ZyXEL Information for VU#870744
ZyXEL NBG-418N, PMG5318-B20A and P-660HW-T1 routers contain multiple vulnerabilities
ZyXEL has also provided the following responses:
"ZyXEL suggests users of all products change the default password upon initial log-in. This is critical to protecting your network by keeping any unauthorized users from gaining access via the default password. ZyXEL has included reminders for this practice on a majority of products. Changing the default password upon initial log-in is mandatory for the ZyXEL USG/ZyWALL, UAG, and LTE Series."
"Model P660HW-T1 v2 (ZyNOS v3.40) was designated "end-of-life" on May 14, 2010. ZyXEL assigns a product an "end-of-life" status when there is a clear indication that the market has transitioned to its replacement. This replacement generally offers advanced technology and/or better economics.
ZyXEL recommends users replace P660HW-T1 v2 with newer generations of DSL CPEs that better suit the network environment today. Or alternatively, as a good general security practice, ZyXEL suggests that users avoid visiting untrusted sites or clicking on unsolicited links. It is also recommended that users keep their browser, computer operating system, and security software current with the latest patches and updates."
"This issue was patched via a firmware update in December 2014 (version v1.00(AANC.2)C0), which included feature enhancements, as well as bug and security fixes. ZyXEL recommends that users go to the support site to obtain the latest update."
For CVE-2015-6019 and CVE-2015-6020:
"ZyXEL has identified the root causes and will release a patch for PMG5318-20A in October 2015 to solve the session expiration and authorization issues."
We are not aware of further vendor information regarding this vulnerability.
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.