Flaws Riddle Zyxel’s Network Management Software


Sixteen security flaws, including multiple backdoors and hardcoded SSH server keys, plague the software.

Security researchers are warning that networking hardware vendor Zyxel’s Cloud CNM SecuManager software is riddled with unpatched vulnerabilities that open the door to attackers. In all, the researchers identified 16 vulnerabilities, ranging from multiple backdoors and default credentials to an object database exposed without authentication.

The Zyxel CNM SecuManager is a networking management software solution that provides an integrated console to monitor and manage enterprise security gateways, such as the company’s own ZyWALL USG and its VPN series products. When contacted by Threatpost, Zyxel would not say how many users of the product there are, only that the number was “limited.”

However, security researchers Pierre Kim and Alexandre Torres wrote in a report posted Monday that “the attack surface is very large and many different stacks are being used making it very interesting. Furthermore, some daemons are running as root and are reachable from the WAN. Also, there is no firewall by default.” The report outlined the more than a dozen flaws.

On Monday, Taiwan-based Zyxel declined to comment on the research, adding that it was unaware of the report. Because of the sensitive nature of the vulnerability claims, Threatpost declined at the time to publish the researchers’ findings.

On Wednesday, Nathan Yen, AVP of Zyxel Gateway SBU, reached out to Threatpost and said that the company was now aware of the issues and was working quickly to fix them. He did not specifically address any of the 16 vulnerability claims.

Researcher Kim told Threatpost he did not disclose the vulnerabilities to Zyxel because he believed that the vendor intentionally created backdoors into its product that would open Cloud CNM SecuManager software to remote access by Zyxel, post-customer installation.

“The only effective way when dealing with backdoors planted with the vendor is to publish zero-day vulnerabilities using full disclosure,” he said. “By going full disclosure, the vendor will be forced to remove the backdoors.”

Yen did not address those claims by the researchers.

The researchers said the flaws were reported on December 20, and on Monday they publicly disclosed the vulnerabilities online and via security mailing lists.

Researchers Outline Bugs

According to the report, the vulnerable software includes Zyxel CNM SecuManager versions 3.1.0 and 3.1.1 – last updated in November 2018.

Topping the researchers’ list of security concerns is the use of hard-coded Secure Shell (SSH) server host keys. Administrators use SSH for remote login and control of hardware assets, and the server’s host key is what lets an SSH client confirm it is talking to the genuine appliance rather than an impostor.

“By default, the appliance uses hardcoded SSH server keys for the main host and for the chroot environments,” they wrote. A chroot confines a running process to a subtree of the filesystem by changing its apparent root directory on Unix-like operating systems. “This allows an attacker to [man in the middle] MITM and decrypt the encrypted traffic,” they wrote. Because the same private key ships in every installation, anyone who extracts it from one unit can present it as any other unit, and the client’s host-key check will not tell the difference.
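A practical check for the problem described above is to scan a fleet and look for host keys that recur on more than one device. The script below is an added example written for this article, not code from the researchers’ report or from Zyxel; it parses `ssh-keyscan`-style lines, computes OpenSSH-style SHA256 fingerprints, and reports every fingerprint seen on several hosts. The hosts and key bytes in it are constructed, not real appliance keys.

```python
"""Added check: find SSH host keys that are shared by more than one appliance.

Run `ssh-keyscan -t ed25519,rsa,ecdsa host1 host2 ...` against your fleet and feed
the output to shared_host_keys(); any fingerprint listed for several hosts means those
hosts carry the same private host key and can all be impersonated with it.
"""
import base64
import hashlib
import struct
from collections import defaultdict
from typing import Dict, List, Tuple


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_pubkey: bytes) -> str:
    """Base64 ssh-ed25519 public key blob, as it appears in ssh-keyscan output."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_pubkey)
    return base64.b64encode(blob).decode()


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str) -> List[Tuple[str, str, str]]:
    """Parse ssh-keyscan lines into (host, keytype, b64blob); '#' comment lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, ignore
        entries.append((parts[0], parts[1], parts[2]))
    return entries


def shared_host_keys(text: str) -> Dict[str, List[str]]:
    """Return {fingerprint: [hosts]} for every host key seen on more than one host."""
    hosts_by_fp = defaultdict(set)
    for host, _keytype, blob in parse_keyscan(text):
        hosts_by_fp[fingerprint(blob)].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


# Constructed sample fleet: two hosts carry the same (firmware-baked) key, one has its own.
# These are made-up key bytes, not keys from any Zyxel product.
BAKED_IN_KEY = bytes(range(32))
PER_DEVICE_KEY = bytes(range(32, 64))
SAMPLE_KEYSCAN = "\n".join([
    "# 10.0.0.11:22 SSH-2.0-OpenSSH_7.4",
    "10.0.0.11 ssh-ed25519 " + ed25519_blob(BAKED_IN_KEY),
    "10.0.0.12 ssh-ed25519 " + ed25519_blob(BAKED_IN_KEY),
    "10.0.0.13 ssh-ed25519 " + ed25519_blob(PER_DEVICE_KEY),
])

if __name__ == "__main__":
    for fp, hosts in shared_host_keys(SAMPLE_KEYSCAN).items():
        print(f"{fp} shared by {', '.join(hosts)}")
```

On the constructed sample this reports one fingerprint shared by 10.0.0.11 and 10.0.0.12. Any hit on a real fleet deserves the same response as a leaked private key: regenerate the host keys on each device and remove the old fingerprints from clients’ known_hosts files.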

Another vulnerability is tied to predefined passwords for admin accounts. “By default, we can extract the pre-defined admin and the pre-defined users from MySQL,” researchers wrote. MySQL is the open-source relational database management system in which the appliance keeps these accounts. The researchers described recovering the predefined admin and user credentials as “trivial.”

Also of concern to researchers is what they said was the Zyxel CNM SecuManager’s “insecure management over the cloud.”

“By default, myzxel.pyc used for communication to the ‘Cloud’ uses some hardcoded variables for communication over HTTPS,” they wrote. As they described, “The function get_account_info uses the account_id, the jwt_secret and the jwt_secret_id… The jwt_secret and jwt_secret_id are generated as unique key for each appliance.”

In this context, researchers said an attacker can extract account information using backdoors in the SecuManager’s APIs or by using the “anonymous access to the ZODB interface and decrypting the secret account_id value.”

A ZODB, or Zope Object Database, is an object-oriented database for transparently and persistently storing Python objects, according to a technical description.
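The extraction path described above matters because of what a per-appliance JWT secret authorises once it leaves the appliance. The following is an added example, not code from the SecuManager product or from the researchers’ report. It assumes, since the article does not say, that the cloud side validates HS256 tokens keyed by jwt_secret_id to jwt_secret; every identifier, secret and claim in it is constructed.

```python
"""Added example: what an extracted per-appliance JWT secret buys an attacker.

Assumption (not stated on the page): the cloud side validates HS256 tokens and looks the
HMAC key up by the jwt_secret_id carried in the token header. All values are constructed.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def json_bytes(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def sign_jwt(claims: dict, secret: bytes, kid: str) -> str:
    """Mint an HS256 JWT; the secret id travels in the header 'kid' so the verifier can look it up."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = b64url(json_bytes(header)) + "." + b64url(json_bytes(claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token: str, secrets_by_kid: Dict[str, bytes], now: int) -> Optional[dict]:
    """Return the claims if the token is a valid, unexpired HS256 token for a known kid, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        return None
    secret = secrets_by_kid.get(header.get("kid"))
    if secret is None:
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    claims = json.loads(b64url_decode(p))
    if claims.get("exp", 0) <= now:
        return None
    return claims


# Constructed stand-ins for one appliance's jwt_secret_id / jwt_secret and the cloud's registry.
APPLIANCE_KID = "appl-0001"
APPLIANCE_SECRET = hashlib.sha256(b"constructed demo secret, not a real key").digest()
CLOUD_REGISTRY = {APPLIANCE_KID: APPLIANCE_SECRET}
NOW = 1_700_000_000


def forge_token(extracted_secret: bytes, kid: str, account_id: str) -> str:
    """What an attacker does with a secret pulled from the appliance: mint a token for any account."""
    claims = {"account_id": account_id, "iat": NOW, "exp": NOW + 3600}
    return sign_jwt(claims, extracted_secret, kid)


def demo():
    """Returns (claims accepted for the forged token, result for a token minted with a guessed secret)."""
    forged = forge_token(APPLIANCE_SECRET, APPLIANCE_KID, "acct-42")
    accepted = verify_jwt(forged, CLOUD_REGISTRY, NOW)
    guessed = forge_token(b"wrong-secret", APPLIANCE_KID, "acct-42")
    rejected = verify_jwt(guessed, CLOUD_REGISTRY, NOW)
    return accepted, rejected


if __name__ == "__main__":
    accepted, rejected = demo()
    print("forged token accepted as:", accepted)
    print("token minted with a guessed secret:", rejected)
```

The verifier here does everything right (pinned algorithm, constant-time comparison, expiry check) and the forged token is still accepted, because the only thing protecting the account is the secrecy of jwt_secret. That is why a per-appliance secret is no better than a hardcoded one once it can be read from an unauthenticated store such as the open ZODB interface.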

“There are likely to be way more zero-day vulnerabilities in the appliance, but we decided not to dig more due to time constraints,” wrote Kim and Torres.

Zyxel Promises Fixes

“While we’re still investigating the listed issues, it’s important to note that the CloudCNM SecuManager is a network management tool customized for specific customer demands and is used by a very limited number of customers,” according to a written response from Yen to Threatpost.

Yen told Threatpost that the CloudCNM SecuManager was co-developed with a third-party vendor. “We’re working with them to solve the issues as our top priority. We’ll reach out to individual customers directly to roll out the solution,” he said.

None of the vulnerabilities Kim and Torres identified could be found on the company’s security advisory page at the time of this report.

Late last month, Zyxel patched a critical zero-day flaw in many of its network-attached storage (NAS) devices. The bug, tracked as CVE-2020-9054, allowed a remote, unauthenticated adversary to execute arbitrary code on a vulnerable device. Patches were made available for four of the 14 affected NAS devices; the other 10 were no longer supported by Zyxel.

Vulnerabilities Summary

The researchers’ full list of Zyxel CNM SecuManager software vulnerabilities follows:

  1. Hardcoded SSH server keys
  2. Backdoor accounts in MySQL
  3. Hardcoded certificate and backdoor access in Ejabberd
  4. Open ZODB storage without authentication
  5. MyZyxel ‘Cloud’ Hardcoded Secret
  6. Hardcoded Secrets, APIs
  7. Predefined passwords for admin accounts
  8. Insecure management over the ‘Cloud’
  9. xmppCnrSender.py log escape sequence injection
  10. xmppCnrSender.py no authentication and clear-text communication
  11. Incorrect HTTP requests cause out of range access in Zope
  12. XSS on the web interface
  13. Private SSH key
  14. Backdoor APIs
  15. Backdoor management access and RCE
  16. Pre-auth RCE with chrooted access

“At this time, I would advise customers to avoid using this product,” Kim said. “I also have some questions about the ‘Cloud’ functionality provided by Zyxel and the fact that some encryption keys are hardcoded and HTTPS communication is not secure because of the lack of verification of certificates – this allows an attacker to intercept and modify the management traffic to and from the SecuManager product.”
