Several models of ZyXEL routers are vulnerable to multiple issues, including weak default passwords, command injections due to improper input validation, and cross-site scripting.
CWE-255: Credentials Management - CVE-2015-6016
According to the reporter, the following models contain the weak default password of "1234" for the admin account:
Many more models have been reported to share this same password.
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) - CVE-2015-6017
According to the reporter, a reflected cross-site scripting vulnerability exists in the LoginPassword and hiddenPassword parameters of the /Forms/rpAuth_1 page on the ZyXEL P-660HW-T1 v2 with ZyNOS firmware version V3.40(AXH.0) (dated 3/30/2007).
CWE-20: Improper Input Validation - CVE-2015-6018
According to the reporter, the diagnostic ping function's PingIPAddr parameter in the ZyXEL PMG5318-B20A, firmware version V100AANC0b5, does not properly validate user input. An attacker may be able to execute arbitrary commands as root.
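One way a router's diagnostic-ping handler can close the input-validation gap described above: accept only an IP literal and invoke ping as an argv list, never through a shell. This is an added example, not ZyXEL firmware code or the reporter's material; the function names and the `ping -c` invocation are assumptions.

```python
import ipaddress
import subprocess

# Hypothetical hardened handler for a diagnostic-ping form field such as the
# PingIPAddr parameter in the advisory. Names and flags here are assumptions.

MAX_TARGET_LEN = 45  # longest textual IPv6 address is 45 characters


def validate_ping_target(raw: str) -> str:
    """Return a canonical IP literal or raise ValueError.

    Parsing with the ipaddress module is an allow-list: anything that is not a
    bare IPv4/IPv6 address (shell separators, substitutions, hostnames that
    might embed them) is rejected before it can reach any command.
    """
    if raw is None or len(raw) > MAX_TARGET_LEN:
        raise ValueError("ping target missing or too long")
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError as exc:
        raise ValueError(f"ping target is not an IP address: {raw!r}") from exc
    return str(addr)


def is_safe_ping_target(raw: str) -> bool:
    """Convenience predicate around validate_ping_target."""
    try:
        validate_ping_target(raw)
        return True
    except ValueError:
        return False


def build_ping_argv(target: str, count: int = 4) -> list:
    """Build the ping command as an argv list (no shell, so no metacharacters)."""
    if not 1 <= count <= 10:
        raise ValueError("count out of range")
    return ["ping", "-c", str(count), validate_ping_target(target)]


def run_ping(target: str, count: int = 4, timeout: int = 30) -> str:
    """Execute the validated ping and return its output as text.

    shell=False (the default) means the argv elements are passed directly to
    execve; a second, independent layer of defence beyond validation.
    """
    proc = subprocess.run(build_ping_argv(target, count), capture_output=True,
                          text=True, timeout=timeout)
    return proc.stdout
```

Running the handler as an unprivileged user rather than root, as the advisory's "arbitrary commands as root" impact implies the device does, would further limit what any remaining flaw could reach.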
CWE-613: Insufficient Session Expiration - CVE-2015-6019
According to the reporter, the ZyXEL PMG5318-B20A, firmware version V100AANC0b5, does not properly expire the session when a user logs out of the management portal. The reporter has confirmed that the session remains active for at least 1 hour after logoff. An attacker may be able to use the session information to gain access to the device even after the user has logged off.
CWE-285: Improper Authorization - CVE-2015-6020
According to the reporter, the regular user account on the ZyXEL PMG5318-B20A, firmware version V100AANC0b5, has full administrative access rather than restricted access.
A remote unauthenticated attacker may be able to modify system configuration.
Apply updates and other changes
Thanks to Joel Land for reporting the vulnerability in the NBG-418N. Thanks to Karn Ganeshen for reporting the remaining vulnerabilities to us.
This document was written by Garret Wassermann.