Hardcoded FTP Credentials in Zyxel NWA/NAP/WAC wireless access point series

Project Description

An FTP daemon with hardcoded credentials runs on multiple Zyxel WiFi access points from the NWA, NAP and WAC series. These credentials can be used to log on to the AP's FTP server and steal the configuration file, which includes SSIDs and passwords. An attacker could use this to move into protected networks.


Vendor description

“Focused on innovation and customer-centricity, Zyxel Communications Corp. has been connecting people to the internet for nearly 30 years. We keep promoting creativity which meets the needs of customers. This spirit has never been changed since we developed the world’s first integrated 3-in-1 data/fax/voice modem in 1992. Our ability to adapt and innovate with networking technology places us at the forefront of understanding connectivity for telco/service providers, businesses and home users.

We’re building the networks of tomorrow, helping unlock the world’s potential and meeting the needs of the modern workplace; powering people at work, life and play. We stand side-by-side with our customers and partners to share new approaches to networking that will unleash their abilities. Loyal friend, powerful ally, reliable resource — we are Zyxel, Your Networking Ally.”

Source: https://www.zyxel.com/about_zyxel/company_overview.shtml

 

Business recommendation

SEC Consult recommends that Zyxel customers upgrade the firmware to the latest available version. A thorough security review should be performed by security professionals to identify further potential security issues.

 

Vulnerability overview/description

1) Hardcoded FTP Credentials

An FTP service runs on the Zyxel wireless access point and serves the configuration file for the WiFi network. This FTP server can be accessed with hardcoded credentials that are embedded in the firmware of the AP. When the WiFi network is bound to another VLAN, an attacker can cross into that network by fetching the WiFi credentials from the FTP server.

The credentials were found by doing an automated scan with IoT Inspector.

Proof of concept

1) Hardcoded FTP Credentials

The username “devicehaecived” and the password “1234” can be used to access the FTP server of the AP on port 21.

The content of the FTP server looks like the following listing:

$ ls
cert  conf  debug  idp  packet_trace  script  tmp  wtp_image

The directory “conf” contains all configuration files which store the WiFi SSIDs and passphrases.
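As an added example that is not part of the advisory, the following Python parses a constructed FTP control-channel transcript, such as a network sensor on the management VLAN might record, and flags login attempts with the hardcoded account, whether they succeeded, and which files were pulled from the conf directory. The transcript format, the file name under conf/ and the function names are assumptions.

```python
import re
from dataclasses import dataclass, field

# Hardcoded account from the advisory; the password is not needed to detect use.
HARDCODED_USER = "devicehaecived"

# Constructed sample of an FTP control channel as a sensor might record it
# ("C>" client, "S>" server). The file name under conf/ is made up.
SAMPLE_SESSION = """\
S> 220 FTP server ready.
C> USER devicehaecived
S> 331 Password required for devicehaecived.
C> PASS 1234
S> 230 User devicehaecived logged in.
C> CWD conf
S> 250 CWD command successful.
C> RETR startup-config.conf
S> 226 Transfer complete.
"""

@dataclass
class Finding:
    user: str
    logged_in: bool = False                        # True once the server answers 230
    retrieved: list = field(default_factory=list)  # files fetched after login

def analyze_ftp_session(transcript: str) -> list:
    """Return one Finding per login attempt with the hardcoded account."""
    findings, current, cwd = [], None, ""
    for line in transcript.splitlines():
        m = re.match(r"([CS])> (.*)", line)
        if not m:
            continue
        side, msg = m.groups()
        if side == "C":
            cmd, _, arg = msg.partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":  # new login attempt; only track the hardcoded account
                current = Finding(user=arg) if arg == HARDCODED_USER else None
                if current:
                    findings.append(current)
            elif cmd == "CWD":
                cwd = arg
            elif cmd == "RETR" and current and current.logged_in:
                current.retrieved.append(f"{cwd}/{arg}" if cwd else arg)
        elif current and msg.startswith("230"):  # 230 = login accepted
            current.logged_in = True
    return findings
```

A login attempt that is answered with 530 after the firmware update still shows up as a Finding with logged_in False, which distinguishes probing from an actual configuration download.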

Vulnerable / tested versions:

The following versions have been manually tested and were automatically verified with IoT Inspector:

  • Zyxel NWA5121-NI 5.50 patch 0 and earlier
  • Zyxel NWA5121-N 5.50 patch 0 and earlier

The vendor provided the following list of affected devices:

  • Zyxel WAC6103D-I 5.50 patch 0 and earlier
  • Zyxel WAC6303D-S 5.50 patch 0 and earlier
  • Zyxel WAC6502D-E 5.50 patch 0 and earlier
  • Zyxel WAC6502D-S 5.50 patch 0 and earlier
  • Zyxel WAC6503D-S 5.50 patch 0 and earlier
  • Zyxel WAC6553D-E 5.50 patch 0 and earlier
  • Zyxel WAC6552D-S 5.50 patch 0 and earlier
  • Zyxel WAC5302D-S 5.50 patch 0 and earlier
  • Zyxel NWA5123-AC 5.50 patch 0 and earlier
  • Zyxel NWA5123-AC HD 5.50 patch 0 and earlier
  • Zyxel NWA5123-NI 5.50 patch 0 and earlier
  • Zyxel NWA5301-NJ 5.50 patch 0 and earlier
  • Zyxel NWA1302-AC 5.50 patch 0 and earlier
  • Zyxel NWA1123-ACv2 5.50 patch 0 and earlier
  • Zyxel NWA1123-AC HD 5.50 patch 0 and earlier
  • Zyxel NWA1123-AC PRO 5.50 patch 0 and earlier
  • Zyxel NAP102 5.50 patch 0 and earlier
  • Zyxel NAP203 5.50 patch 0 and earlier
  • Zyxel NAP303 5.50 patch 0 and earlier
  • Zyxel NAP353 5.50 patch 0 and earlier

Vendor contact timeline

2019-06-26: Contacting vendor through security@zyxel.com.tw.
2019-06-27: Vendor changed PGP key. Sent advisory with new key. Vendor confirmed receipt.
2019-07-03: Asked for an update; vendor stated that they had just finished their investigation.
2019-07-09: Vendor provided a full list of devices that are prone to this vulnerability.
2019-07-23: Asked for a timeline; vendor asked to shift the release of the advisory to 2019-08-29 in order to provide fixes; shifted advisory release to this date.
2019-08-26: Asked for a status update; vendor stated that fixes are ready to be published on 2019-08-29.
2019-08-29: Coordinated advisory release.

Solution

Install the newest firmware for your device from the vendor’s website to fix this issue:

https://www.zyxel.com/support/download_landing.shtml

Additionally, the vendor provides the following security notice: https://www.zyxel.com/support/hardcoded-FTP-credential-vulnerability-of-access-points.shtml

Workaround

Restrict network access to the web interface.

 

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

 

EOF Thomas Weber / @2019

 


Project Details

  • Title: Hardcoded FTP Credentials
  • Product: Zyxel NWA/NAP/WAC wireless access point series
  • Vulnerable version: see "Vulnerable / tested versions"
  • Fixed version: see "Solution"
  • CVE number: -
  • Impact: medium
  • Homepage: https://www.zyxel.com
  • Found: 2019-06-19
  • By: Thomas Weber (Office Vienna) | IoT Inspector | SEC Consult Vulnerability Lab
