Zyxel firewalls borked by buggy update, on-site access required for fix
(2025/01/27)
- Reference: 1737991812
- News link: https://www.theregister.co.uk/2025/01/27/zyxel_firewall_buggy_update/
- Source link:
Zyxel customers are dealing with a range of issues including reboot loops after an update on Friday went awry.
The Taiwanese vendor updated application signatures for some of its firewalls between Friday and Saturday but insists the issues are unrelated to security or specific vulnerabilities.
"We've found an issue affecting a few devices that may cause reboot loops, ZySH daemon failures, or login access problems," Zyxel's [1]advisory reads. "The system LED may also flash. Please note this is not related to a CVE or security issue.
[2]
"The issue stems from a failure in the Application Signature Update, not a firmware upgrade. To address this, we've disabled the application signature on our servers, preventing further impact on firewalls that haven't loaded the new signature versions."
[3]
[4]
In addition to boot loops, some users are experiencing glitches such as being unable to enter console commands, unusually high CPU usage, and various other error messages.
The firewalls affected include USG Flex boxes and ATP Series devices running ZLD firmware versions – installations that have active security licenses and dedicated signature updates enabled in on-premises/standalone mode.
[5]
Those running on the Nebula platform, on USG Flex H (uOS), and those without valid security licenses are not affected.
[6]'Mirai-like' botnet observed attacking EOL Zyxel NAS devices
[7]Emergency patches released for critical vulns impacting EOL Zyxel NAS boxes
[8]Uh-oh, update Google Chrome – exploit already out there for one of these 6 security holes
[9]Zyxel storage, firewall, VPN, security boxes have a give-anyone-on-the-internet-root hole: Patch right now
It also says that currently, there is only one way to get around this, and it is "not ideal."
The "not ideal" part is that [10]sysadmins will need physical access to the firewall and a Console/RS232 cable to begin the recovery process.
Zyxel details each step in its advisory, but it involves creating a backup file before installing the new firmware.
There are no remote options available, the vendor said. It alluded to potentially available approaches that might work in "very rare" cases, but even then, they might lead to other issues such as losing config files, so they aren't recommended or even detailed.
[11]
Zyxel warned that those with systems running in Device-HA mode should contact Zyxel support directly for tailored assistance.
Support agents are available via phone and web chat for admins needing assistance to get their boxes back online. Zyxel also reopened its [12]Microsoft Teams channel today to address customer needs. ®
Get our [13]Tech Resources
[1] https://support.zyxel.eu/hc/en-us/articles/24159250192658-USG-FLEX-ATP-Series-Recovery-Steps-for-Application-Signature-Issue-on-January-24th-2025#h_01FY40AB87NBJ94AXVSWECEPGD
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/networks&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z5e7toV9VxBt4bCF0GpxXwAAAIE&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/networks&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z5e7toV9VxBt4bCF0GpxXwAAAIE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/networks&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z5e7toV9VxBt4bCF0GpxXwAAAIE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/networks&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z5e7toV9VxBt4bCF0GpxXwAAAIE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[6] https://www.theregister.com/2024/06/24/mirailike_botnet_zyxel_nas/
[7] https://www.theregister.com/2024/06/05/zyxel_emergency_patches_nas/
[8] https://www.theregister.com/2023/11/30/chrome_zeroday/
[9] https://www.theregister.com/2020/02/26/zyxel_security_hole/
[10] https://www.theregister.com/2023/06/28/the_death_of_the_sysadmin/
[11] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/networks&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z5e7toV9VxBt4bCF0GpxXwAAAIE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[12] https://www.theregister.com/2024/08/21/microsoft_unifies_teams_apps/
[13] https://whitepapers.theregister.com/
The Taiwanese vendor updated application signatures for some of its firewalls between Friday and Saturday but insists the issues are unrelated to security or specific vulnerabilities.
