Zyxel security advisory for GS1900 switch vulnerabilities

Zyxel小編 Lucious
edited January 2021 in Security Advisories

CVE: CVE-2019-15799; CVE-2019-15800; CVE-2019-15801; CVE-2019-15802; CVE-2019-15803; CVE-2019-15804

Summary

Zyxel has released firmware updates for recently discovered vulnerabilities in the GS1900 switches and urges users to install them immediately for optimal protection.

What is the vulnerability?

Zyxel GS1900 series switches running firmware version 2.40 and earlier have the following vulnerabilities:

- CVE-2019-15799: Incorrect access control for the full administrative level access via SSH for unprivileged users.
- CVE-2019-15800: Improper input validation related to the functions of libclicmd.so library.
- CVE-2019-15801: Contains fixed encrypted passwords for accessing debug and diagnostic functions.
- CVE-2019-15802: Use of hard-coded Cryptographic Key for password encryption.
- CVE-2019-15803: Hidden Functionality for the diagnostics shell via CTRL-ALT-t.
- CVE-2019-15804: Hidden Functionality for the password recovery menu via SIGQUIT.
- Allows an SSH session to be established without authentication, which by extension allows tunnelling and use of the affected device as a proxy.

However, an attacker cannot exploit the vulnerabilities CVE-2019-15799 through CVE-2019-15804 unless he/she possesses a user’s privileged account and access via SSH.

What should you do?

A thorough investigation has confirmed that GS1900 series switches are Zyxel’s only affected models. The latest firmware versions addressing the vulnerabilities are listed in the table below, and we urge users to install them immediately.

Device | Latest firmware version
GS1900-8 | 2.50(AAHH.0)C0
GS1900-8HP | 2.50(AAHI.0)C0
GS1900-10HP | 2.50(AAZI.0)C0
GS1900-16 | 2.50(AAHJ.0)C0
GS1900-24E | 2.50(AAHK.0)C0
GS1900-24 | 2.50(AAHL.0)C0
GS1900-24HP | 2.50(AAHM.0)C0
GS1900-48 | 2.50(AAHN.0)C0
GS1900-48HP | 2.50(AAHO.0)C0
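To check a switch inventory against the table above, the following added example (not Zyxel code) classifies each device by model and installed firmware string. It assumes the version layout inferred from the table, major.minor(CODE.patch)Crev with an optional leading "V"; the hostnames and installed versions in the sample are constructed.

```python
import re

# Fixed firmware per model, copied from the advisory's table.
FIXED = {
    "GS1900-8": "2.50(AAHH.0)C0", "GS1900-8HP": "2.50(AAHI.0)C0",
    "GS1900-10HP": "2.50(AAZI.0)C0", "GS1900-16": "2.50(AAHJ.0)C0",
    "GS1900-24E": "2.50(AAHK.0)C0", "GS1900-24": "2.50(AAHL.0)C0",
    "GS1900-24HP": "2.50(AAHM.0)C0", "GS1900-48": "2.50(AAHN.0)C0",
    "GS1900-48HP": "2.50(AAHO.0)C0",
}
LAST_AFFECTED = (2, 40)  # advisory: "firmware version 2.40 and earlier"

# Assumed layout, inferred from the table: major.minor(CODE.patch)Crev
VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)\(([A-Z]{4})\.(\d+)\)C(\d+)$")

def parse(version):
    """Return ((major, minor, patch, crev), model_code), or None if unparseable."""
    m = VERSION_RE.match(version.strip().upper())
    if not m:
        return None
    major, minor, code, patch, crev = m.groups()
    return (int(major), int(minor), int(patch), int(crev)), code

def classify(model, version):
    """Return 'affected', 'fixed', 'unverified' or 'not-listed' for one device."""
    fixed = FIXED.get(model.strip().upper())
    if fixed is None:
        return "not-listed"          # model is not in the advisory's table
    got = parse(version)
    if got is None:
        return "unverified"          # unreadable version string: check by hand
    (fixed_num, fixed_code), (num, code) = parse(fixed), got
    if code != fixed_code:
        return "unverified"          # firmware code belongs to another model
    if num[:2] <= LAST_AFFECTED:
        return "affected"
    # Releases between 2.40 and the listed fix are not covered by the advisory.
    return "fixed" if num >= fixed_num else "unverified"

def audit(inventory):
    """Map host -> classification for (host, model, version) rows."""
    return {host: classify(model, ver) for host, model, ver in inventory}

# Constructed sample inventory; hostnames and installed versions are made up.
SAMPLE = [
    ("sw-lab-1", "GS1900-8", "V2.40(AAHH.2)C0"),
    ("sw-lab-2", "GS1900-24E", "2.50(AAHK.0)C0"),
    ("sw-lab-3", "GS1900-8HP", "2.50(AAHH.0)C0"),
]
```

Entries reported as "unverified" (a firmware code that does not match the model, an unreadable string, or a release between 2.40 and the listed fix) need a manual check rather than being counted as patched.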

Got a question or a tipoff?

Please contact your local service rep for further information or assistance. If you’ve found a vulnerability, we want to work with you to fix it—contact security@zyxel.com.tw and we’ll get right back to you.

Acknowledgment

Thanks to the following researchers for reporting the issues to us:

- Jasper Lievisse Adriaanse
  https://jasper.la/exploring-zyxel-gs1900-firmware-with-ghidra.html
  https://vimeo.com/354726424
- Rob J. Epping

Revision history

2019-11-14: Initial release