Kitz ADSL Broadband Information
Author Topic: Zyxel Remote Code Execution Vulnerability, yet no new firmware released  (Read 11662 times)

meritez

  • Content Team
  • Kitizen
  • *
  • Posts: 1797

tubaman

  • Senior Kitizen
  • ******
  • Posts: 12991

"we have identified the vulnerable CPE that are within their warranty and support period and are releasing firmware patches to address the issue"

This suggests to me that other, older, devices are also affected but they aren't going to patch them, which isn't great really.
 :(
BT FTTC 55/10 Huawei Cab - Zyxel VMG1312-B10A > BT 'Smart' Hub 2

meritez

  • Content Team
  • Kitizen
  • *
  • Posts: 1797

https://www.cybersecurity-help.cz/vdb/SB2020121920

Quote
Q & A
Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

j0hn

  • Kitizen
  • ****
  • Posts: 4122

Quote
"we have identified the vulnerable CPE that are within their warranty and support period and are releasing firmware patches to address the issue"

This suggests to me that other, older, devices are also affected but they aren't going to patch them, which isn't great really.
 :(

Indeed, I fear you are correct. You missed a few critical words from the end of that quote...

Quote
as shown in the table below.

The devices listed are only those that are within their warranty and support period, and not necessarily all those affected.

For example the VMG8x24-B10A may also be affected, but it's well outside any support period.
Not good.

They clearly state the XMG3927-B50A will receive firmware version V5.15(ABMT.5)C0 in Dec 2020.
Currently V5.13 is on the ftp site.

They do state...

Quote
For users who purchased the listed devices on their own, please contact your local Zyxel support team for the new firmware file to ensure optimal protection.

Meaning the firmware may need to be obtained from Zyxel support until they update the ftp directories.
They may also just be behind their targeted firmware fix dates.

It would not surprise me if Zyxel ask for the serial number of any device to confirm it is a retail model before providing any support, as they have done many times in the past.

Quote
made request for sourcecode, it's in a KCOM box  :lol:
model number XMG3927-B50A-GB01V1F

They may not give you any support as it's an ISP provided device unfortunately.
« Last Edit: March 09, 2021, 04:04:46 PM by j0hn »
Talktalk FTTP 550/75 - Speedtest - BQM
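
As an added example (not part of the original thread and not Zyxel's code), a check of an installed firmware string against the fixed release quoted in the post above. It assumes the string has the shape `V<major>.<minor>(<model code>.<n>)C<n>` and that the fields order left to right; `patch_status` is a hypothetical helper.

```python
import re

# Fixed release for the XMG3927-B50A, as quoted in the post above.
FIXED = "V5.15(ABMT.5)C0"

# Assumed shape: V<major>.<minor>, optionally followed by (<code>.<n>)C<n>.
_VERSION = re.compile(
    r"^V(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\((?P<code>[A-Z0-9]+)\.(?P<patch>\d+)\)(?:C(?P<c>\d+))?)?$"
)


def parse(version):
    """Split a version string into (model_code or None, tuple of numbers)."""
    m = _VERSION.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = [int(m["major"]), int(m["minor"])]
    if m["patch"] is not None:
        nums += [int(m["patch"]), int(m["c"] or 0)]
    return m["code"], tuple(nums)


def patch_status(installed, fixed=FIXED):
    """Return 'patched', 'unpatched' or 'unknown' for an installed version."""
    fixed_code, fixed_nums = parse(fixed)
    code, nums = parse(installed)
    if code is not None and code != fixed_code:
        return "unknown"  # different model code: the numbers are not comparable
    # Compare only the fields that both strings actually carry.
    n = min(len(nums), len(fixed_nums))
    if nums[:n] > fixed_nums[:n]:
        return "patched"
    if nums[:n] < fixed_nums[:n]:
        return "unpatched"
    # Equal on the shared fields: a truncated string cannot be decided.
    return "patched" if len(nums) == len(fixed_nums) else "unknown"


if __name__ == "__main__":
    # "V5.13" is the version the post reports on the ftp site.
    print(patch_status("V5.13"))
```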

meritez

  • Content Team
  • Kitizen
  • *
  • Posts: 1797

I see hwupgradeit have managed to get hold of the patched firmware for the VMG8825-B50B with a changelog: https://www.hwupgrade.it/forum/showthread.php?t=2858661

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5580
    • Thinkbroadband Quality Monitors

Quote
"we have identified the vulnerable CPE that are within their warranty and support period and are releasing firmware patches to address the issue"

This suggests to me that other, older, devices are also affected but they aren't going to patch them, which isn't great really.
 :(

I don't understand why companies are allowed to do this.

Surely a security vulnerability means the device was not fit for purpose when you bought it?
That should have zero bearing on if you are still within warranty or not when the problem is discovered.

I have to admit I'm a little confused at them saying it can be compromised from the Internet though:
Quote
The vulnerability exists due to insufficient validation of user-supplied input when processing HTTP requests in zhttpd webserver. A remote attacker can send specially crafted HTTP request to the affected device and execute arbitrary code on the system.

Surely the web server is not accessible from the WAN side in the first place?

It certainly should mean it's not an issue in bridge mode.

Obviously it CAN still be compromised from the LAN side, but if you have malware on the LAN side you already are potentially in trouble.
« Last Edit: March 09, 2021, 06:02:23 PM by Alex Atkin UK »
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + GL.iNet GL-X3000
Network: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX WiFi: Zyxel NWA210AX + Ubiquity NanoHD
Broadband History & Ping Monitor

tubaman

  • Senior Kitizen
  • ******
  • Posts: 12991

Quote
I don't understand why companies are allowed to do this.

Surely a security vulnerability means the device was not fit for purpose when you bought it?
That should have zero bearing on if you are still within warranty or not when the problem is discovered.

...

I agree to a point but one can't expect them to patch products forever. I think there should be an expectation for a reasonable period of time after they stop making something - perhaps five years?

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5580
    • Thinkbroadband Quality Monitors

Quote
I agree to a point but one can't expect them to patch products forever. I think there should be an expectation for a reasonable period of time after they stop making something - perhaps five years?

Sounds fair.  I mean nobody expects to have to replace their router every couple of years.

The ECI modems from Openreach had just over 5 years from date of manufacture on their warranty.  I wonder if that included software or if that was longer?  There must still be some of these out there in use, we know people still use the Huawei.
« Last Edit: March 09, 2021, 09:12:49 PM by Alex Atkin UK »

Computerman142

  • Member
  • **
  • Posts: 24

Looks like there has been another security vulnerability found with the XMG3927-B50A https://www.zyxel.com/support/DNSpooq.shtml with a new firmware revision coming in June. No mention of the VMG89xx-Bxx or VMG39xxx-Bxx routers, so they look to be unaffected. Maybe they are going to delay putting the new versions of the firmware on the ftp site until then, or maybe they only update it every quarter, not sure. My XMG3927-B50A is a retail version, well to my knowledge it is, I got it from Ballicom so should be. I will try emailing Zyxel support and see what they say or offer me a link to download the Dec 2020 firmware.

I know my friend down the road still uses the ECI modem that he got in 2012, he isn't bothered about replacing it as it works.

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5580
    • Thinkbroadband Quality Monitors

Quote
I know my friend down the road still uses the ECI modem that he got in 2012, he isn't bothered about replacing it as it works.

Based on what the capacitors in mine looked like I'd be placing bets on it going bang the next time he power cycles it. ;)  But otherwise absolutely.

gt94sss2

  • Kitizen
  • ****
  • Posts: 1286
Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
« Reply #10 on: March 09, 2021, 09:29:44 PM »

Quote
I don't understand why companies are allowed to do this.

Surely a security vulnerability means the device was not fit for purpose when you bought it?
That should have zero bearing on if you are still within warranty or not when the problem is discovered.

I assume someone who has purchased a VMG8924 etc. directly could try taking it to the Small Claims Court quoting the Consumer Rights Act 2015 - which can extend the warranty period to 6 years (depending on the product).

peteS

  • Member
  • **
  • Posts: 36
Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
« Reply #11 on: March 09, 2021, 11:09:10 PM »


Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
« Reply #12 on: March 10, 2021, 01:45:21 AM »

Out of sheer paranoia, I erected a firewall rule around my modems. The modems are all in modem-only mode and are not on the main LAN so to talk to one you have to go through my firewall-router. This rule prevents any machines other than my own two iPads from accessing the modems. It works on source MAC addresses, a pain for maintenance.

peteS

  • Member
  • **
  • Posts: 36
Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
« Reply #13 on: March 10, 2021, 12:33:01 PM »

Quote
Out of sheer paranoia, I erected a firewall rule around my modems. The modems are all in modem-only mode and are not on the main LAN so to talk to one you have to go through my firewall-router. This rule prevents any machines other than my own two iPads from accessing the modems. It works on source MAC addresses, a pain for maintenance.

Hmm - that does sound like paranoia - not that a bit of that hurts...  If you're running in bridge mode, there would have to be something incredibly wrong for traffic to route between the two bridges/interfaces I think.  I'm not saying that paranoia's a bad thing, but IMHO, if you're running bridge/modem, this one isn't anything to worry about that I can see.

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
« Reply #14 on: March 10, 2021, 01:47:08 PM »
