Kitz ADSL Broadband Information
Topic: Zyxel Remote Code Execution Vulnerability, yet no new firmware released

meritez (Reg Member)

https://www.zyxel.com/support/Zyxel-security-advisory-for-remote-code-execution-and-denial-of-service-vulnerabilities-of-CPE.shtml

Quote
Summary

Zyxel has released firmware updates for RCE and DoS vulnerabilities affecting some CPE models. Customers are advised to install the updates for optimal protection.


What is the vulnerability?

Remote code execution and denial-of-service vulnerabilities caused by the improper input sanitization of HTTP requests were identified in the zhttpd webserver on some Zyxel CPE.


What products are vulnerable—and what should you do?

After a thorough investigation, we have identified the vulnerable CPE that are within their warranty and support period and are releasing firmware patches to address the issue, as shown in the table below.

Please note that the table does NOT include customized models for internet service providers (ISPs). For ISP customers, please contact your Zyxel representative for further details. For users who purchased the listed devices on their own, please contact your local Zyxel support team for the new firmware file to ensure optimal protection.

Affected models        Patch available in
EMG3525-T50B           EMEA: V5.50(ABPM.4)C0 in Dec 2020; AM: V5.50(ABSL.0)b8 in Jan 2021
EMG5523-T50B           EMEA: V5.50(ABPM.4)C0 in Dec 2020; AM: V5.50(ABSL.0)b8 in Jan 2021
EMG5723-T50K           V5.50(ABOM.5)C0 in Dec 2020
EMG6726-B10A           V5.13 (ABNP.6).C0 in Feb 2021
EX3510-B0              V5.17(ABUP.3)C0 in Mar 2021
EX5510-B0              V5.15(ABQX.3)C0 in Jan 2021
VMG1312-T20B           V5.50(ABSB.3)C0 in Dec 2020
VMG3625-T50B           V5.50(ABPM.4)C0 in Dec 2020
VMG3925-B10B/B10C      V5.13(AAVF.16)C0 in Dec 2020
VMG3927-B50A_B60A      V5.15(ABMT.5)C0 in Dec 2020
VMG3927-B50B           V5.13(ABLY.6)C0 in Feb 2021
VMG3927-T50K           V5.50(ABOM.5)C0 in Dec 2020
VMG4005-B50B           V5.13(ABRL.5)C0 in Q3 2021
VMG4927-B50A           V5.13(ABLY.6)C0 in Feb 2021
VMG8623-T50B           V5.50(ABPM.4)C0 in Dec 2020
VMG8825-B50A_B60A      V5.15(ABMT.5)C0 in Dec 2020
VMG8825-Bx0B           V5.17(ABNY.5)C0 in Dec 2020
VMG8825-T50K           V5.50(ABOM.5)C0 in Dec 2020
VMG8924-B10D           V5.13(ABGQ.6)C0 in Dec 2020
XMG3927-B50A           V5.15(ABMT.5)C0 in Dec 2020
XMG8825-B50A           V5.15(ABMT.5)C0 in Dec 2020

Affected devices that I know people on Kitz use, VMG3925-B10B and VMG3925-B10C, and the XMG3927-B50A

But I cannot find this firmware on the Zyxel FTP site:
ftp://ftp.zyxel.com/VMG3925-B10C/firmware/
ftp://ftp.zyxel.com/VMG3925-B10B/firmware/
ftp://ftp.zyxel.com/XMG3927-B50A/firmware/

Would anyone who owns affected devices be able to help me with this, as this seems a vulnerability that needs to be fixed.

I have emailed security@zyxel.com.tw requesting copies of firmware for both devices I own
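The advisory table quoted above gives, per model, the build that carries the fix, so the practical question for any one unit is whether its running version string is at or past that build. The script below is an added example (not code from the thread and not Zyxel's) that parses the version strings in the form they appear in the table and compares them. Its assumptions: the grammar is V<major>.<minor>(<line>.<revision>)<stage><n>, read off the table's own strings; builds whose line codes differ (ABMT vs AAVF, say) belong to different firmware lines and cannot be ordered against each other; and a beta (b8) sorts before a release (C0) at otherwise equal numbers. The ADVISORY_FIXED table is a subset copied from the quote above, and the running-version string in the usage line is constructed for the example, not a real device's output.

```python
"""Compare a Zyxel CPE's running firmware string with the 'Patch available in' column.

Added example, not code from the thread or from Zyxel. The version grammar and the
ordering below are assumptions read off the strings in the advisory table."""
import re
import sys
from typing import NamedTuple

# Assumed grammar: V<major>.<minor>(<LINE>.<rev>)<stage><n>, e.g. V5.15(ABMT.5)C0.
# LINE (ABMT, ABPM, AAVF, ...) names a firmware line; builds from different lines are
# not comparable. Stage 'C' is a release and 'b' a beta (the table has V5.50(ABSL.0)b8);
# treating b as earlier than C at otherwise equal numbers is our assumption.
_VERSION_RE = re.compile(
    r"^\s*V(?P<major>\d+)\.(?P<minor>\d+)\s*"
    r"\(\s*(?P<line>[A-Z]+)\.(?P<rev>\d+)\s*\)\s*\.?\s*"  # tolerates 'V5.13 (ABNP.6).C0'
    r"(?P<stage>[bC])(?P<stage_n>\d+)\s*$"
)
_STAGE_RANK = {"b": 0, "C": 1}


class Version(NamedTuple):
    major: int
    minor: int
    line: str
    rev: int
    stage: str
    stage_n: int

    def order(self):
        """Sort key within one firmware line (assumed ordering)."""
        return (self.major, self.minor, self.rev, _STAGE_RANK[self.stage], self.stage_n)


def parse_version(text: str) -> Version:
    """Parse one advisory-style version string; raises ValueError on anything else."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Zyxel version string: {text!r}")
    return Version(int(m["major"]), int(m["minor"]), m["line"],
                   int(m["rev"]), m["stage"], int(m["stage_n"]))


def compare_firmware(running: str, fixed: str) -> str:
    """'patched' if running is at or past fixed, 'unpatched' if older,
    'different-line' if the two strings belong to different firmware lines."""
    r, f = parse_version(running), parse_version(fixed)
    if r.line != f.line:
        return "different-line"
    return "patched" if r.order() >= f.order() else "unpatched"


# Subset of the advisory table (single-region rows only), copied from the quote above.
ADVISORY_FIXED = {
    "EMG6726-B10A": "V5.13 (ABNP.6).C0",   # the advisory's own odd spacing, kept verbatim
    "VMG3925-B10B": "V5.13(AAVF.16)C0",
    "VMG3925-B10C": "V5.13(AAVF.16)C0",
    "VMG3927-B50A": "V5.15(ABMT.5)C0",
    "VMG8825-B50A": "V5.15(ABMT.5)C0",
    "VMG8924-B10D": "V5.13(ABGQ.6)C0",
    "XMG3927-B50A": "V5.15(ABMT.5)C0",
    "XMG8825-B50A": "V5.15(ABMT.5)C0",
}


def check_device(model: str, running: str) -> str:
    """Result for one device, or 'not-listed' when the advisory names no fix for the
    model (which, as the thread notes, does not mean the model is unaffected)."""
    fixed = ADVISORY_FIXED.get(model.upper())
    if fixed is None:
        return "not-listed"
    return compare_firmware(running, fixed)


if __name__ == "__main__":
    # usage: python zyxel_fw_check.py XMG3927-B50A "V5.13(ABMT.3)C0"   (constructed input)
    print(check_device(sys.argv[1], sys.argv[2]))
```

Because the comparison refuses to order builds from different lines, an ISP-customised unit (whose line code will not match the retail entry) reports different-line rather than a false "patched", which matches the advisory's note that ISP models are outside the table.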

tubaman (Addicted Kitizen)

"we have identified the vulnerable CPE that are within their warranty and support period and are releasing firmware patches to address the issue"

This suggests to me that other, older, devices are also affected but they aren't going to patch them, which isn't great really.
 :(
BT FTTC 80/20 Huawei Cab - Zyxel VMG8924-B10A

meritez (Reg Member)

https://www.cybersecurity-help.cz/vdb/SB2020121920

Quote
Q & A
Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

j0hn (Kitizen)

Quote from: tubaman
"we have identified the vulnerable CPE that are within their warranty and support period and are releasing firmware patches to address the issue"

This suggests to me that other, older, devices are also affected but they aren't going to patch them, which isn't great really.
 :(

Indeed, I fear you are correct. You missed a few critical words from the end of that quote...

Quote
as shown in the table below.

The devices listed are only those that are within their warranty and support period, and not necessarily all those affected.

For example the VMG8x24-B10A may also be affected, but it's well outside any support period.
Not good.

They clearly state the XMG3927-B50A will receive firmware version V5.15(ABMT.5)C0 in Dec 2020.
Currently V5.13 is on the ftp site.

They do state...

Quote
For users who purchased the listed devices on their own, please contact your local Zyxel support team for the new firmware file to ensure optimal protection.

Meaning the firmware may need to be obtained from Zyxel support until they update the ftp directories.
They may also just be behind their targeted firmware fix dates.

It would not surprise me if Zyxel ask for the serial number of any device to confirm it is a retail model before providing any support, as they have done many times in the past.

Quote
made request for source code, it's in a KCOM box  :lol:
model number XMG3927-B50A-GB01V1F

They may not give you any support as it's an ISP provided device unfortunately.
« Last Edit: March 09, 2021, 04:04:46 PM by j0hn »
Talktalk FTTP 550/75 - Speedtest - BQM

meritez (Reg Member)

I see hwupgradeit have managed to get hold of the patched firmware for the VMG8825-B50B with a changelog: https://www.hwupgrade.it/forum/showthread.php?t=2858661

Alex Atkin UK (Kitizen)

Quote from: tubaman
"we have identified the vulnerable CPE that are within their warranty and support period and are releasing firmware patches to address the issue"

This suggests to me that other, older, devices are also affected but they aren't going to patch them, which isn't great really.
 :(

I don't understand why companies are allowed to do this.

Surely a security vulnerability means the device was not fit for purpose when you bought it?
That should have zero bearing on if you are still within warranty or not when the problem is discovered.

I have to admit I'm a little confused at them saying it can be compromised from the Internet though:
Quote
The vulnerability exists due to insufficient validation of user-supplied input when processing HTTP requests in zhttpd webserver. A remote attacker can send specially crafted HTTP request to the affected device and execute arbitrary code on the system.

Surely the web server is not accessible from the WAN side in the first place?

It certainly should mean it's not an issue in bridge mode.

Obviously it CAN still be compromised from the LAN side, but if you have malware on the LAN side you already are potentially in trouble.
« Last Edit: March 09, 2021, 06:02:23 PM by Alex Atkin UK »
INTAKE (ECI) 2xHome Hub 5A (OpenWRT) on Zen & Plusnet, 1xHuawei H122-373 on Three 5G Router: pfSense (i5-7200U) WiFi: nanoHD (OpenWRT) + Honor Router 3
My Broadband History & Ping Quality Monitors
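Alex's question, whether the zhttpd admin interface can be reached from the WAN side at all, is one you can measure rather than guess at: run a probe from a LAN host against the modem's LAN address, and from an outside host against the line's public address, and see which side gets an HTTP answer. The script below is an added example for doing that, not code from the thread or from Zyxel. It only does a TCP connect and a HEAD request; it does not send anything malformed and says nothing about the vulnerability itself. When run with no arguments it starts Python's own http.server on a loopback port as a constructed stand-in for a CPE web UI so the probe can be exercised offline; that server is not zhttpd. A port that is reachable but does not answer with an HTTP status line (typically 443) is usually TLS; reachable is the exposure signal either way.

```python
"""Probe whether a CPE's HTTP admin interface answers from wherever this script runs.

Added example (not code from the thread or from Zyxel). Run it from a LAN host against
the modem's LAN address, and from an outside host against the line's public address."""
import http.server
import socket
import sys
import threading


def parse_response_head(raw: bytes) -> dict:
    """Parse the status line and headers of an HTTP response; {} if it is not HTTP."""
    head = raw.decode("iso-8859-1", errors="replace").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"status": int(parts[1]), "headers": headers}


def probe_http(host: str, port: int = 80, timeout: float = 3.0) -> dict:
    """TCP-connect to host:port, send HEAD /, and report what answered.

    reachable:     the port accepted a connection (something listens there)
    http:          the listener replied with an HTTP status line
    status/server: taken from that reply when present (server may be None)
    A reachable port with http=False is usually TLS (e.g. 443) or a non-HTTP service.
    """
    result = {"host": host, "port": port, "reachable": False,
              "http": False, "status": None, "server": None}
    buf = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["reachable"] = True
            sock.settimeout(timeout)
            request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            sock.sendall(request.encode("ascii"))
            # Read until the end of the header block (or the peer closes / times out).
            while b"\r\n\r\n" not in buf and len(buf) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                buf += chunk
    except OSError:
        pass  # refused, timed out or unreachable: keep whatever was learned so far
    parsed = parse_response_head(buf)
    if parsed:
        result["http"] = True
        result["status"] = parsed["status"]
        result["server"] = parsed["headers"].get("server")
    return result


def start_demo_server():
    """Constructed stand-in for a CPE web UI so the probe can run offline: Python's
    stock http.server on an ephemeral loopback port. This is not zhttpd."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0),
                                          http.server.SimpleHTTPRequestHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    # usage: python probe.py <host> [port ...]   (default ports 80 and 443)
    if len(sys.argv) >= 2:
        targets = [(sys.argv[1], int(p)) for p in (sys.argv[2:] or ["80", "443"])]
    else:
        srv, port = start_demo_server()
        targets = [("127.0.0.1", port)]
    for host, port in targets:
        print(probe_http(host, port))
```

Run from the LAN, a modem in bridge mode should still answer on its management address (that is how you administer it), which is peteS's and Weaver's point about the LAN side; run from outside against the public address, a result of reachable=False on 80 and 443 is the confirmation that the WAN side is not exposed, while reachable=True deserves a closer look at the remote-management settings.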

tubaman (Addicted Kitizen)

Quote from: Alex Atkin UK
I don't understand why companies are allowed to do this.

Surely a security vulnerability means the device was not fit for purpose when you bought it?
That should have zero bearing on if you are still within warranty or not when the problem is discovered.

...

I agree to a point but one can't expect them to patch products forever. I think there should be an expectation for a reasonable period of time after they stop making something - perhaps five years?
BT FTTC 80/20 Huawei Cab - Zyxel VMG8924-B10A

Alex Atkin UK (Kitizen)

Quote from: tubaman
I agree to a point but one can't expect them to patch products forever. I think there should be an expectation for a reasonable period of time after they stop making something - perhaps five years?

Sounds fair.  I mean nobody expects to have to replace their router every couple of years.

The ECI modems from Openreach had just over 5 years from date of manufacture on their warranty.  I wonder if that included software or if that was longer?  There must still be some of these out there in use, we know people still use the Huawei.
« Last Edit: March 09, 2021, 09:12:49 PM by Alex Atkin UK »
INTAKE (ECI) 2xHome Hub 5A (OpenWRT) on Zen & Plusnet, 1xHuawei H122-373 on Three 5G Router: pfSense (i5-7200U) WiFi: nanoHD (OpenWRT) + Honor Router 3
My Broadband History & Ping Quality Monitors

Computerman142 (Member)

Looks like there has been another security vulnerability found with the XMG3927-B50A https://www.zyxel.com/support/DNSpooq.shtml with a new firmware revision coming in June. No mention of the VMG89xx-Bxx or VMG39xxx-Bxx routers so look to be unaffected. Maybe they are going to delay putting the new versions of the firmware on the ftp site until then, or maybe they only update it every quarter not sure. My XMG3927-B50A is a retail version, well to my knowledge it is, I got it from Ballicom so should be. I will try emailing Zyxel support and see what they say or offer me a link to download the Dec 2020 firmware.

I know my friend down the road still uses the ECI modem that he got in 2012, he isn't bothered about replacing it as it works.

Alex Atkin UK (Kitizen)

Quote from: Computerman142
I know my friend down the road still uses the ECI modem that he got in 2012, he isn't bothered about replacing it as it works.

Based on what the capacitors in mine looked like I'd be placing bets on it going bang the next time he power cycles it. ;)  But otherwise absolutely.
INTAKE (ECI) 2xHome Hub 5A (OpenWRT) on Zen & Plusnet, 1xHuawei H122-373 on Three 5G Router: pfSense (i5-7200U) WiFi: nanoHD (OpenWRT) + Honor Router 3
My Broadband History & Ping Quality Monitors

gt94sss2 (Kitizen), Reply #10, March 09, 2021, 09:29:44 PM

Quote from: Alex Atkin UK
I don't understand why companies are allowed to do this.

Surely a security vulnerability means the device was not fit for purpose when you bought it?
That should have zero bearing on if you are still within warranty or not when the problem is discovered.

I assume someone who has purchased a VMG8924 etc. directly could try taking them to the Small Claims Court quoting the Consumer Rights Act 2015 - which can extend the warranty period to 6 years (depending on the product)

peteS (Member), Reply #11, March 09, 2021, 11:09:10 PM

Quote from: Alex Atkin UK
It certainly should mean it's not an issue in bridge mode.

Obviously it CAN still be compromised from the LAN side, but if you have malware on the LAN side you already are potentially in trouble.

Yep, given that this seems to be an http problem, Bridge mode seems fine - it's my Draytek behind the 8324 that's responding to any requests when bridging.  Given how old these are, I think there's a line when mainstream maintenance just isn't viable.  Bridge mode, up for a month at 80/20, no disconnects, £15 off ebay.  I think it's fit for its current purpose for me.  Now, if I'd bought something a year or so old, my attitude would likely be very different.

Weaver (Senior Kitizen; Retd s/w dev; A&A; 3x7km lines; Firebrick; IPv6), Reply #12, March 10, 2021, 01:45:21 AM

Out of sheer paranoia, I erected a firewall rule around my modems. The modems are all in modem-only mode and are not on the main LAN so to talk to one you have to go through my firewall-router. This rule prevents any machines other than my own two iPads from accessing the modems. It works on source MAC addresses, a pain for maintenance.

peteS (Member), Reply #13, March 10, 2021, 12:33:01 PM

Quote from: Weaver
Out of sheer paranoia, I erected a firewall rule around my modems. The modems are all in modem-only mode and are not on the main LAN so to talk to one you have to go through my firewall-router. This rule prevents any machines other than my own two iPads from accessing the modems. It works on source MAC addresses, a pain for maintenance.

Hmm - that does sound like paranoia - not that a bit of that hurts...  If you're running in bridge mode, there would have to be something incredibly wrong for traffic to route between the two bridges/interfaces I think.  I'm not saying that paranoia's a bad thing, but IMHO, if you're running bridge/modem, this one isn't anything to worry about that I can see.

Weaver (Senior Kitizen; Retd s/w dev; A&A; 3x7km lines; Firebrick; IPv6), Reply #14, March 10, 2021, 01:47:08 PM

Perhaps I misunderstood you, so apologies. It’s not about traffic getting routed like that, it’s about the remote possibility of a guest in my LAN getting access to the administrative interface on http port 80. This could otherwise happen because the router is explicitly programmed to route such admin traffic like that.