Kitz Forum

Broadband Related => Broadband Hardware => Topic started by: meritez on March 09, 2021, 01:37:40 PM

Title: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
Post by: meritez on March 09, 2021, 01:37:40 PM
https://www.zyxel.com/support/Zyxel-security-advisory-for-remote-code-execution-and-denial-of-service-vulnerabilities-of-CPE.shtml

Quote
Summary

Zyxel has released firmware updates for RCE and DoS vulnerabilities affecting some CPE models. Customers are advised to install the updates for optimal protection.


What is the vulnerability?

Remote code execution and denial-of-service vulnerabilities caused by the improper input sanitization of HTTP requests were identified in the zhttpd webserver on some Zyxel CPE.


What products are vulnerable—and what should you do?

After a thorough investigation, we have identified the vulnerable CPE that are within their warranty and support period and are releasing firmware patches to address the issue, as shown in the table below.

Please note that the table does NOT include customized models for internet service providers (ISPs). For ISP customers, please contact your Zyxel representative for further details. For users who purchased the listed devices on their own, please contact your local Zyxel support team for the new firmware file to ensure optimal protection.

Affected models   Patch available in
EMG3525-T50B   
EMEA – V5.50(ABPM.4)C0 in Dec 2020
AM – V5.50(ABSL.0)b8 in Jan 2021
EMG5523-T50B   
EMEA – V5.50(ABPM.4)C0 in Dec 2020
AM – V5.50(ABSL.0)b8 in Jan 2021
EMG5723-T50K   V5.50(ABOM.5)C0 in Dec 2020
EMG6726-B10A   V5.13 (ABNP.6).C0 in Feb 2021
EX3510-B0   V5.17(ABUP.3)C0 in Mar 2021
EX5510-B0   V5.15(ABQX.3)C0 in Jan 2021
VMG1312-T20B   V5.50(ABSB.3)C0 in Dec 2020
VMG3625-T50B   V5.50(ABPM.4)C0 in Dec 2020
VMG3925-B10B/B10C   V5.13(AAVF.16)C0 in Dec 2020
VMG3927-B50A_B60A   V5.15(ABMT.5)C0 in Dec 2020
VMG3927-B50B   V5.13(ABLY.6)C0 in Feb 2021
VMG3927-T50K   V5.50(ABOM.5)C0 in Dec 2020
VMG4005-B50B   V5.13(ABRL.5)C0 in Q3 2021
VMG4927-B50A   V5.13(ABLY.6)C0 in Feb 2021
VMG8623-T50B   V5.50(ABPM.4)C0 in Dec 2020
VMG8825-B50A_B60A   V5.15(ABMT.5)C0 in Dec 2020
VMG8825-Bx0B   V5.17(ABNY.5)C0 in Dec 2020
VMG8825-T50K   V5.50(ABOM.5)C0 in Dec 2020
VMG8924-B10D   V5.13(ABGQ.6)C0 in Dec 2020
XMG3927-B50A   V5.15(ABMT.5)C0 in Dec 2020
XMG8825-B50A   V5.15(ABMT.5)C0 in Dec 2020

Affected devices that I know people on Kitz use, VMG3925-B10B and VMG3925-B10C, and the XMG3927-B50A

But I can not find this firmware in the zyxel ftp:
ftp://ftp.zyxel.com/VMG3925-B10C/firmware/
ftp://ftp.zyxel.com/VMG3925-B10B/firmware/
ftp://ftp.zyxel.com/XMG3927-B50A/firmware/

Would anyone who owns affected devices be able to help me with this, as this seems a vulnerability that needs to be fixed.

I have emailed security@zyxel.com.tw requesting copies of firmware for both devices I own
Title: Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
Post by: tubaman on March 09, 2021, 03:16:56 PM
"we have identified the vulnerable CPE that are within their warranty and support period and are releasing firmware patches to address the issue"

This suggests to me that other, older, devices are also affected but they aren't going to patch them, which isn't great really.
 :(
Title: Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
Post by: meritez on March 09, 2021, 03:40:21 PM
https://www.cybersecurity-help.cz/vdb/SB2020121920

Quote
Q & A
Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
Title: Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
Post by: j0hn on March 09, 2021, 03:57:16 PM
"we have identified the vulnerable CPE that are within their warranty and support period and are releasing firmware patches to address the issue"

This suggests to me that other, older, devices are also affected but they aren't going to patch them, which isn't great really.
 :(

Indeed, I fear you are correct. You missed a few critical words from the end of that quote...

Quote
as shown in the table below.

The devices listed are only those that are within their warranty and support period, and not necessarily all those affected.

For example the VMG8x24-B10A may also be affected, but it's well outside any support period.
Not good.

They clearly state the XMG3927-B50A will receive firmware version V5.15(ABMT.5)C0 in Dec 2020.
Currently V5.13 is on the ftp site.

They do state...

