0 | Download 4.60 Patch 1 |
VPN1000 | Yes, 4.60 Patch 0 | Download 4.60 Patch 1 |
ZyWALL110 | Yes, 4.60 Patch 0 | Download 4.60 Patch 1 |
ZyWALL310 | Yes, 4.60 Patch 0 | Download 4.60 Patch 1 |
ZyWALL1100 | Yes, 4.60 Patch 0 | Download 4.60 Patch 1 |
NXC2500 | Yes, 6.10 Patch 0 | Download 6.10 Patch 1 |
NXC5500 | Yes, 6.10 Patch 0 | |
UAG2100 | Not affected | / |
UAG4100 | Not affected | / |
UAG5100 | Not affected | / |
NWA3160N | Not affected | / |
*USG20/W-VPN is also affected, even though this device does not have the AP controller feature. The issue affects every 4.60 Patch 0 version.
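As an added illustration (not part of Zyxel's advisory or any Zyxel tooling), the affected-version rules from the table and notes above expressed as a triage check for a device inventory: only Patch 0 of the 4.60 (firewall) and 6.10 (NXC) trains is vulnerable, Patch 1 is fixed, earlier trains and SD-OS devices are not affected, and UAG/NWA models are not affected. It assumes the device reports its version in the "V4.60(XXXX.0)" style with the number after the dot being the patch level; the advisory's own "4.60 Patch 0" wording is accepted too.

```python
import re
from typing import Optional

# Vulnerable firmware from the advisory table: the only affected build in each
# train is Patch 0; Patch 1 of the same train carries the fix.
VULNERABLE = {"firewall": ("4.60", 0), "apcontroller": ("6.10", 0)}

# Product families from the advisory table (matched by model-name prefix).
# USG20/W-VPN falls under the "USG" prefix, matching the footnote.
FAMILIES = {"ATP": "firewall", "USG": "firewall", "VPN": "firewall",
            "ZYWALL": "firewall", "NXC": "apcontroller"}
NOT_AFFECTED = ("UAG", "NWA")  # listed as not affected in the table

# Accept the advisory's "4.60 Patch 0" wording and a "V4.60(ABUI.0)" style
# string as printed by a device (the device form is an assumed format).
_ADVISORY = re.compile(r"^(\d+\.\d+)\s+Patch\s+(\d+)$", re.I)
_DEVICE = re.compile(r"^V?(\d+\.\d+)\([A-Z]+\.(\d+)\)", re.I)


def parse_version(text: str) -> Optional[tuple[tuple[int, int], int]]:
    """Return ((major, minor), patch) or None if the string is not understood."""
    for pattern in (_ADVISORY, _DEVICE):
        m = pattern.match(text.strip())
        if m:
            major, minor = m.group(1).split(".")
            return (int(major), int(minor)), int(m.group(2))
    return None


def triage(product: str, version: str, sd_os: bool = False) -> str:
    """Classify one device as vulnerable, patched, not_affected or unknown."""
    name = product.upper().replace(" ", "")
    if name.startswith(NOT_AFFECTED):
        return "not_affected"
    family = next((f for p, f in FAMILIES.items() if name.startswith(p)), None)
    if family is None:
        return "unknown"            # model not covered by this advisory
    if sd_os:
        return "not_affected"       # VPN series running SD-OS is not affected
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"            # unreadable version string: verify manually
    train, patch = parsed
    vuln_train, vuln_patch = VULNERABLE[family]
    vuln_train = tuple(int(x) for x in vuln_train.split("."))
    if train < vuln_train:
        return "not_affected"       # earlier firmware never shipped the account
    if train == vuln_train:
        return "vulnerable" if patch <= vuln_patch else "patched"
    return "unknown"                # newer train: not covered by this advisory
```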
If you have more questions or encounter any issue during firmware upgrade, feel free to contact our support team: How to contact Support Team?