Vulnerabilities in Zyxel's ZyWall products
The web-based user interface of the ZyWall range of products
contains vulnerabilities that allow unauthorised attackers to obtain data and reconfigure devices. The ZyXEL USG 20, 20W, 50, 100, 200, 300, 1000, 1050 and 2000 appliances are affected.
According to RedTeam Pentesting, attackers can modify a JavaScript variable stored on the client side in a browser to bypass the authentication mechanism and download the configuration file, as well as the password hashes stored in it. However, there appears to be an even simpler way: the file can reportedly be downloaded without any authentication by entering the full URL in a browser.
Attackers can then crack the passwords, or upload a modified configuration file. RedTeam says that this is also possible without authentication using a trick: for instance, an attacker could insert a password hash and then use this password to log in later as an admin. All that's required for an attack to be successful is that the web interface is accessible; curl, wget or a browser are the only tools needed.
RedTeam also managed to decrypt the encrypted firmware using a known-plaintext attack. Zyxel released new firmware to fix the problems on 25 April.
(crve)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
