GOT PATCHES? — Researchers tell owners to assume compromise of unpatched Zyxel firewalls Poor patching hygiene is fueling a flurry of “downstream attacks” on other targets.
Dan Goodin – May 31, 2023 10:33 pm UTC EnlargeGetty Images reader comments 24 with
Firewalls made by Zyxel are being wrangled into a destructive botnet, which is taking control of them by exploiting a recently patched vulnerability with a severity rating of 9.8 out of a possible 10.
At this stage if you have a vulnerable device exposed, assume compromise, officials from Shadowserver, an organization that monitors Internet threats in real time, warned four days ago. The officials said the exploits are coming from a botnet thats similar to Mirai, which harnesses the collective bandwidth of thousands of compromised Internet devices to knock sites offline with distributed denial-of-service attacks.
According to data from Shadowserver collected over the past 10 days, 25 of the top 62 Internet-connected devices waging downstream attacksmeaning attempting to hack other Internet-connected deviceswere made by Zyxel as measured by IP addresses. A 9.8-severity vulnerability in default configurations
The software bug used to compromise the Zyxel devices is tracked as CVE-2023-28771, an unauthenticated command injection vulnerability with a severity rate of 9.8. The flaw, which Zyxel patched on April 25, can be exploited to execute malicious code with a specially crafted IKEv2 packet to UDP port 500 on the device.
The critical vulnerability exists in default configurations of the manufacturers firewall and VPN devices. They include Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35. Advertisement Affected series Affected version Patch availability ATP ZLD V4.60 to V5.35 ZLD V5.36 USG FLEX ZLD V4.60 to V5.35 ZLD V5.36 VPN ZLD V4.60 to V5.35 ZLD V5.36 ZyWALL/USG ZLD V4.60 to V4.73 ZLD V4.73 Patch 1
On Wednesday, the Cybersecurity and Infrastructure Security Agency placed CVE-2023-28771 on its list of known exploited vulnerabilities. The agency has given federal agencies until June 21 to fix any vulnerable devices in their networks.
Security researcher Kevin Beaumont has also been warning of widespread exploitation of the vulnerability since last week.
This #Zyxel vuln is being mass exploited now by Mirai botnet, he wrote on Mastodon. A fuck ton of SMB VPN boxes are owned.
Measurements from the Shodan search engine show almost 43,000 instances of Zyxel devices exposed to the Internet.
This number only includes devices that expose their web interfaces on the WAN, which is not a default setting, Rapid7 said, using the abbreviation for wide area network, the part of a companys network that can be accessed over the Internet. Since the vulnerability is in the VPN service, which is enabled by default on the WAN, we expect the actual number of exposed and vulnerable devices to be much higher.
A VPNshort for virtual private networkdoesn’t need to be configured on a device for it to be vulnerable, Rapid7 said. Zyxel devices have long been a favorite for hacking because they reside at the edge of a network, where defenses are typically lower. Once infected, attackers use the devices as a launch pad for compromising other devices on the Internet or as a toe-hold that can be used to spread to other parts of the network they belong to.
While most of the focus is on CVE-2023-28771, Rapid7 warned of two other vulnerabilitiesCVE-2023-33009 and CVE-2023-33010 that Zyxel patched last week. Both vulnerabilities also carry a 9.8 severity rating.
With infections from CVE-2023-28771 still occurring five weeks after Zyxel fixed it, its clear many device owners arent installing security updates in a timely manner. If the poor patching hygiene carries over to the more recently fixed vulnerabilities, there likely will be more Zyxel compromises occurring soon. reader comments 24 with Dan Goodin Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Advertisement Channel Ars Technica ← Previous story Next story → Related Stories Today on Ars