Kitz Forum
Broadband Related => Broadband Hardware => Topic started by: meritez on March 09, 2021, 01:37:40 PM
-
https://www.zyxel.com/support/Zyxel-security-advisory-for-remote-code-execution-and-denial-of-service-vulnerabilities-of-CPE.shtml
Summary
Zyxel has released firmware updates for RCE and DoS vulnerabilities affecting some CPE models. Customers are advised to install the updates for optimal protection.
What is the vulnerability?
Remote code execution and denial-of-service vulnerabilities caused by the improper input sanitization of HTTP requests were identified in the zhttpd webserver on some Zyxel CPE.
What products are vulnerable—and what should you do?
After a thorough investigation, we have identified the vulnerable CPE that are within their warranty and support period and are releasing firmware patches to address the issue, as shown in the table below.
Please note that the table does NOT include customized models for internet service providers (ISPs). For ISP customers, please contact your Zyxel representative for further details. For users who purchased the listed devices on their own, please contact your local Zyxel support team for the new firmware file to ensure optimal protection.
Affected models          Patch available in
EMG3525-T50B             EMEA: V5.50(ABPM.4)C0 in Dec 2020
                         AM:   V5.50(ABSL.0)b8 in Jan 2021
EMG5523-T50B             EMEA: V5.50(ABPM.4)C0 in Dec 2020
                         AM:   V5.50(ABSL.0)b8 in Jan 2021
EMG5723-T50K             V5.50(ABOM.5)C0 in Dec 2020
EMG6726-B10A             V5.13 (ABNP.6).C0 in Feb 2021
EX3510-B0                V5.17(ABUP.3)C0 in Mar 2021
EX5510-B0                V5.15(ABQX.3)C0 in Jan 2021
VMG1312-T20B             V5.50(ABSB.3)C0 in Dec 2020
VMG3625-T50B             V5.50(ABPM.4)C0 in Dec 2020
VMG3925-B10B/B10C        V5.13(AAVF.16)C0 in Dec 2020
VMG3927-B50A_B60A        V5.15(ABMT.5)C0 in Dec 2020
VMG3927-B50B             V5.13(ABLY.6)C0 in Feb 2021
VMG3927-T50K             V5.50(ABOM.5)C0 in Dec 2020
VMG4005-B50B             V5.13(ABRL.5)C0 in Q3 2021
VMG4927-B50A             V5.13(ABLY.6)C0 in Feb 2021
VMG8623-T50B             V5.50(ABPM.4)C0 in Dec 2020
VMG8825-B50A_B60A        V5.15(ABMT.5)C0 in Dec 2020
VMG8825-Bx0B             V5.17(ABNY.5)C0 in Dec 2020
VMG8825-T50K             V5.50(ABOM.5)C0 in Dec 2020
VMG8924-B10D             V5.13(ABGQ.6)C0 in Dec 2020
XMG3927-B50A             V5.15(ABMT.5)C0 in Dec 2020
XMG8825-B50A             V5.15(ABMT.5)C0 in Dec 2020
Affected devices that I know people on Kitz use: the VMG3925-B10B and VMG3925-B10C, and the XMG3927-B50A.
But I cannot find this firmware on the Zyxel FTP:
ftp://ftp.zyxel.com/VMG3925-B10C/firmware/
ftp://ftp.zyxel.com/VMG3925-B10B/firmware/
ftp://ftp.zyxel.com/XMG3927-B50A/firmware/
Would anyone who owns affected devices be able to help me with this, as this seems to be a vulnerability that needs fixing?
I have emailed security@zyxel.com.tw requesting copies of firmware for both devices I own.
-
"we have identified the vulnerable CPE that are within their warranty and support period and are releasing firmware patches to address the issue"
This suggests to me that other, older, devices are also affected but they aren't going to patch them, which isn't great really.
:(
-
https://www.cybersecurity-help.cz/vdb/SB2020121920
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
-
"we have identified the vulnerable CPE that are within their warranty and support period and are releasing firmware patches to address the issue"
This suggests to me that other, older, devices are also affected but they aren't going to patch them, which isn't great really.
:(
Indeed, I fear you are correct. You missed a few critical words from the end of that quote...
as shown in the table below.
The devices listed are only those that are within their warranty and support period, and not necessarily all those affected.
For example the VMG8x24-B10A may also be affected, but it's well outside any support period.
Not good.
They clearly state the XMG3927-B50A will receive firmware version V5.15(ABMT.5)C0 in Dec 2020.
Currently V5.13 is on the FTP site.
They do state...
For users who purchased the listed devices on their own, please contact your local Zyxel support team for the new firmware file to ensure optimal protection.
Meaning the firmware may need to be obtained from Zyxel support until they update the FTP directories.
They may also just be behind their targeted firmware fix dates.
It would not surprise me if Zyxel ask for the serial number of any device to confirm it is a retail model before providing any support, as they have done many times in the past.
Made a request for source code; it's in a KCOM box :lol:
model number XMG3927-B50A-GB01V1F
They may not give you any support as it's an ISP-provided device, unfortunately.
-
I see hwupgradeit have managed to get hold of the patched firmware for the VMG8825-B50B with a changelog: https://www.hwupgrade.it/forum/showthread.php?t=2858661
-
"we have identified the vulnerable CPE that are within their warranty and support period and are releasing firmware patches to address the issue"
This suggests to me that other, older, devices are also affected but they aren't going to patch them, which isn't great really.
:(
I don't understand why companies are allowed to do this.
Surely a security vulnerability means the device was not fit for purpose when you bought it?
That should have zero bearing on if you are still within warranty or not when the problem is discovered.
I have to admit I'm a little confused at them saying it can be compromised from the Internet though:
The vulnerability exists due to insufficient validation of user-supplied input when processing HTTP requests in zhttpd webserver. A remote attacker can send specially crafted HTTP request to the affected device and execute arbitrary code on the system.
Surely the web server is not accessible from the WAN side in the first place?
It certainly should mean it's not an issue in bridge mode.
Obviously it CAN still be compromised from the LAN side, but if you have malware on the LAN side you are already potentially in trouble.
-
I don't understand why companies are allowed to do this.
Surely a security vulnerability means the device was not fit for purpose when you bought it?
That should have zero bearing on if you are still within warranty or not when the problem is discovered.
...
I agree to a point but one can't expect them to patch products forever. I think there should be an expectation for a reasonable period of time after they stop making something - perhaps five years?
-
I agree to a point but one can't expect them to patch products forever. I think there should be an expectation for a reasonable period of time after they stop making something - perhaps five years?
Sounds fair. I mean nobody expects to have to replace their router every couple of years.
The ECI modems from Openreach had just over 5 years from date of manufacture on their warranty. I wonder if that included software or if that was longer? There must still be some of these out there in use, we know people still use the Huawei.
-
Looks like there has been another security vulnerability found with the XMG3927-B50A https://www.zyxel.com/support/DNSpooq.shtml, with a new firmware revision coming in June. No mention of the VMG89xx-Bxx or VMG39xxx-Bxx routers, so they look to be unaffected. Maybe they are going to delay putting the new versions of the firmware on the FTP site until then, or maybe they only update it every quarter; not sure. My XMG3927-B50A is a retail version, well, to my knowledge it is; I got it from Ballicom so it should be. I will try emailing Zyxel support and see what they say, or whether they offer me a link to download the Dec 2020 firmware.
I know my friend down the road still uses the ECI modem that he got in 2012, he isn't bothered about replacing it as it works.
-
I know my friend down the road still uses the ECI modem that he got in 2012, he isn't bothered about replacing it as it works.
Based on what the capacitors in mine looked like I'd be placing bets on it going bang the next time he power cycles it. ;) But otherwise absolutely.
-
I don't understand why companies are allowed to do this.
Surely a security vulnerability means the device was not fit for purpose when you bought it?
That should have zero bearing on if you are still within warranty or not when the problem is discovered.
I assume someone who has purchased a VMG8924 etc. directly could try taking it to the Small Claims Court quoting the Consumer Rights Act 2015, which can extend the warranty period to 6 years (depending on the product).
-
It certainly should mean it's not an issue in bridge mode.
Obviously it CAN still be compromised from the LAN side, but if you have malware on the LAN side you are already potentially in trouble.
Yep, given that this seems to be an HTTP problem, bridge mode seems fine; it's my Draytek behind the 8324 that's responding to any requests when bridging. Given how old these are, I think there's a line where mainstream maintenance just isn't viable. Bridge mode, up for a month at 80/20, no disconnects, £15 off eBay. I think it's fit for its current purpose for me. Now, if I'd bought something a year or so old, my attitude would likely be very different.
-
Out of sheer paranoia, I erected a firewall rule around my modems. The modems are all in modem-only mode and are not on the main LAN so to talk to one you have to go through my firewall-router. This rule prevents any machines other than my own two iPads from accessing the modems. It works on source MAC addresses, a pain for maintenance.
-
Out of sheer paranoia, I erected a firewall rule around my modems. The modems are all in modem-only mode and are not on the main LAN so to talk to one you have to go through my firewall-router. This rule prevents any machines other than my own two iPads from accessing the modems. It works on source MAC addresses, a pain for maintenance.
Hmm, that does sound like paranoia, not that a bit of that hurts... If you're running in bridge mode, there would have to be something incredibly wrong for traffic to route between the two bridges/interfaces, I think. I'm not saying that paranoia's a bad thing, but IMHO, if you're running bridge/modem, this one isn't anything to worry about that I can see.
-
Perhaps I misunderstood you, so apologies. It’s not about traffic getting routed like that, it’s about the remote possibility of a guest in my LAN getting access to the administrative interface on http port 80. This could otherwise happen because the router is explicitly programmed to route such admin traffic like that.
-
Would anyone be able to compare the differences in zhttpd between VMG1312-B10D AAXA8 and any of the VMG1312-B10A sources?
AAXA8 is where Zyxel introduced the new GUI 2.0 on the VMG1312-B10D.
Has anyone who purchased a Zyxel from A&A asked for the updated firmware?
-
I purchased a VMG1312-B10A from A&A. I'm running our own Johnson's custom firmware in it. We could perhaps fix the bug in the sources on GitHub. (See also https://forum.kitz.co.uk/index.php/topic,21545.msg372637.html)
-
There's no need to assume that the older models are affected. The VMG8924-B10A and VMG1312-B10A contain a httpd binary that is significantly larger than the zhttpd binary found in a VMG1312-B10A firmware and I suspect that the different HTTP daemon programs are substantially different, not merely renamed files.
-
There's no need to assume that the older models are affected. The VMG8924-B10A and VMG1312-B10A contain a httpd binary that is significantly larger than the zhttpd binary found in a VMG1312-B10A firmware and I suspect that the different HTTP daemon programs are substantially different, not merely renamed files.
That's good to know but these models are clearly out of support now, having had no firmware updates for two years.
-
I’m glad I’m only using mine in modem-only (‘bridge’) mode.
-
I'm using the January 2021 firmware on my VMG8825; the main difference in the changelog is that the kernel is now 4.1 instead of 3.4.11.
-
Zyxel are not offering kernel sources until June for these new firmwares?
Currently poking Zyxel for VMG3925-B10B/B10C V5.13(AAVF.16)C0, released in Dec 2020.
edit:
Asked for AAVF16, got AAVF17 instead :-\
Firmware Version : V5.13(AAVF.17)C0
Bootbase Version : V1.63 | 07/22/2020 10:47:57
Vendor Name : Zyxel Communications Corp.
Product Model : VMG3925-B10C
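Given that the version a device reports (AAVF.17 above) can differ from the one the advisory names (AAVF.16), it helps to have a repeatable way to decide whether an installed build is at or above the advisory's patched build. The following is an added example, not code from this thread or from Zyxel: it parses Zyxel's V5.13(AAVF.17)C0-style version strings and the status output pasted above, then compares against entries copied from the advisory table. The four-letter build code (AAVF, ABMT, ABSL, ...) identifies a model/region build, so the comparison refuses to proceed when the codes differ; treating a higher build number within the same code as "at least as new" is my assumption, the sample status block is constructed, and the function names are mine. Models sold through ISPs are not in the advisory's table at all, so a missing model is reported as "unknown" rather than as patched.

```python
import re
from typing import Dict, NamedTuple, Optional

# Zyxel CPE firmware strings take the form V<major>.<minor>(<code>.<build>)<suffix>,
# e.g. V5.13(AAVF.17)C0. The four-letter code identifies the model/region build
# (AAVF for the VMG3925-B10B/B10C, ABMT for the XMG3927-B50A, ABSL for the AM
# build of the EMG3525-T50B, ...), so build numbers only compare within one code.
_VERSION_RE = re.compile(
    r"^\s*V(?P<major>\d+)\.(?P<minor>\d+)\s*"        # V5.13 (a stray space is tolerated)
    r"\((?P<code>[A-Z]{4})\.(?P<build>\d+)\)\.?\s*"  # (AAVF.17), tolerating a stray '.'
    r"(?P<suffix>[A-Za-z]\d+)\s*$"                   # C0 (release) or b8 (beta)
)


class FwVersion(NamedTuple):
    code: str
    major: int
    minor: int
    build: int
    suffix: str  # "C0" release vs "b8" beta: kept for display, not compared


def parse_version(text: str) -> FwVersion:
    """Parse a Zyxel firmware string; ValueError if it does not fit the pattern."""
    m = _VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised Zyxel firmware string: {text!r}")
    return FwVersion(m["code"], int(m["major"]), int(m["minor"]),
                     int(m["build"]), m["suffix"])


def is_patched(installed: str, required: str) -> bool:
    """True if `installed` is at or above the advisory's `required` build.

    Assumption: within one build code, a higher (major, minor, build) tuple is
    newer. The codes must match: a device running an ABMT build cannot be
    assessed against an AAVF fix version, so that case raises rather than
    silently returning False.
    """
    i, r = parse_version(installed), parse_version(required)
    if i.code != r.code:
        raise ValueError(f"build code mismatch: device has {i.code}, advisory lists {r.code}")
    return (i.major, i.minor, i.build) >= (r.major, r.minor, r.build)


# Patched versions copied from the Zyxel advisory quoted earlier in this thread.
# Only a few models are listed here; extend as needed. ISP-customised models
# are deliberately absent, as they are from the advisory.
ADVISORY_PATCHED: Dict[str, str] = {
    "VMG3925-B10B": "V5.13(AAVF.16)C0",
    "VMG3925-B10C": "V5.13(AAVF.16)C0",
    "XMG3927-B50A": "V5.15(ABMT.5)C0",
    "VMG1312-T20B": "V5.50(ABSB.3)C0",
    "EMG6726-B10A": "V5.13 (ABNP.6).C0",  # as printed in the advisory; the regex tolerates it
}


def parse_status(status_text: str) -> Dict[str, str]:
    """Pull 'Key : Value' pairs out of the router's status output (first colon splits)."""
    fields: Dict[str, str] = {}
    for line in status_text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def assess(status_text: str) -> Optional[bool]:
    """True/False for patched/unpatched; None if the model is not in the advisory table."""
    fields = parse_status(status_text)
    required = ADVISORY_PATCHED.get(fields["Product Model"])
    if required is None:
        return None
    return is_patched(fields["Firmware Version"], required)


# Constructed sample, modelled on the status output pasted above in the thread.
SAMPLE_STATUS = """\
Firmware Version : V5.13(AAVF.17)C0
Bootbase Version : V1.63 | 07/22/2020 10:47:57
Vendor Name : Zyxel Communications Corp.
Product Model : VMG3925-B10C
"""

if __name__ == "__main__":
    print(parse_version("V5.13(AAVF.17)C0"))
    verdict = assess(SAMPLE_STATUS)
    print({True: "patched", False: "NOT patched", None: "model not in advisory table"}[verdict])
```

Paste a device's own status output into `assess()`; a `None` result means the advisory does not cover that model (for example an ISP-branded unit), and a `ValueError` on build code mismatch means the device is running a different regional build from the one the table lists, which is exactly the case where Zyxel's note about contacting your ISP or local support applies.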
-
Any update on this?
XMG3927-B50A
On the site they point to old FW, not June 21 :'(
-
Any update on this?
XMG3927-B50A
On the site they point to old FW, not June 21 :'(
If you buy direct from a Zyxel reseller, you can get the up-to-date firmware, as re0 and adslmax have done.
-
If you buy direct from a Zyxel reseller, you can get the up-to-date firmware, as re0 and adslmax have done.
I got it from the Zyxel Amazon store.
Would I just email and ask?
-
I got it from the Zyxel Amazon store.
Would I just email and ask?
If you email support@zyxel.com they should just give you the new firmware.
-
If you email support@zyxel.com they should just give you the new firmware.
Thank you, meritez.
-
New firmware for protection against FragAttacks is due in Q3 2021:
https://www.zyxel.com/support/FragAttacks_against_WiFi_products.shtml
-
Were any of the owners of the XMG3927-B50A retail version able to get the latest official firmware from Zyxel, and willing to share it?
-
Were any of the owners of the XMG3927-B50A retail version able to get the latest official firmware from Zyxel, and willing to share it?
@adslmax and @re0 have the latest version, not sure if @smallal does as well.
-
XMG3927: Last year they told me the fix would be out in Dec 2020, but it never happened.
I queried it again in early 2021 and was told it would be out in June 2021; still nothing!
Recently I was told it's not now arriving until Q3 2021.
I assume if there is a newer version out there it must be a BETA.
UPDATE: ftp://ftp.zyxel.com/XMG3927-B50A/firmware/ now has v5.17 available
Note: Microsoft Edge doesn't support FTP sites, so use IE11 or another browser to access it.