Kitz ADSL Broadband Information
adsl spacer  
Support this site
Home Broadband ISPs Tech Routers Wiki Forum
 
     
   Compare ISP   Rate your ISP
   Glossary   Glossary
 
Please login or register.

Login with username, password and session length
Advanced search  

News:

Pages: 1 [2]

Author Topic: Zyxel Remote Code Execution Vulnerability, yet no new firmware released  (Read 1746 times)

meritez

  • Reg Member
  • ***
  • Posts: 408
Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
« Reply #15 on: March 10, 2021, 03:30:40 PM »

Would anyone be able to compare the differences in zhttpd in VMG1312-B10D AAXA8 and any of the VMG1312-B10A sources?
AAXA8 is where Zyxel introduced the new GUI 2.0 on the VMG1312-B10D

anyone purchased a Zyxel from A&A asked for the updated firmware?
Logged

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 9812
  • Retd sw dev; A&A; 4 ◊ 7km ADSL2; IPv6; Firebrick
Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
« Reply #16 on: March 10, 2021, 11:18:31 PM »

I purchased a VMG 1312-B10A from A&A. Iím running our own Johnsonís custom firmware in it. We could perhaps fix the bug in the sources on github. (See also https://forum.kitz.co.uk/index.php/topic,21545.msg372637.html)
Logged

ejs

  • Kitizen
  • ****
  • Posts: 2077
Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
« Reply #17 on: March 13, 2021, 06:50:08 PM »

There's no need to assume that the older models are affected. The VMG8924-B10A and VMG1312-B10A contain a httpd binary that is significantly larger than the zhttpd binary found in a VMG1312-B10A firmware and I suspect that the different HTTP daemon programs are substantially different, not merely renamed files.
Logged

tubaman

  • Addicted Kitizen
  • *****
  • Posts: 7207
Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
« Reply #18 on: March 14, 2021, 09:06:31 AM »

There's no need to assume that the older models are affected. The VMG8924-B10A and VMG1312-B10A contain a httpd binary that is significantly larger than the zhttpd binary found in a VMG1312-B10A firmware and I suspect that the different HTTP daemon programs are substantially different, not merely renamed files.
That's good to know but these models are clearly out of support now, having had no firmware updates for two years.
Logged
BT FTTC 80/20 Huawei Cab - Zyxel VMG8924-B10A

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 9812
  • Retd sw dev; A&A; 4 ◊ 7km ADSL2; IPv6; Firebrick
Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
« Reply #19 on: March 14, 2021, 11:45:08 AM »

Iím glad Iím only using mine in modem-only (Ďbridgeí) mode.
Logged

meritez

  • Reg Member
  • ***
  • Posts: 408
Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
« Reply #20 on: April 18, 2021, 02:43:58 PM »

I'm using the January 2021 firmware on my vmg8825, main difference in the changelog is the kernel is now 4.1 instead of 3.4.11
Logged

meritez

  • Reg Member
  • ***
  • Posts: 408
Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
« Reply #21 on: April 24, 2021, 09:42:02 PM »

Zyxel are not offering kernel sources until June for these new firmwares?

Currently poking Zyxel for VMG3925-B10B/B10C   V5.13(AAVF.16)C0 released in Dec 2020

edit:
Asked for AAVF16, got AAVF17 instead  :-\
Code: [Select]
Firmware Version        : V5.13(AAVF.17)C0
Bootbase Version        : V1.63 | 07/22/2020 10:47:57
Vendor Name             : Zyxel Communications Corp.
Product Model           : VMG3925-B10C
« Last Edit: April 26, 2021, 05:12:05 PM by meritez »
Logged
Pages: 1 [2]
 

anything