Please see Security Advisories for the week ending January 1, 2021
- Zyxel releases firmware update for hardcoded credential vulnerability
- Google Revealed Improperly Patched Windows Zero-Day Vulnerability
Over 100,000 Zyxel firewalls, VPN gateways, and access point controllers are vulnerable due to a secret hardcoded administrative backdoor account used to update the devices' firmware.
This vulnerability is due to a hardcoded credential for an admin-level account used to deliver automatic firmware updates.
An attacker who successfully exploits this vulnerability can gain access to the vulnerable device(s) and pivot to internal networks for additional attacks.
Zyxel has released new firmware, ZLD V4.60 Patch 1, to remove the hardcoded credential. Zyxel strongly recommends updating to the newest firmware to protect against this vulnerability. Additional information can be found in the link below.
For a more detailed overview:
Google security analysts have found that CVE-2020-17008 was improperly patched. This vulnerability affects the Windows print spooler API. Windows 10, 8.1, Server 2012, Server 2016, and Server 2019 are affected.
The vulnerability lies in splwow64.exe. The attacker would need to log on to the system to abuse the vulnerability.
An attacker can manipulate the memory of splwow64.exe and gain elevated privileges.
Microsoft is planning on patching this issue in the January 2021 Patch Tuesday. Microsoft recommends patching this vulnerability as soon as possible after release.