This is the second installment of our Zyxel audit series, in which we tear apart one of their security appliances.
As described in our previous article, during a red teaming exercise conducted for one of our customers, we identified some Zyxel ZyWALL Unified Security Gateway (USG) appliances that were used as both firewalls and VPN concentrators in their branch offices.
Some of our targets were updated to the latest firmware release, which was not affected by any known vulnerabilities. However, since we had some spare budget and a large-enough time window for the engagement, we decided to buy a similar device on eBay and spend some time auditing it on our own, just as we used to do 15 years ago in similar scenarios. Sure enough, over a few weeks of audit we found many cute bugs, some of which were exploitable to achieve remote code execution and penetrate the target corporate network.