J-Security Center

Title: ZyXEL Gateway Products Multiple Vulnerabilities

Severity: CRITICAL

Description:

ZyXEL gateway products are devices for home and small-office applications that provide gateway functionality and support various interfaces.

ZyXEL gateway products are prone to multiple vulnerabilities:

1. A privilege-escalation vulnerability occurs because the device's web interface fails to properly validate access to certain scripts. Specifically, by requesting certain URIs, an attacker with 'user' privileges can access scripts designed to be available only for administrators. The affected scripts fail to verify privileges and when accessed will allow a user to view and alter the device's administration settings. Please note that attackers could potentially use this issue to obtain the 'admin' password. The following scripts are vulnerable:

WAN.html
WLAN_General.html
WLAN.html
LAN_IP.html
NAT_General.html
Firewall_DefPolicy.html
CF_Keyword.html
StaticRoute.html
BW_Title.html
rpDyDNS.html
RemMagWWW.html
rpUPNP.html
rpSysAdmin.html
ViewLog.html
rpFWUpload.html
DiagGeneral.html

NOTE: model P-660HW-D1 running firmware 3.40(AGL.4) | 01/10/2007 is not affected by the above issue.
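The flaw in issue 1 is that each administrative script is expected to check the caller's privilege itself, and the listed scripts do not. The added example below (written for this page, not ZyXEL's code) shows the defensive pattern: one central, default-deny authorization check consulted before any script is served, with the request URI canonicalised first so that the same script cannot be reached under a spelling the policy table does not mention. The admin-only set is the advisory's list; `USER_PAGES` and the case-insensitive matching are assumptions.

```python
import posixpath

# Scripts the advisory lists as reachable by a 'user' account although they
# are intended for administrators only.
ADMIN_ONLY = {
    "WAN.html", "WLAN_General.html", "WLAN.html", "LAN_IP.html",
    "NAT_General.html", "Firewall_DefPolicy.html", "CF_Keyword.html",
    "StaticRoute.html", "BW_Title.html", "rpDyDNS.html", "RemMagWWW.html",
    "rpUPNP.html", "rpSysAdmin.html", "ViewLog.html", "rpFWUpload.html",
    "DiagGeneral.html",
}

# Assumed: the pages a 'user' account is meant to see.
USER_PAGES = {"rpSysStatus.html", "passWarning.html"}

# Match case-insensitively: the firmware's file-name case handling is not
# documented, and treating "wan.html" as WAN.html errs on the side of denial.
ADMIN_ONLY_CF = {s.casefold() for s in ADMIN_ONLY}
USER_PAGES_CF = {s.casefold() for s in USER_PAGES}


def canonical_script(uri: str) -> str:
    """Reduce a request URI to the root-level script name it would serve.

    Query string and fragment are dropped, repeated slashes and dot segments
    are collapsed, and anything not directly under "/" yields "" (denied).
    """
    path = uri.split("?", 1)[0].split("#", 1)[0]
    path = "/" + path.lstrip("/")             # "//WAN.html" -> "/WAN.html"
    path = posixpath.normpath(path)           # "/./x/../a.html" -> "/a.html"
    if path.count("/") != 1:                  # scripts live at the root only
        return ""
    return path[1:]


def vulnerable_authorize(role: str, uri: str) -> bool:
    """Mirrors the flaw: being logged in at all is treated as sufficient,
    because the per-script privilege check was left to scripts that never
    perform it."""
    return role in ("user", "admin")


def authorize(role: str, uri: str) -> bool:
    """Central, default-deny check: a script is served only if the policy
    explicitly grants it to the caller's role."""
    script = canonical_script(uri).casefold()
    if role == "admin":
        return script in ADMIN_ONLY_CF or script in USER_PAGES_CF
    if role == "user":
        return script in USER_PAGES_CF
    return False


if __name__ == "__main__":
    for role, uri in [("user", "/WAN.html"), ("admin", "/WAN.html"),
                      ("user", "//wan.HTML?x=1"), ("user", "/rpSysStatus.html")]:
        print(f"{role:5s} {uri:22s} -> {'allow' if authorize(role, uri) else 'deny'}")
```

The policy is an allow-list per role rather than a deny-list of admin pages, so a script added later without an entry is refused instead of silently exposed.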

2. An unauthorized-access issue occurs because the device has SNMP read/write access enabled for 'public' by default. This allows users to access privileged information or make arbitrary configuration changes to the device without authorization. This could aid in further attacks.

3. An HTML-injection vulnerability occurs because the device fails to sufficiently sanitize user-supplied input before using it in dynamically generated content. Specifically, an attacker can inject HTML or script code into certain web interface modules by modifying device settings through SNMP. The maximum length of the code injected with one parameter is 32 characters. The issue affects the 'system.sysName.0' parameter and the 'rpSysStatus.html' script. Attackers could exploit this issue to execute HTML or script code in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible. Reportedly, other unspecified HTML-injection issues affect the interface.

NOTE: To exploit this issue, the attacker must be able to perform SNMP write operations.
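Issue 3 arises because a value written over SNMP (`sysName`) is later pasted verbatim into the HTML of `rpSysStatus.html`. The added example below, not ZyXEL's code, contrasts that rendering with the two defensive layers a practitioner would want: validation at the SNMP set (length and character set) and unconditional escaping at output, so that a value that slipped past validation still cannot change the page's structure. The host-name character policy and the table-row markup are assumptions; the 32-character limit is the advisory's.

```python
import html
import re

SYSNAME_MAX = 32  # the per-parameter limit the advisory reports

# Assumed host-name policy (RFC 1123 style): letters, digits, dot, hyphen.
_HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*")


def render_status_vulnerable(sys_name: str) -> str:
    """Mirrors the flaw: the SNMP-sourced value is inserted into the page
    unchanged, so any markup it contains becomes part of the document."""
    return f"<tr><td>System Name</td><td>{sys_name}</td></tr>"


def validate_sys_name(value: str) -> str:
    """Input-side control, applied when an SNMP set for sysName arrives:
    reject over-long values and anything outside the host-name alphabet."""
    if len(value) > SYSNAME_MAX:
        raise ValueError("sysName exceeds %d characters" % SYSNAME_MAX)
    if not _HOSTNAME_RE.fullmatch(value):
        raise ValueError("sysName contains characters not allowed in a host name")
    return value


def render_status_safe(sys_name: str) -> str:
    """Output-side control: escape for the HTML text context on every render,
    independent of whatever validation happened on the way in."""
    return f"<tr><td>System Name</td><td>{html.escape(sys_name, quote=True)}</td></tr>"


if __name__ == "__main__":
    # Constructed sample: a harmless tag stands in for injected markup.
    sample = "<b>x</b>"
    print("vulnerable:", render_status_vulnerable(sample))
    print("safe:      ", render_status_safe(sample))
    try:
        validate_sys_name(sample)
    except ValueError as exc:
        print("SNMP set refused:", exc)
```

Escaping on output is the control that must never be skipped; the input check is there to keep the stored value sane for the other places (logs, SNMP walks, the CLI) that display it without going through this renderer.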

4. A session-hijacking vulnerability occurs because the device tracks authentication states by users' IP addresses and fails to require authentication data for further client requests. Attackers can exploit this issue by accessing the device from a computer with the same IP (either legitimately or by spoofing the address) as a user who is authenticated with the device. This can allow attackers to gain unauthorized access to the device.

NOTE: If a timeout period is enabled on the device, an attacker would have a limited window of opportunity to exploit the issue.

5. An information-disclosure vulnerability occurs because the device fails to sufficiently obfuscate password data contained in authentication requests. Attackers can exploit this issue to gain access to passwords and can also connect to the device by using captured authentication-request data verbatim.

6. A second information-disclosure vulnerability occurs because the device returns authentication data to the browser in plain text. Attackers can exploit this issue by sniffing data or by accessing browser cache data to obtain authentication credentials. The following scripts are affected by this issue; others may also be affected:

passWarning.html
rpSysAdmin.html
WAN.html
wzPPPOE.html
RemMagSNMP.html
rpDyDNS.html
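Issues 4, 5 and 6 are three faces of one design problem: the session is identified by the client's IP address, the password travels in a form that is easily recovered and replayed, and the stored password is sent back to the browser. The added example below (written for this page, not ZyXEL's firmware) shows the server-side pieces a fix needs: sessions keyed by an unguessable token with an idle timeout, credentials stored as salted PBKDF2 hashes and compared in constant time, and an administration page that never echoes the stored secret. An IP-keyed store is included only to make the contrast concrete. Transport protection (TLS) against sniffing and replay of the login request is outside what this snippet can show. The user database, the 300-second timeout and the address 192.0.2.10 are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 300.0  # seconds; assumed value
PBKDF2_ROUNDS = 200_000


@dataclass
class Session:
    user: str
    role: str
    last_seen: float


class IpKeyedSessions:
    """Mirrors issue 4: the source address is the session key, so any host
    that presents (or spoofs) that address inherits the authenticated state."""
    def __init__(self):
        self._by_ip = {}

    def login(self, ip: str, user: str) -> None:
        self._by_ip[ip] = user

    def lookup(self, ip: str):
        return self._by_ip.get(ip)


class SessionStore:
    """Sessions keyed by a random token the client must present on every
    request; idle sessions expire so a stale token stops working."""
    def __init__(self, idle_timeout: float = IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self._sessions = {}

    def create(self, user: str, role: str, now: float) -> str:
        token = secrets.token_urlsafe(32)          # 256 bits of entropy
        self._sessions[token] = Session(user, role, now)
        return token

    def lookup(self, token: str, now: float):
        session = self._sessions.get(token)
        if session is None:
            return None
        if now - session.last_seen > self.idle_timeout:
            del self._sessions[token]              # expired: forget it
            return None
        session.last_seen = now                    # sliding idle window
        return session

    def destroy(self, token: str) -> None:
        self._sessions.pop(token, None)


def make_password_record(password: str, role: str) -> dict:
    """Store a salted PBKDF2 hash, never the password itself (issues 5 and 6)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest, "role": role}


def verify_password(record: dict, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])   # constant-time compare


def login(store: SessionStore, users: dict, user: str, password: str, now: float):
    """Return a session token on success, None otherwise."""
    record = users.get(user)
    if record is None or not verify_password(record, password):
        return None
    return store.create(user, record["role"], now)


def admin_settings_page(session: Session) -> dict:
    """Data rendered into the administration page: the password field shows a
    placeholder, so neither the wire nor the browser cache ever holds the
    stored credential."""
    return {"user": session.user, "role": session.role, "password_field": "********"}


# Constructed user database for the example.
USERS = {"admin": make_password_record("example-only", "admin")}


if __name__ == "__main__":
    store = SessionStore()
    token = login(store, USERS, "admin", "example-only", now=0.0)
    print("token issued:", token is not None)
    print("valid at t=100:", store.lookup(token, now=100.0) is not None)
    print("valid at t=500:", store.lookup(token, now=500.0) is not None)
```

The token must be carried in a cookie flagged `HttpOnly` (and `Secure` once the interface is served over TLS); with that in place, the timeout the advisory's note mentions bounds the lifetime of a leaked token rather than merely shortening an address-spoofing window.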

Attackers can exploit these issues to gain elevated privileges, execute HTML or script code in the context of vulnerable sections of the web interface, and perform other attacks that may facilitate a complete compromise of the affected device.

Affected Products:

  • ZyXEL Prestige 660H-61
  • ZyXEL Prestige 660H-61 3.40(PE.9)
  • ZyXEL Prestige 660H-D1 3.40(AGD.2)
  • ZyXEL Prestige 660H-D3 3.40(AHZ.0)
  • ZyXEL Prestige 660HW-D1 3.40(AGL.3)
  • ZyXEL Prestige 660HW-D1 3.40(AGL.4)
  • ZyXEL Prestige 660HW-T1 3.40(ACI.6)
  • ZyXEL Prestige 660R-T1 v2 3.40(AGJ.3)
  • ZyXEL Prestige 661HW-D1 3.40(AHQ.0)
  • ZyXEL Prestige 661HW-D1 3.40(AHQ.3)
  • ZyXEL Prestige 661HW-D1 3.40(ATM.0)
  • ZyXEL Prestige 662HW-D1 3.40(AGZ.4)
  • ZyXEL Prestige 662HW-D1 3.40(ATM.0)
