what you don't know can hurt you

Zyxel NWA/NAP/WAC Hardcoded Credentials

Zyxel NWA/NAP/WAC Hardcoded Credentials
Posted Aug 30, 2019
Authored by T. Weber | Site sec-consult.com

An FTP service runs on the Zyxel wireless access point that contains the configuration file for the WiFi network. This FTP server can be accessed with hard-coded credentials that are embedded in the firmware of the AP. When the WiFi network is bound to another VLAN, an attacker can cross the network by fetching the credentials from the FTP server.

tags | exploit
MD5 | 732ba97c2b92f9c52f82438a5b2e62cb

Zyxel NWA/NAP/WAC Hardcoded Credentials

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20190829-0 >
=======================================================================
title: Hardcoded FTP Credentials
product: Zyxel NWA/NAP/WAC wireless access point series
vulnerable version: see "Vulnerable / tested version"
fixed version: see "Solution"
CVE number: -
impact: medium
homepage: https://www.zyxel.com
found: 2019-06-19
by: Thomas Weber (Office Vienna)
IoT Inspector
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Focused on innovation and customer-centricity, Zyxel Communications Corp. has
been connecting people to the internet for nearly 30 years. We keep promoting
creativity which meets the needs of customers. This spirit has never been
changed since we developed the world's first integrated 3-in-1 data/fax/voice
modem in 1992. Our ability to adapt and innovate with networking technology
places us at the forefront of understanding connectivity for telco/service
providers, businesses and home users.

We're building the networks of tomorrow, helping unlock the world's potential
and meeting the needs of the modern workplace; powering people at work, life
and play. We stand side-by-side with our customers and partners to share new
approaches to networking that will unleash their abilities. Loyal friend,
powerful ally, reliable resource — we are Zyxel, Your Networking Ally."

Source: https://www.zyxel.com/about_zyxel/company_overview.shtml



Business recommendation:
------------------------
SEC Consult recommends Zyxel customers to upgrade the firmware to the latest
version available. A thorough security review should be performed by security
professionals to identify further potential security issues.


Vulnerability overview/description:
-----------------------------------
1) Hardcoded FTP Credentials
An FTP service runs on the Zyxel wireless access point that contains the
configuration file for the WiFi network. This FTP server can be accessed with
hardcoded credentials that are embedded in the firmware of the AP.
When the WiFi network is bound to another VLAN, an attacker can cross the
network by fetching the credentials from the FTP server.

The credentials were found by doing an automated scan with IoT Inspector.


Proof of concept:
-----------------
1) Hardcoded FTP Credentials
The username "devicehaecived" and the password "1234" can be used to access the
FTP server of the AP on port 21.

The content of the FTP server looks like the following listing:
-------------------------------------------------------------------------------
$ ls
cert conf debug idp packet_trace script tmp wtp_image
-------------------------------------------------------------------------------
The directory "conf" contains all configuration files which store the WiFi
SSIDs and passphrases.


Vulnerable / tested versions:
-----------------------------
The following versions have been manually tested and were automatically
verified with IoT Inspector:
Zyxel NWA5121-NI 5.50 patch 0 and earlier
Zyxel NWA5121-N 5.50 patch 0 and earlier

The vendor provided the following list of affected devices:
Zyxel WAC6103D-I 5.50 patch 0 and earlier
Zyxel WAC6303D-S 5.50 patch 0 and earlier
Zyxel WAC6502D-E 5.50 patch 0 and earlier
Zyxel WAC6502D-S 5.50 patch 0 and earlier
Zyxel WAC6503D-S 5.50 patch 0 and earlier
Zyxel WAC6553D-E 5.50 patch 0 and earlier
Zyxel WAC6552D-S 5.50 patch 0 and earlier
Zyxel WAC5302D-S 5.50 patch 0 and earlier
Zyxel NWA5123-AC 5.50 patch 0 and earlier
Zyxel NWA5123-AC HD 5.50 patch 0 and earlier
Zyxel NWA5123-NI 5.50 patch 0 and earlier
Zyxel NWA5301-NJ 5.50 patch 0 and earlier
Zyxel NWA1302-AC 5.50 patch 0 and earlier
Zyxel NWA1123-ACv2 5.50 patch 0 and earlier
Zyxel NWA1123-AC HD 5.50 patch 0 and earlier
Zyxel NWA1123-AC PRO 5.50 patch 0 and earlier
Zyxel NAP102 5.50 patch 0 and earlier
Zyxel NAP203 5.50 patch 0 and earlier
Zyxel NAP303 5.50 patch 0 and earlier
Zyxel NAP353 5.50 patch 0 and earlier


Vendor contact timeline:
------------------------
2019-06-26: Contacting vendor through security@zyxel.com.tw.
2019-06-27: Vendor changed PGP key. Sent advisory with new key. Vendor
confirmed receipt.
2019-07-03: Asked for an update; Vendor told that they just finished their
investigation.
2019-07-09: Vendor provided a full list of devices that are prone to this
vulnerability.
2019-07-23: Asked for a timeline; Vendor asked to shift the release of the
advisory to 2019-08-29 in order to provide fixes; Shifted advisory
release to this date.
2019-08-26: Asked for a status update; Vendor told that fixes are ready to be
published at 2019-08-29.
2019-08-29: Coordinated advisory release.


Solution:
---------
Install the newest firmware for your device from the vendor's website
to fix this issue:

https://www.zyxel.com/support/download_landing.shtml

Additionally, the vendor provides the following security notice:
https://www.zyxel.com/support/hardcoded-FTP-credential-vulnerability-of-access-points.shtml


Workaround:
-----------
Restrict network access to the web interface.


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF T. Weber / @2019

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    24 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    7 Files
  • 4
    Oct 4th
    4 Files
  • 5
    Oct 5th
    10 Files
  • 6
    Oct 6th
    1 Files
  • 7
    Oct 7th
    21 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    5 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    17 Files
  • 12
    Oct 12th
    4 Files
  • 13
    Oct 13th
    4 Files
  • 14
    Oct 14th
    15 Files
  • 15
    Oct 15th
    19 Files
  • 16
    Oct 16th
    25 Files
  • 17
    Oct 17th
    17 Files
  • 18
    Oct 18th
    3 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close