Vulnerability found in Zyxel network devices

A few days ago, the discovery of a serious security vulnerability was disclosed in firewalls, virtual private network gateways and access point controllers manufactured by Zyxel Communications Corp.

Last month, security researchers from the cybersecurity firm Eye Control documented the issue, and they say the vulnerability affects more than 100,000 devices manufactured by the company.

The vulnerability means that the devices contain a hard-coded, administrator-level backdoor that can give attackers root access to the devices over SSH or the web admin panel.

Given the hard-coded username and password, attackers can gain access to a network that uses Zyxel devices.

"Someone could, for example, change firewall settings to allow or block certain traffic," says Eye Control researcher Niels Teusink. "They could also intercept traffic or create VPN accounts to gain access to the network behind the device."

The vulnerability is present in Zyxel's ATP, USG, USG Flex, VPN and NXC series devices.

Although not a household name, Zyxel is a Taiwan-based company that makes networking equipment used mainly by small and medium-sized businesses.

In fact, the company has a surprisingly notable list of firsts, among other achievements.

However, this is not the first time a vulnerability has been found in Zyxel devices. A study by the Fraunhofer Institute for Communication in July named Zyxel along with AsusTek Computer Inc., Netgear Inc., D-Link Corp., Linksys, TP-Link Technologies Co Ltd.

According to Zyxel representatives, the backdoor was not the result of malicious activity by third-party attackers; it was a routine function used to download available firmware via FTP.

It should be noted that the predefined password was not encrypted, and Eye Control's security researchers spotted it by examining text snippets found in the firmware image.

In the user database, the password was stored as a hash and the additional account was excluded from the user list, but one of the executable files contained the password in clear text. Zyxel was informed of the problem at the end of November and fixed it.

Zyxel's ATP (Advanced Threat Protection), USG (Unified Security Gateway), USG FLEX and VPN firewalls, as well as the NXC2500 and NXC5500 access point controllers, are affected.

Zyxel has addressed the vulnerability, designated CVE-2020-29583, in an advisory and has released a patch to fix the problem. In the notice, the company noted that the hard-coded user account "zyfwp" was designed to deliver automatic firmware updates to connected access points via FTP.

The problem in the firewalls was fixed in firmware update V4.60 Patch1 (the default password reportedly appeared only in firmware V4.60 Patch0, and older firmware versions are not affected by the problem, but older firmware contains other vulnerabilities through which devices can be attacked).

For access points, the fix will be included in the V6.10 Patch1 update scheduled for April 2021. All users of affected devices are advised to update the firmware immediately or to close off access to the network ports at the firewall level.

The problem is compounded by the fact that the VPN service and the web interface for device management and configuration accept connections on the same network port, 443, which is why many users left 443 open to external requests and so, along with the VPN endpoint, also left the web interface login reachable.

According to preliminary estimates, more than 100,000 devices containing the identified backdoor are reachable on the network for connection through network port 443.

Users of affected Zyxel devices are advised to install all of the appropriate firmware updates.
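As an added example (not code from Zyxel or Eye Control), the Python below triages a device inventory against the fixed releases named above, V4.60 Patch1 for the firewalls and V6.10 Patch1 for the NXC controllers, and raises the priority when port 443 is reachable from outside. The inventory records, the status labels, and the treatment of any NXC release below V6.10 Patch1 as unpatched are assumptions of this example.

```python
import re

FIREWALLS = ("ATP", "USG", "VPN")          # "USG" also matches USG FLEX
AP_CONTROLLERS = ("NXC2500", "NXC5500")
FIREWALL_FIX = (4, 60, 1)                  # V4.60 Patch1 (from the article)
CONTROLLER_FIX = (6, 10, 1)                # V6.10 Patch1 (from the article)
VERSION_RE = re.compile(r"V(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?", re.I)

def parse_version(text):
    """Turn 'V4.60 Patch1' into (4, 60, 1); a missing patch level counts as 0."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def triage(model, firmware, wan_443_open=False):
    """Return a status label (labels are this example's own) for one device."""
    version, name = parse_version(firmware), model.upper()
    if name.startswith(AP_CONTROLLERS):
        # Assumption: any controller release below the fix is treated as unpatched.
        status = "patched" if version >= CONTROLLER_FIX else "unpatched"
    elif name.startswith(FIREWALLS):
        if version >= FIREWALL_FIX:
            status = "patched"
        elif version == (4, 60, 0):
            status = "unpatched"       # only firewall release said to carry the account
        else:
            status = "older-firmware"  # not this issue, but the article still advises updating
    else:
        return "not-listed"
    # Port 443 serves both the VPN and web admin, so WAN exposure raises priority.
    if status == "unpatched" and wan_443_open:
        return "unpatched-exposed"
    return status

# Constructed inventory: (model, firmware, is port 443 reachable from the WAN?)
INVENTORY = [
    ("ATP200", "V4.60 Patch0", True),
    ("USG FLEX 100", "V4.60 Patch1", True),
    ("VPN50", "V4.35", False),
    ("NXC2500", "V6.10", False),
    ("OTHER-DEVICE", "V1.00", False),
]

def report(inventory=INVENTORY):
    return {model: triage(model, fw, wan) for model, fw, wan in inventory}

if __name__ == "__main__":
    print(report())
```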

Source: https://www.eyecontrol.nl

