A researcher has discovered a backdoor credential hidden inside ZyXEL LTE indoor routers. The hard-coded backdoor credential tracked as CVE-2022-40602, allows remote access to any attacker.

The backdoor credential

A researcher (ReSolver) discovered the password hidden inside ZyXEL LTE3301-M209 firmware routers. The firmware of this device, which comprises three main sections  LZMA section, the root-fs, and the www content, has a file containing the credentials written on it.
  • The file, stored inside the www content section of the firmware section, contains the Zlib magic bytes.
  • These Zlib magic bytes can be read using the OpenSSL or zlib-flate utilities in Unix. Alternatively, on Windows OS, a user can convert the zlib file into a gzip file and then read it using 7zip.
  • When the researcher unpacked the file, it exposed the telnet login password. Further, there were WebUI credentials (WebUI/telnet credentials) that could allow the attacker to own the device.

A few days later, the same expert found a Telnet backdoor in D-Link DWR-921 as well. The company released a security bulletin, however, they refused to fix the bug as the product had reached End of Life (EOL).

Timeline of events

  • On September 12, the vulnerability was reported to ZyXEL. The firm asked for the details to replicate the vulnerability, which was provided by the researcher.
  • On September 14, ZyXEL verified the issues affecting the LTE3301-M209 model. ZyXEL was working on the issue to fix it. 
  • On October 19, the issue was tracked as CVE-2022-40602. 
  • On November 22, ZyXEL published a security bulletin, and a firmware fix was released. 
  • On December 24, the issue was made public.

Concluding notes

The users of vulnerable routers are suggested to apply the patch immediately. Moreover, the coordination between the researcher and the ZyXEL highlight the fact that clear communication and collaboration between the two complementary matters can significantly reduce the risks of exploitation of such bugs in the wild.
Cyware Publisher

Publisher

Cyware