Lucene search

[email protected]CVE-2019-12583

HistoryJun 27, 2019 - 2:15 p.m.

CVE-2019-12583

2019-06-2714:15:10

CWE-425

[email protected]

web.nvd.nist.gov

cve

2019

12583

missing access control

zyxel

uag

usg

zywall

remote attacker

guest accounts

network access

denial of service

nvd

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:P/A:P

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

9 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

76.1%

JSON

Missing Access Control in the “Free Time” component of several Zyxel UAG, USG, and ZyWall devices allows a remote attacker to generate guest accounts by directly accessing the account generator. This can lead to unauthorised network access or Denial of Service.

Affected configurations

NVD

Node

zyxeluag2100_firmwareRange≤4.18\(aaiz.1\)c0

AND

zyxeluag2100Match-

Node

zyxeluag4100_firmwareRange≤4.18\(aatd.1\)c0

AND

zyxeluag4100Match-

Node

zyxeluag5100_firmwareRange≤4.18\(aapn.1\)c0

AND

zyxeluag5100Match-

Node

zyxelusg110_firmwareRange≤4.33\(aaph.0\)c0

AND

zyxelusg110Match-

Node

zyxelusg210_firmwareRange≤4.33\(aapi.0\)c0

AND

zyxelusg210Match-

Node

zyxelusg310_firmwareRange≤4.33\(aapj.0\)c0

AND

zyxelusg310Match-

Node

zyxelusg1100_firmwareRange≤4.33\(aapk.0\)c0

AND

zyxelusg1100Match-

Node

zyxelusg1900_firmwareRange≤4.33\(aapl.0\)c0

AND

zyxelusg1900Match-

Node

zyxelusg2200-vpn_firmwareRange≤4.33\(abae.0\)c0

AND

zyxelusg2200-vpnMatch-

Node

zyxelzywall_vpn100_firmwareRange≤10.02\(abfv.0\)c0

AND

zyxelzywall_vpn100Match-

Node

zyxelzywall_vpn300_firmwareRange≤10.02\(abfc.0\)c0

AND

zyxelzywall_vpn300Match-

Node

zyxelzywall_110_firmwareRange≤4.33\(aaaa.0\)c0

AND

zyxelzywall_110Match-

Node

zyxelzywall_310_firmwareRange≤4.33\(aaab.0\)c0

AND

zyxelzywall_310Match-

Node

zyxelzywall_1100_firmwareRange≤4.33\(aaac.0\)c0

AND

zyxelzywall_1100Match-

CPENameOperatorVersion
zyxel:uag2100_firmwarezyxel uag2100 firmwarele4.18\(aaiz.1\)c0

CPE	Name	Operator	Version
zyxel:uag2100_firmware	zyxel uag2100 firmware	le	4.18\(aaiz.1\)c0

References

n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generator-xss/

www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.shtml

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:P/A:P

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

9 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

76.1%

JSON

Related for CVE-2019-12583

prion1 nuclei1 cvelist1 nvd2 cve1