Quote
For users who purchased the listed devices on their own, please contact your local Zyxel support team for the new firmware file to ensure optimal protection.

Meaning the firmware may need to be obtained from Zyxel support until they update the ftp directories.
They may also just be behind their targeted firmware fix dates.

It would not surprise me if Zyxel ask for the serial number of any device to confirm it is a retail model before providing any support, as they have done many times in the past.

made request for sourcecode, it's in a KCOM box  :lol:
model number XMG3927-B50A-GB01V1F

They may not give you any support as it's an ISP provided device unfortunately.
Title: Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
Post by: meritez on March 09, 2021, 04:32:53 PM
I see hwupgradeit have managed to get hold of the patched firmware for the VMG8825-B50B with a changelog: https://www.hwupgrade.it/forum/showthread.php?t=2858661
Title: Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
Post by: Alex Atkin UK on March 09, 2021, 05:56:55 PM
"we have identified the vulnerable CPE that are within their warranty and support period and are releasing firmware patches to address the issue"

This suggests to me that other, older, devices are also affected but they aren't going to patch them, which isn't great really.
 :(

I don't understand why companies are allowed to do this.

Surely a security vulnerability means the device was not fit for purpose when you bought it?
That should have zero bearing on if you are still within warranty or not when the problem is discovered.

I have to admit I'm a little confused at them saying it can be compromised from the Internet though:
Quote
The vulnerability exists due to insufficient validation of user-supplied input when processing HTTP requests in zhttpd webserver. A remote attacker can send specially crafted HTTP request to the affected device and execute arbitrary code on the system.

Surely the web server is not accessible from the WAN side in the first place?

It certainly should mean its not an issue in bridge mode.

Obviously it CAN still be the compromised for the LAN side, but if you have malware on the LAN side you already are potentially in trouble.
Title: Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
Post by: tubaman on March 09, 2021, 06:14:56 PM
I don't understand why companies are allowed to do this.

Surely a security vulnerability means the device was not fit for purpose when you bought it?
That should have zero bearing on if you are still within warranty or not when the problem is discovered.

...

I agree to a point but one can't expect them to patch products forever. I think there should be an expectation for a reasonable period of time after they stop making something - perhaps five years?
Title: Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
Post by: Alex Atkin UK on March 09, 2021, 07:31:23 PM
I agree to a point but one can't expect them to patch products forever. I think there should be an expectation for a reasonable period of time after they stop making something - perhaps five years?

Sounds fair.  I mean nobody expects to have to replace their router every couple of years.

The ECI modems from Openreach had just over 5 years from date of manufacture on their warranty.  I wonder if that included software or if that was longer?  There must still be some of these out there in use, we know people still use the Huawei.
Title: Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
Post by: Computerman142 on March 09, 2021, 07:59:53 PM
Looks like there has been another security vulnerability found with the XMG3927-B50A https://www.zyxel.com/support/DNSpooq.shtml with a new firmware revision coming in June. No mention of the VMG89xx-Bxx or VMG39xxx-Bxx routers so look to be unaffected. Maybe they are going to delay putting the new versions of the firmware on the ftp site until then, or maybe they only update it every quarter not sure. My XMG3927-B50A is a retail version, well to my knowledge it is, I got it from Ballicom so should be. I will try emailing Zyxel support and see what they say or offer me a link to download the Dec 2020 firmware.

I know my friend down the road still uses the ECI modem that he got in 2012, he isn't bothered about replacing it as it works.
Title: Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
Post by: Alex Atkin UK on March 09, 2021, 09:12:36 PM
I know my friend down the road still uses the ECI modem that he got in 2012, he isn't bothered about replacing it as it works.

Based on what the capacitors in mine looked like I'd be placing bets on it going bang the next time he power cycles it. ;)  But otherwise absolutely.
Title: Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
Post by: gt94sss2 on March 09, 2021, 09:29:44 PM
I don't understand why companies are allowed to do this.

Surely a security vulnerability means the device was not fit for purpose when you bought it?
That should have zero bearing on if you are still within warranty or not when the problem is discovered.

I assume someone who has purchased a VMG8924 etc. directly could try taking to the Small Claims Court quoting the Consumer Rights Act 2015 - which can extend the warranty period to 6 years (depending on the product)
Title: Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
Post by: peteS on March 09, 2021, 11:09:10 PM


It certainly should mean it's not an issue in bridge mode.

Obviously it CAN still be the compromised for the LAN side, but if you have malware on the LAN side you already are potentially in trouble.

