SecurityTracker.com
Category:   Device (Router/Bridge/Hub)  >   Prestige Router (ZyXEL)
Vendors:   ZyXEL Communications Corp.
(Vendor Issues Fix) Re: Some ZyXEL Prestige Routers Allow Remote Telnet and FTP Access to the Device in the Default Configuration
SecurityTracker Alert ID:  1002196
SecurityTracker URL:  http://securitytracker.com/id/1002196
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 14 2001
Impact:   Root access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): ZyXEL Prestige 642R and 642R-I, V2.50(AJ.4), V2.50(AL.1), V2.50(AL.2)b2
Description:   A configuration vulnerability was reported in some ZyXEL Prestige routers that allows remote users to access the router's Telnet and FTP services in the default configuration.

In the default configuration, the P642R and P642R-I ADSL routers have the administrative Telnet and FTP services exposed on the WAN (Internet) side. In addition, a common default password is used. It is reported that a significant proportion of users do not change the default password. This allows a remote user to access the device and make modifications to the device's configuration and firmware.

Since the release of firmware version AJ.3, WAN side filters for Telnet and FTP are apparently intended to be in place in the default configuration. However, that is not the case.

It is reported that the ZyXEL Prestige 642M is not vulnerable.

The P642R and 642R-I models, when used in "bridge mode" with PPPoE, are reported not to be vulnerable.

Impact:   A remote user can gain administrative access to the router when in the default configuration. Administrative access allows the user to make configuration changes and upload new firmware.
Solution:   The vendor has issued a fix. See the Source Message for information on the new firmware releases.
Vendor URL:  www.zyxel.com/
Cause:   Configuration error
Underlying OS:  

Message History:   This archive entry is a follow-up to the message listed below.
Aug 9 2001 Some ZyXEL Prestige Routers Allow Remote Telnet and FTP Access to the Device in the Default Configuration



 Source Message Contents

Date:  Tue, 14 Aug 2001 18:45:32 +0200
Subject:  Fwd: ZyXEL Prestige 642 Router Administration Interface Vulnerability



It seems that some ZyXEL regional offices have reacted and
reworked the configuration of all P642R firmware releases. Their
fixed firmware is available at ftp://ftp.europe.zyxel.com/ .

Unfortunately, there seems to be a bit of a release management
problem within ZyXEL; the fixed firmware is some releases older
than the latest firmware available from the Swiss ZyXEL
distributor, Studerus AG, at http://www.zyxel.ch/ .

This also confirms that the firmware that was fixed after Sean
Boran reported this issue to ZyXEL Switzerland in June/July was
only available within Switzerland, and not elsewhere.

Here are the details:

        ftp.europe.zyxel.com        www.zyxel.ch
R-11    v2.50(AJ.2)r2 09/01/2000    v2.50(AJ.4)C0 07/03/2001
RI-13   v2.50(AL.0)r2 08/08/2000    v2.50(AL.2)b2 05/22/2001
R-61    v2.50(AN.1)r2 02/02/2001    -

The dates are the release dates of the -firmware- as stated in the
release notes, not the last change of the default config rom.

The following is forwarded with the express permission of
Manfred Recla at ZyXEL Austria <mr@zyxel.at>

Cheers,
Dan

BTW: I keep a list of relevant URLs on this issue up to date at
     http://www.roe.ch/bugtraq/3161/


[this is a forwarded message]
From: ZyXEL.AT, Manfred Recla <mr@zyxel.at>
To: daniel@roe.ch <daniel@roe.ch>
Date: Tuesday, August 14, 2001, 3:10:55 PM
Subject: Fw: ZyXEL Prestige 642 Router Administration Interface Vulnerability

--- begin of original message ---

----- Original Message -----
From: "ZyXEL.AT, Manfred Recla" <mr@zyxel.at>
To: "Jimmy Jensen" <jj@zyxel.dk>; <fchang@zyxel.com.tw>
Cc: <chfan@zyxel.com.tw>; <mtseng@zyxel.com.tw>; "ZASTECH" <zastech@zyxel.dk>; "FAE @ ZyXEL Europe" <fae@europe.zyxel.com>
Sent: Tuesday, August 14, 2001 3:10 PM
Subject: Re: ZyXEL Prestige 642 Router Administration Interface Vulnerability



ooops,
I found one minor bug in my filter "plug-in" settings in menu 11.5,
if the device filter set #4 (PPPoE) is set, then no normal PPPoA
traffic can work. So I removed that #4 from menu 11.5 now again
and uploaded for all three models P641R11, P642R13 and P642R61
the revision "r2" to our FTP server.


best regards,
Manfred Recla (ZyXEL Austria - Technical Support)
**********************************************************
  ZyXEL Communications Services GmbH.
  Thaliastrasse 125a/2/2/4
  A-1160 Vienna, AUSTRIA
  Tel:     +43-1-4948677-0, Fax: +43-1-4948678
  Hotline: 0810-1-ZyXEL (= 0810-1-99935), Regionaltarif
  eMail:   support@zyxel.at
**********************************************************



----- Original Message -----
From: "ZyXEL.AT, Manfred Recla" <mr@zyxel.at>
To: "Jimmy Jensen" <jj@zyxel.dk>; <fchang@zyxel.com.tw>
Cc: <chfan@zyxel.com.tw>; <mtseng@zyxel.com.tw>; "ZASTECH" <zastech@zyxel.dk>; "FAE @ ZyXEL Europe" <fae@europe.zyxel.com>
Sent: Tuesday, August 14, 2001 2:15 PM
Subject: Re: ZyXEL Prestige 642 Router Administration Interface Vulnerability



Dear all,

I reworked the default config files for the routers and uploaded
the files to our FTP server now.

P642R-11 ..... v2.50(AJ.2)r1
P642R-13 ..... v2.50(AL.0)r1
P642R-61 ..... v2.50(AN.1)r1

the added extension "r1" means "revision 1" (or also "recla 1").


I modified and added the filters in menu 21 and inserted them to 3.1
and 11.5 and I slightly modified the autoexec.net as described below.


In menu 21 I defined following filter sets:
-------------------------------------------
#1) NetBIOS_LAN
#2) NetBIOS_WAN
#3) TEL_FTP_WEB_WAN
#4) PPPoE
#5) SNMP_WAN

In menu 3.1) "General Ethernet Setup"
--------------------------------------
   Input Filter Sets:
     protocol filters= 2
     device filters=
   Output Filter Sets:
     protocol filters=
     device filters=


In menu 11.5)  "Remote Node Filter"
------------------------------------
   Input Filter Sets:
     protocol filters= 5, 3
     device filters= 4
   Output Filter Sets:
     protocol filters= 1
     device filters=

sys edit autoexec.net
---------------------
sys errctl 0
sys trcl level 5
sys trcl type 1180
sys trcp cr 64 96
sys trcl sw off      <<<- modified from "on" to "off"
sys trcp sw off      <<<- modified from "on" to "off"
ip tcp mss 512
ip tcp limit 2
ip tcp irtt 65000
ip tcp window 2
ip tcp ceiling 6000
ip rip activate
ip rip merge on
ip icmp discovery enif0 off
sys wd sw off            <<--- added this line
ppp ipcp compress off    <<--- added this line
EOF


best regards,
Manfred Recla (ZyXEL Austria - Technical Support)
**********************************************************
  ZyXEL Communications Services GmbH.
  Thaliastrasse 125a/2/2/4
  A-1160 Vienna, AUSTRIA
  Tel:     +43-1-4948677-0, Fax: +43-1-4948678
  Hotline: 0810-1-ZyXEL (= 0810-1-99935), Regionaltarif
  eMail:   support@zyxel.at
**********************************************************


----- Original Message -----
From: "Jimmy Jensen" <jj@zyxel.dk>
To: <fchang@zyxel.com.tw>
Cc: <chfan@zyxel.com.tw>; <mtseng@zyxel.com.tw>; <mr@zyxel.at>; "ZASTECH" <zastech@zyxel.dk>
Sent: Monday, August 13, 2001 5:20 PM
Subject: ZyXEL Prestige 642 Router Administration Interface Vulnerability


FYI,

The following is taken from http://www.securityfocus.com
It describes a vulnerability because of missing filters in P642R.
I checked the new beta and saw that now these filters are applied by
default. Good!
But what about the many customers who already bought P642R ?
(See the PASSWORDS section) of the report.



ZyXEL Prestige 642R: Exposed Admin Services on WAN with Default Password

[ my original BugTraq posting here... ]

--
   Daniel Roethlisberger <daniel@roe.ch>
   PGP Key ID 0x8DE543ED with fingerprint
   6C10 83D7 2BB8 D908 10AE  7FA3 0779 0355 8DE5 43ED

With kind regards - Med venlig hilsen

Jimmy Jensen - ZyXEL Communication A/S
Columbusvej 5, DK - 2860 Søborg
Phone (+45) 39550700 - Fax (+45) 39550707
Support Phone (+45) 39550785
Did you check http://www.zyxel.dk today?

---  end of original message  ---


-- 
   Daniel Roethlisberger <daniel@roe.ch>
   PGP Key ID 0x8DE543ED with fingerprint
   6C10 83D7 2BB8 D908 10AE  7FA3 0779 0355 8DE5 43ED
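
The filter layout quoted in the forwarded message can be audited mechanically. The following is an added example, not code from the original posting or from ZyXEL: it parses a plain-text summary in the same layout and reports when the TEL_FTP_WEB_WAN set is missing from the remote node's input protocol filters. It assumes menu 11.5 is the WAN-facing node, as the filter set names suggest; the function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample, laid out like the summary in the forwarded message (r1).
SAMPLE = """\
#1) NetBIOS_LAN
#2) NetBIOS_WAN
#3) TEL_FTP_WEB_WAN
#4) PPPoE
#5) SNMP_WAN
In menu 3.1) "General Ethernet Setup"
   Input Filter Sets:
     protocol filters= 2
     device filters=
In menu 11.5)  "Remote Node Filter"
   Input Filter Sets:
     protocol filters= 5, 3
     device filters= 4
   Output Filter Sets:
     protocol filters= 1
     device filters=
"""

def parse(text):
    """Return ({set number: name}, {menu: {(direction, kind): [set numbers]}})."""
    sets, menus, menu, direction = {}, {}, None, None
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"#(\d+)\)\s*(\S+)", s):
            sets[int(m.group(1))] = m.group(2)
        elif m := re.match(r"In menu ([\d.]+)\)", s):
            menu, direction = m.group(1), None
            menus[menu] = {}
        elif m := re.match(r"(Input|Output) Filter Sets:", s):
            direction = m.group(1).lower()
        elif (m := re.match(r"(protocol|device) filters=(.*)", s)) and menu:
            menus[menu][(direction, m.group(1))] = [int(n) for n in re.findall(r"\d+", m.group(2))]
    return sets, menus

def wan_filter_findings(text, required="TEL_FTP_WEB_WAN", wan_menu="11.5"):
    """List problems with the input protocol filters on the WAN remote node."""
    sets, menus = parse(text)
    applied = menus.get(wan_menu, {}).get(("input", "protocol"), [])
    findings = [f"menu {wan_menu} references undefined filter set #{n}"
                for n in applied if n not in sets]
    if required not in (sets.get(n) for n in applied):
        findings.append(f"{required} not applied to menu {wan_menu} input protocol filters")
    return findings

if __name__ == "__main__":
    print(wan_filter_findings(SAMPLE) or "WAN input filters include TEL_FTP_WEB_WAN")
```

The check only confirms that the filter set is referenced from the remote node; the rules inside each set are not shown in the message and are not evaluated here.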

 
 



Copyright 2013, SecurityGlobal.net LLC