Reflected Cross-Site Scripting in Zyxel ZyWALL

Project Description

Multiple Zyxel ZyWALL products with firmware 4.30 are affected by a reflected cross-site scripting vulnerability. Malicious JavaScript code can be executed in the browser of the user and session cookies can be stolen.


Vendor description

Focused on innovation and customer-centricity, Zyxel Communications Corp. has been connecting people to the internet for nearly 30 years. We keep promoting creativity which meets the needs of customers. This spirit has never been changed since we developed the world’s first integrated 3-in-1 data/fax/voice modem in 1992. Our ability to adapt and innovate with networking technology
places us at the forefront of understanding connectivity for telco/service providers, businesses and home users.

We’re building the networks of tomorrow, helping unlock the world’s potential and meeting the needs of the modern workplace; powering people at work, life and play. We stand side-by-side with our customers and partners to share new approaches to networking that will unleash their abilities. Loyal friend, powerful ally, reliable resource — we are Zyxel, Your Networking Ally.”

Source: https://www.zyxel.com/about_zyxel/company_overview.shtml

Business recommendation

SEC Consult recommends Zyxel customers to upgrade the firmware to the latest version available. A thorough security review should be performed by security professionals to identify further potential security issues.

1. Reflected Cross-Site Scripting (XSS)

A reflected cross-site scripting vulnerability was identified in ‘free_time_failed.cgi’ in the admin interface. The parameter ‘err_msg’ is returned without any sanitization of the input. An attacker, for example, can exploit this vulnerability to steal cookies from the attacked user in order to hijack a session and gain access to the device.

Proof of concept

1. Reflected Cross-Site Scripting (XSS)

By opening to the following link, contents of the ‘arip’ and ‘zy_pc_browser’ cookies will be displayed.

http://<IP-Address>/free_time_failed.cgi?err_msg=<script>alert(document.cookie);</script>
https://<IP-Address>/free_time_failed.cgi?err_msg=<script>alert(document.cookie);</script>

 

Vulnerable / tested versions

The following versions are affected:

  • Zyxel ZyWall USG 110               ZLD 4.30 and earlier
  • Zyxel ZyWall USG 210               ZLD 4.30 and earlier
  • Zyxel ZyWall USG 310               ZLD 4.30 and earlier
  • Zyxel ZyWall USG 1100             ZLD 4.30 and earlier
  • Zyxel ZyWall USG 1900             ZLD 4.30 and earlier
  • Zyxel ZyWall USG 2200-VPN   ZLD 4.30 and earlier

Vendor contact timeline

2018-02-07: Contacting vendor through security@zyxel.com.tw
2018-02-08: Vendor responded with contact information and a PGP key. Sent the encrypted advisory to the contact.
2018-02-09: Contact confirmed that the advisory was received.
2018-02-16: Contact confirmed the vulnerability and stated that the ZyWALL series is vulnerable to the reported vulnerability. The contact also stated that the vulnerability will be fixed until the end of March. Requested more information regarding version numbers and other affected devices.
2018-02-23 Contact confirmed that the devices are vulnerable in firmware version 4.30 and before.
2018-03-21: Contact informed us that the new firmware version will be ZLD 4.31 and that it will be released on 2018-04-17. Shifted release of advisory to 2018-04-17.
2018-04-12: Informed the contact that the advisory will be released in few days.
2018-04-17: Asked the vendor if ZLD 4.31 was released. Didn’t find the new version on the customer portal. E-mail was blocked and returned.
2018-04-18: Found the new version (ZLD 4.31) on the customer portal.
2018-04-24: Advisory release.

Solution

Install firmware version ZLD 4.31 from the vendor’s website to fix this issue:

https://www.zyxel.com/support/download_landing.shtml

Workaround

Restrict network access to the device.

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

 

 

EOF T.  Weber/ @2018

Project Details

  • TitleReflected Cross-Site Scripting
  • ProductZyxel ZyWALL
  • Vulnerable versionZLD 4.30 and before
  • Fixed versionZLD 4.31
  • CVE number-
  • ImpactMedium
  • Homepagehttps://www.zyxel.com
  • Found2018-02-05
  • ByT. Weber (Office Vienna) | SEC Consult Vulnerability Lab

Cookie Preference

Please select an option. You can find more information about the consequences of your choice at Help.

Select an option to continue

Your selection was saved!

Help

Help

To continue, you must make a cookie selection. Below is an explanation of the different options and their meaning.

  • Accept all cookies:
    All cookies such as tracking and analytics cookies.
  • Accept first-party cookies only:
    Only cookies from this website.
  • Reject all tracking cookies:
    No cookies except for those necessary for technical reasons are set.

You can change your cookie setting here anytime: Privacy Statement. Legal Notice

Back