Zyxel ZyWALL ZLD 4.30 Cross Site Scripting

Zyxel ZyWALL ZLD versions 4.30 and below suffer from a cross site scripting vulnerability.


MD5 | 4ff1882ff71af9364621432c7b64502c

SEC Consult Vulnerability Lab Security Advisory < 20180424-0 >
=======================================================================
title: Reflected Cross-Site Scripting
product: Zyxel ZyWALL: see "Vulnerable / tested version"
vulnerable version: ZLD 4.30 and before
fixed version: ZLD 4.31
CVE number: -
impact: Medium
homepage: https://www.zyxel.com
found: 2018-02-05
by: T. Weber (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Focused on innovation and customer-centricity, Zyxel Communications Corp. has
been connecting people to the internet for nearly 30 years. We keep promoting
creativity which meets the needs of customers. This spirit has never been
changed since we developed the world's first integrated 3-in-1 data/fax/voice
modem in 1992. Our ability to adapt and innovate with networking technology
places us at the forefront of understanding connectivity for telco/service
providers, businesses and home users.

We're building the networks of tomorrow, helping unlock the world's potential
and meeting the needs of the modern workplace; powering people at work, life
and play. We stand side-by-side with our customers and partners to share new
approaches to networking that will unleash their abilities. Loyal friend,
powerful ally, reliable resource a we are Zyxel, Your Networking Ally."

Source: https://www.zyxel.com/about_zyxel/company_overview.shtml


Business recommendation:
------------------------
SEC Consult recommends Zyxel customers to upgrade the firmware to the latest
version available. A thorough security review should be performed by security
professionals to identify further potential security issues.


Vulnerability overview/description:
-----------------------------------
1) Reflected Cross-Site Scripting (XSS)
A reflected cross-site scripting vulnerability was identified in
'free_time_failed.cgi' in the admin interface. The parameter 'err_msg' is
returned without any sanitization of the input. An attacker, for example,
can exploit this vulnerability to steal cookies from the attacked user in
order to hijack a session and gain access to the device.


Proof of concept:
-----------------
1) Reflected Cross-Site Scripting (XSS)
By opening the following link, contents of the 'arip' and 'zy_pc_browser'
cookies will be displayed.

http://<IP-Address>/free_time_failed.cgi?err_msg=<script>alert(document.cookie);</script>
https://<IP-Address>/free_time_failed.cgi?err_msg=<script>alert(document.cookie);</script>


Vulnerable / tested versions:
-----------------------------
The following versions are affected:
Zyxel ZyWall USG 110 ZLD 4.30 and earlier
Zyxel ZyWall USG 210 ZLD 4.30 and earlier
Zyxel ZyWall USG 310 ZLD 4.30 and earlier
Zyxel ZyWall USG 1100 ZLD 4.30 and earlier
Zyxel ZyWall USG 1900 ZLD 4.30 and earlier
Zyxel ZyWall USG 2200-VPN ZLD 4.30 and earlier


Vendor contact timeline:
------------------------
2018-02-07: Contacting vendor through [email protected]
2018-02-08: Vendor responded with contact information and a PGP key.
Sent the encrypted advisory to the contact.
2018-02-09: Contact confirmed that the advisory was received.
2018-02-16: Contact confirmed the vulnerability and stated that the ZyWALL series
is vulnerable to the reported vulnerability. The contact also stated
that the vulnerability will be fixed until the end of March.
Requested more information regarding version numbers and other
affected devices.
2018-02-23: Contact confirmed that the devices are vulnerable in firmware version
4.30 and before.
2018-03-21: Contact informed us that the new firmware version will be ZLD 4.31
and that it will be released on 2018-04-17. Shifted release of
advisory to 2018-04-17.
2018-04-12: Informed the contact that the advisory will be released in few days.
2018-04-17: Asked the vendor if ZLD 4.31 was released. Didn't find the new version
on the customer portal. E-mail was blocked and returned.
2018-04-18: Found the new version (ZLD 4.31) on the customer portal.
2018-04-24: Advisory release.


Solution:
---------
Install firmware version ZLD 4.31 from the vendor's website to fix this issue:

https://www.zyxel.com/support/download_landing.shtml


Workaround:
-----------
Restrict network access to the device.


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF T. Weber / @2018


Related Posts