Yep, given that this seems to be an http problem, Bridge mode seems fine - it's my Draytek behind the 8324 that's responding to any requests when bridging.  Given how old these are, I think there's a line when mainstream maintenance just isn't viable.  Bridge mode, up for a month at 80/20, no disconnects, £15 off ebay.  I think it's fit for its current purpose for me.  Now, if I'd bought something a year or so old, my attitude would likely be very different.
Title: Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
Post by: Weaver on March 10, 2021, 01:45:21 AM
Out of sheer paranoia, I erected a firewall rule around my modems. The modems are all in modem-only mode and are not on the main LAN so to talk to one you have to go through my firewall-router. This rule prevents any machines other than my own two iPads from accessing the modems. It works on source MAC addresses, a pain for maintenance.
Title: Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
Post by: peteS on March 10, 2021, 12:33:01 PM
Out of sheer paranoia, I erected a firewall rule around my modems. The modems are all in modem-only mode and are not on the main LAN so to talk to one you have to go through my firewall-router. This rule prevents any machines other than my own two iPads from accessing the modems. It works on source MAC addresses, a pain for maintenance.

Hmm - that does sound like paranoia - not that a bit of that hurts...  If you're running in bridge mode, there would have to be something incredibly wrong for traffic to route between the two bridges/interfaces I think.  I'm not saying that paranoia's a bad thing, but IMHO, if you're running bridge/modem, this one isn't anything to worry about that I can see.
Title: Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
Post by: Weaver on March 10, 2021, 01:47:08 PM
Perhaps I misunderstood you, so apologies. It’s not about traffic getting routed like that, it’s about the remote possibility of a guest in my LAN getting access to the administrative interface on http port 80. This could otherwise happen because the router is explicitly programmed to route such admin traffic like that.
Title: Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
Post by: meritez on March 10, 2021, 03:30:40 PM
Would anyone be able to compare the differences in zhttpd in VMG1312-B10D AAXA8 and any of the VMG1312-B10A sources?
AAXA8 is where Zyxel introduced the new GUI 2.0 on the VMG1312-B10D

anyone purchased a Zyxel from A&A asked for the updated firmware?
Title: Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
Post by: Weaver on March 10, 2021, 11:18:31 PM
I purchased a VMG 1312-B10A from A&A. I’m running our own Johnson’s custom firmware in it. We could perhaps fix the bug in the sources on github. (See also https://forum.kitz.co.uk/index.php/topic,21545.msg372637.html)
Title: Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
Post by: ejs on March 13, 2021, 06:50:08 PM
There's no need to assume that the older models are affected. The VMG8924-B10A and VMG1312-B10A contain a httpd binary that is significantly larger than the zhttpd binary found in a VMG1312-B10A firmware and I suspect that the different HTTP daemon programs are substantially different, not merely renamed files.
Title: Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
Post by: tubaman on March 14, 2021, 09:06:31 AM
There's no need to assume that the older models are affected. The VMG8924-B10A and VMG1312-B10A contain a httpd binary that is significantly larger than the zhttpd binary found in a VMG1312-B10A firmware and I suspect that the different HTTP daemon programs are substantially different, not merely renamed files.
That's good to know but these models are clearly out of support now, having had no firmware updates for two years.
Title: Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
Post by: Weaver on March 14, 2021, 11:45:08 AM
I’m glad I’m only using mine in modem-only (‘bridge’) mode.
Title: Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
Post by: meritez on April 18, 2021, 02:43:58 PM
I'm using the January 2021 firmware on my vmg8825, main difference in the changelog is the kernel is now 4.1 instead of 3.4.11
Title: Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
Post by: meritez on April 24, 2021, 09:42:02 PM
Zyxel are not offering kernel sources until June for these new firmwares?

Currently poking Zyxel for VMG3925-B10B/B10C   V5.13(AAVF.16)C0 released in Dec 2020

edit:
Asked for AAVF16, got AAVF17 instead  :-\
Code: [Select]
Firmware Version        : V5.13(AAVF.17)C0
Bootbase Version        : V1.63 | 07/22/2020 10:47:57
Vendor Name             : Zyxel Communications Corp.
Product Model           : VMG3925-B10C
Title: Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
Post by: SE on June 14, 2021, 08:31:55 AM
Any update on this?
XMG3927-B50A

On the site they point to old fw, not June 21  :'(
Title: Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
Post by: meritez on June 14, 2021, 08:48:12 AM
Any update on this?
XMG3927-B50A

On the site they point to old fw, not June 21  :'(

if you buy direct from a zyxel reseller, you can get the up to date firmware, as re0 and adslmax have done.
Title: Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
Post by: SE on June 14, 2021, 09:21:04 AM
if you buy direct from a zyxel reseller, you can get the up to date firmware, as re0 and adslmax have done.
I got it from the zyxel amazon store
Would I just email and ask?
Title: Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
Post by: meritez on June 14, 2021, 10:06:56 AM
I got it from the zyxel amazon store
Would I just email and ask?

If you email support@zyxel.com they should just give you the new firmware.
Title: Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
Post by: SE on June 14, 2021, 10:35:49 AM
If you email support@zyxel.com they should just give you the new firmware.
Thank you meritez

Title: Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
Post by: meritez on June 14, 2021, 10:40:40 AM
New firmware for protection against FragAttacks is due in Q3 2021:
https://www.zyxel.com/support/FragAttacks_against_WiFi_products.shtml