The Zyxel - while branded - appears to run standard Zyxel firmware; the config doesn't contain anything related to IPTV, but it has an "IGMP Proxy enabled" setting. Is there a way to set up a similar setup on the PA-200?
Any pointers where I go from here? I'm running 6.0.2, and have played a bit with packet capture, so I can see "Membership Report group" and "Leave Group" messages coming from the Thomson, but can't see any other IGMP related traffic.
Enabling IGMP on eth1/4 (or rather - creating an interface group on the vrouter) does not appear to give me anything more either. If I add eth1/3 (internal/trust interface), I get some output from IGMP statistics and memberships:
The Thomson IPTV PVR is at 192.168.1.61, and its membership changes whenever I change channels. (In the output above, it is listed twice - that is just because I changed channels rapidly, so I guess an older membership hadn't timed out yet.)
However, I've tried doing the IGMP settings on eth1/4, eth1/3, a group with both 3 and 4, and two groups with 3 and 4 in each. I have no idea about the other multicast settings - Rendezvous Point, PIM, etc. - I haven't touched anything else.
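To make the capture observations in the question concrete, here is an added example (not code from Palo Alto, Zyxel, or anyone in this thread) that parses the IGMPv2 message types named above (Membership Report, Leave Group, plus Query) with checksum validation, and keeps a membership table with the RFC 2236 default timeout, so it reproduces the "listed twice" effect after a quick channel change. The host address 192.168.1.61 is the one from the thread; the multicast group addresses and the packet bytes are constructed, not taken from a capture.

```python
"""IGMPv2 parser and membership tracker (added example; constructed data).

Not code from Palo Alto, Zyxel or anyone in this thread.  The packets are
built by build_igmpv2() below rather than taken from the poster's capture.
"""
import struct
from ipaddress import IPv4Address

# IGMPv2 message types (RFC 2236); the poster's capture showed the last two.
MEMBERSHIP_QUERY = 0x11
V1_MEMBERSHIP_REPORT = 0x12
MEMBERSHIP_REPORT = 0x16
LEAVE_GROUP = 0x17
TYPE_NAMES = {
    MEMBERSHIP_QUERY: "Membership Query",
    V1_MEMBERSHIP_REPORT: "IGMPv1 Membership Report",
    MEMBERSHIP_REPORT: "Membership Report",
    LEAVE_GROUP: "Leave Group",
}

# RFC 2236 default Group Membership Interval: robustness (2) * query
# interval (125 s) + query response interval (10 s) = 260 s.  A membership
# not refreshed by a report within this window is aged out.
GROUP_MEMBERSHIP_INTERVAL = 260.0


def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum used by IGMP (and IP/ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmpv2(msg_type: int, group: str, max_resp: int = 0) -> bytes:
    """Build an 8-byte IGMPv2 message with a correct checksum (sample data)."""
    body = struct.pack("!BBH4s", msg_type, max_resp, 0, IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def is_valid_igmpv2(payload: bytes) -> bool:
    """True if the message is long enough and its checksum verifies to zero."""
    return len(payload) >= 8 and inet_checksum(payload[:8]) == 0


def parse_igmpv2(payload: bytes) -> dict:
    """Decode type, max response time and group; ValueError on a bad message."""
    if not is_valid_igmpv2(payload):
        raise ValueError("truncated IGMP message or bad checksum")
    msg_type, max_resp, _csum, group = struct.unpack("!BBH4s", payload[:8])
    return {
        "type": msg_type,
        "name": TYPE_NAMES.get(msg_type, "unknown(0x%02x)" % msg_type),
        "max_resp_time": max_resp / 10.0,  # field is in tenths of a second
        "group": str(IPv4Address(group)),
    }


class MembershipTracker:
    """Keeps (group, reporter) entries the way an IGMP proxy or snooping
    switch does: refreshed by reports, dropped on leave or after timeout."""

    def __init__(self, interval: float = GROUP_MEMBERSHIP_INTERVAL):
        self.interval = interval
        self._expiry: dict[tuple[str, str], float] = {}

    def process(self, src_ip: str, payload: bytes, now: float) -> dict:
        msg = parse_igmpv2(payload)
        key = (msg["group"], src_ip)
        if msg["type"] in (MEMBERSHIP_REPORT, V1_MEMBERSHIP_REPORT):
            self._expiry[key] = now + self.interval
        elif msg["type"] == LEAVE_GROUP:
            # Simplification: a real querier first sends a group-specific
            # query and waits for other members before pruning the group.
            self._expiry.pop(key, None)
        return msg

    def active(self, now: float) -> list:
        """Age out stale entries and return the live (group, host) pairs."""
        self._expiry = {k: t for k, t in self._expiry.items() if t > now}
        return sorted(self._expiry)


def channel_change_demo() -> dict:
    """Replay the thread's observation: a set-top box reports a new group on
    each channel change, so two groups overlap until the old one ages out.
    Host address is from the thread; the group addresses are made up."""
    host = "192.168.1.61"
    tracker = MembershipTracker()
    tracker.process(host, build_igmpv2(MEMBERSHIP_REPORT, "239.1.1.10"), now=0.0)
    tracker.process(host, build_igmpv2(MEMBERSHIP_REPORT, "239.1.1.20"), now=5.0)
    after_switch = tracker.active(now=10.0)     # both groups still listed
    after_timeout = tracker.active(now=262.0)   # first group aged out at 260 s
    tracker.process(host, build_igmpv2(LEAVE_GROUP, "239.1.1.20"), now=263.0)
    after_leave = tracker.active(now=263.0)
    return {"after_switch": after_switch, "after_timeout": after_timeout,
            "after_leave": after_leave}


if __name__ == "__main__":
    for label, entries in channel_change_demo().items():
        print(label, entries)
```

Run as a script it prints the three membership snapshots; `parse_igmpv2` can equally be fed the IGMP payload of frames pulled from a packet capture once the IP header has been stripped, which is a quick way to confirm whether the firewall is seeing only the host's reports and leaves or also the querier's Membership Queries.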
IGMP proxy is done by a router. Traditionally firewalls are not routers in terms of full routing functionality. So unless the Palo can do IGMP proxy, I don't see how it can work. The Cisco ASA has the ability to act as IGMP proxy agent.
If that option is available on your CPE it will be on the TR-069 page. You have to login as supervisor to see that page. IIRC, the supervisor password is the admin password plus the last 5 of the mac (or is it the serial).
I did not have it inside the UI with my Zyxel devices. Best option is to get in touch with Zyxel and send them your config with the request to change to TR-181.
They will also provide the supervisor password.
Based upon NVD's description of CVE-2023-27992, I figured the vulnerability was present in a web server, and based upon my own experience with integrated devices affected by command injections, I figured this would be a CGI web server.
A few months later, shortly after IBM had released their blog, I was tasked with preparing a presentation to present my department to students from Blekinge Institute of Technology. I decided to give a presentation walking through how the Outpost24 Vulnerability Research department would go from a known CVE to a developed proof-of-concept scan/detection script, using my previous work on CVE-2023-27992. I needed to get some pretty pictures for the Zyxel device (CVE-2023-27992), so I opened my project files in Ghidra, as well as the unpacked firmware dumps. While already there, I decided to take a short detour and dig into what other modules were available in the firmware, for the fun of it.
An attacker can also just unpack the makekey binary from, e.g., firmware files downloaded from Zyxel and invoke it on their own machine. QEMU supplies an emulator, so it can be run even on x86_64 hosts despite the binary being some flavour of ARM.
Putting a bit of thought into the NAS design: what is persistent on it? Obviously any pictures and files stored on the NAS volumes, otherwise the device would be pointless, but what else? My idea: the firmware and the configs.
Outpost24 provides cybersecurity products and security testing services to help you reduce your attack surface. With direct access to our security experts for remediation guidance and validation, you can unburden your security team and improve your cyber resilience.
Ghost Labs is the specialist security unit within Outpost24, working in partnership with our clients to meet their penetration testing needs and objectives. Our experienced Offensive Security team offers enhanced and bespoke penetration testing services such as advanced network penetration testing, (web) application testing, Red Teaming assessments and complex web application exploitation, to help organizations get a true picture of their cyber risk. In addition, the Ghost Labs team is an active contributor to the security community through vulnerability research and a coordinated responsible disclosure program.
Ghost Labs performs hundreds of successful penetration tests for its customers, ranging from global enterprises to SMEs. Our team consists of highly skilled ethical hackers covering a wide range of advanced testing services to help companies keep up with evolving threats and new technologies, helping businesses drive security maturity and mitigate the risks posed by the evolving threats and techniques of the modern-day hacker.
I entered the computer security field thanks to Hollywood movies (Hackers) and YouTube videos before proceeding to study for a Master of Science in Engineering (Computer Security) at Blekinge Institute of Technology in 2019, and as of May 8th, 2024 I am finishing my thesis there.
Multiple critical vulnerabilities affecting various Zyxel devices have been seen exploited in the wild. The attackers have been observed deploying a Mirai-like botnet, inducing denial-of-service conditions. One of the vulnerabilities, CVE-2023-28771, which allows unauthenticated attackers to execute OS commands remotely, has a publicly available proof of concept (PoC).
Zyxel Networks is a communications equipment company with over 100 million devices globally, serving 1 million customers according to their website. The recently discovered vulnerabilities have been seen exploited in the wild and reportedly exploited by a Mirai-based botnet variant to cause DDoS. As reported by FortiGuard Outbreak Alerts in December 2022, the Zyxel USG FLEX was previously targeted by the Zerobot malware due to its OS command injection vulnerability (CVE-2022-30525). According to a Shodan search there are 40,000+ Zyxel devices exposed to the internet, and the number of vulnerable devices could be much higher, as the default settings of some of the devices are not internet exposed.
June 5, 2023: The Mirai-based botnet remains active, lately affecting multiple IoT devices. Go to Additional resources to review the Outbreaks and vulnerabilities related to/affected by the Mirai-based botnet.
June 5, 2023: FortiGuard added Threat Signal on Zyxel Multiple Firewall Vulnerabilities
FortiGuard Labs has released an IPS signature to detect attack attempts exploiting CVE-2023-28771 and is further investigating protections for CVE-2023-33009 and CVE-2023-33010. Antivirus signatures are available to detect and block known malware related to exploitation of vulnerable Zyxel devices.
It is strongly recommended to update ATP, USG Flex, VPN, and ZyWALL/USG firewalls as per the vendor advisory to prevent exploitation of the recent vulnerabilities and fully mitigate the risk, and to look for denial-of-service (DoS)-like symptoms that could arise if a device is compromised.