"We've found an issue affecting a few devices that may cause reboot loops, ZySH daemon failures, or login access problems," Zyxel's [1]advisory reads. "The system LED may also flash. Please note this is not related to a CVE or security issue.
[2]
"The issue stems from a failure in the Application Signature Update, not a firmware upgrade. To address this, we've disabled the application signature on our servers, preventing further impact on firewalls that haven't loaded the new signature versions."
[3]
[4]
In addition to boot loops, some users are experiencing glitches such as being unable to enter console commands, unusually high CPU usage, and various other error messages.
The firewalls affected include USG Flex boxes and ATP Series devices running ZLD firmware versions – installations that have active security licenses and dedicated signature updates enabled in on-premises/standalone mode.
[5]
Those running on the Nebula platform, on USG Flex H (uOS), and those without valid security licenses are not affected.
[6]'Mirai-like' botnet observed attacking EOL Zyxel NAS devices
[7]Emergency patches released for critical vulns impacting EOL Zyxel NAS boxes
[8]Uh-oh, update Google Chrome – exploit already out there for one of these 6 security holes
[9]Zyxel storage, firewall, VPN, security boxes have a give-anyone-on-the-internet-root hole: Patch right now
It also says that currently, there is only one way to get around this, and it is "not ideal."
The "not ideal" part is that [10]sysadmins will need physical access to the firewall and a Console/RS232 cable to begin the recovery process.
Zyxel details each step in its advisory, but it involves creating a backup file before installing the new firmware.
There are no remote options available, the vendor said. It alluded to potentially available approaches that might work in "very rare" cases, but even then, they might lead to other issues such as losing config files, so they aren't recommended or even detailed.
[11]
Zyxel warned that those with systems running in Device-HA mode should contact Zyxel support directly for tailored assistance.
Support agents are available via phone and web chat for admins needing assistance to get their boxes back online. Zyxel also reopened its [12]Microsoft Teams channel today to address customer needs. ®
Get our [13]Tech Resources
[1] https://support.zyxel.eu/hc/en-us/articles/24159250192658-USG-FLEX-ATP-Series-Recovery-Steps-for-Application-Signature-Issue-on-January-24th-2025#h_01FY40AB87NBJ94AXVSWECEPGD
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/networks&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z5e7toV9VxBt4bCF0GpxXwAAAIE&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/networks&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z5e7toV9VxBt4bCF0GpxXwAAAIE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/networks&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z5e7toV9VxBt4bCF0GpxXwAAAIE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/networks&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z5e7toV9VxBt4bCF0GpxXwAAAIE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[6] https://www.theregister.com/2024/06/24/mirailike_botnet_zyxel_nas/
[7] https://www.theregister.com/2024/06/05/zyxel_emergency_patches_nas/
[8] https://www.theregister.com/2023/11/30/chrome_zeroday/
[9] https://www.theregister.com/2020/02/26/zyxel_security_hole/
[10] https://www.theregister.com/2023/06/28/the_death_of_the_sysadmin/
[11] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/networks&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z5e7toV9VxBt4bCF0GpxXwAAAIE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[12] https://www.theregister.com/2024/08/21/microsoft_unifies_teams_apps/
[13] https://whitepapers.theregister.com/
Is it just me?
Anonymous Coward
"To address this, we've disabled the application signature on our servers"
Either the application signing wasn't necessary, or Zyxel just opened a new attack route AND announced it?
"Those ....... without valid security licenses are not affected."
Not exactly an advert for having a valid security licence is it, lads?
Zyxel?
Anonymous Coward
No idea they were still around - haven't heard of them in >30 years (I believe the context at the time was @*#!* winmodems!)
Re: Zyxel?
Anonymous Coward
No, they made overheat/lockup-prone external modems, too.
Yet another reason not to enable automatic updates
> those without valid security licenses are not affected
Sounds like the usual Microsoft-style approach of "pay us, and we'll break your systems first!"
I wonder if their NAS boxes are also affected