
Author Topic: Zyxel Remote Code Execution Vulnerability, yet no new firmware released  (Read 7888 times)

meritez

Re: Zyxel Remote Code Execution Vulnerability, yet no new firmware released
« Reply #15 on: March 10, 2021, 03:30:40 PM »

Would anyone be able to compare the differences in zhttpd in VMG1312-B10D AAXA8 and any of the VMG1312-B10A sources?
AAXA8 is where Zyxel introduced the new GUI 2.0 on the VMG1312-B10D.

Has anyone who purchased a Zyxel from A&A asked for the updated firmware?

Weaver

« Reply #16 on: March 10, 2021, 11:18:31 PM »

I purchased a VMG 1312-B10A from A&A. I’m running our own Johnson’s custom firmware in it. We could perhaps fix the bug in the sources on github. (See also https://forum.kitz.co.uk/index.php/topic,21545.msg372637.html)

ejs

« Reply #17 on: March 13, 2021, 06:50:08 PM »

There's no need to assume that the older models are affected. The VMG8924-B10A and VMG1312-B10A contain a httpd binary that is significantly larger than the zhttpd binary found in a VMG1312-B10A firmware and I suspect that the different HTTP daemon programs are substantially different, not merely renamed files.

tubaman

« Reply #18 on: March 14, 2021, 09:06:31 AM »

> There's no need to assume that the older models are affected. The VMG8924-B10A and VMG1312-B10A contain a httpd binary that is significantly larger than the zhttpd binary found in a VMG1312-B10A firmware and I suspect that the different HTTP daemon programs are substantially different, not merely renamed files.

That's good to know but these models are clearly out of support now, having had no firmware updates for two years.
BT FTTC 55/10 Huawei Cab - Zyxel VMG8924-B10A

Weaver

« Reply #19 on: March 14, 2021, 11:45:08 AM »

I’m glad I’m only using mine in modem-only (‘bridge’) mode.

meritez

« Reply #20 on: April 18, 2021, 02:43:58 PM »

I'm using the January 2021 firmware on my VMG8825; the main difference in the changelog is that the kernel is now 4.1 instead of 3.4.11.

meritez

« Reply #21 on: April 24, 2021, 09:42:02 PM »

Zyxel are not offering kernel sources until June for these new firmwares?

Currently poking Zyxel for VMG3925-B10B/B10C V5.13(AAVF.16)C0, released in Dec 2020.

Edit:
Asked for AAVF16, got AAVF17 instead  :-\
Code:
Firmware Version        : V5.13(AAVF.17)C0
Bootbase Version        : V1.63 | 07/22/2020 10:47:57
Vendor Name             : Zyxel Communications Corp.
Product Model           : VMG3925-B10C
« Last Edit: April 26, 2021, 05:12:05 PM by meritez »

SE


Any update on this?
XMG3927-B50A

On the site they point to old fw, not June 21  :'(

meritez


> Any update on this?
> XMG3927-B50A
>
> On the site they point to old fw, not June 21  :'(

If you buy direct from a Zyxel reseller, you can get the up-to-date firmware, as re0 and adslmax have done.

SE


> If you buy direct from a Zyxel reseller, you can get the up-to-date firmware, as re0 and adslmax have done.

I got it from the Zyxel Amazon store. Would I just email and ask?

meritez


> I got it from the Zyxel Amazon store. Would I just email and ask?

If you email support@zyxel.com they should just give you the new firmware.

SE


> If you email support@zyxel.com they should just give you the new firmware.

Thank you, meritez.

meritez


New firmware for protection against FragAttacks is due in Q3 2021:
https://www.zyxel.com/support/FragAttacks_against_WiFi_products.shtml

hushcoden


Were any of the owners of the XMG3927-B50A retail version able to get the latest official firmware from Zyxel and willing to share it?

meritez


> Were any of the owners of the XMG3927-B50A retail version able to get the latest official firmware from Zyxel and willing to share it?

@adslmax and @re0 have the latest version, not sure if @smallal does as well.