---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. Download and test it today: https://psi.secunia.com/ Read more about this new version: https://psi.secunia.com/?page=changelog ---------------------------------------------------------------------- TITLE: ZyXEL Products Multiple Vulnerabilities SECUNIA ADVISORY ID: SA29036 VERIFY ADVISORY: http://secunia.com/advisories/29036/ CRITICAL: Less critical IMPACT: Hijacking, Security Bypass, Privilege escalation WHERE: >From local network OPERATING SYSTEM: ZyXEL Prestige 66x Series http://secunia.com/product/11155/ ZyXEL ZyNOS 3.x http://secunia.com/product/149/ DESCRIPTION: Adrian Pastor has reported some vulnerabilities in ZyXEL products, which can be exploited by malicious users to gain escalated privileges and by malicious people to bypass certain security restrictions or to hijack user sessions. 1) An error in the authentication handling within the web interface can be exploited to perform certain actions with administrative privileges by accessing certain URLs directly. Successful exploitation requires "user" access to the interface. The vulnerability is reported in the following products and versions. Other versions may also be affected: P-660H-D1 / ZyNOS firmware version: V3.40(AGD.2) P-660H-D3 / ZyNOS firmware version: V3.40(AHZ.0) P-660HW-D1 / ZyNOS firmware version: V3.40(AGL.3) P-661HW-D1 / ZyNOS firmware version: V3.40(ATM.0) P-661HW-D1 / ZyNOS firmware version: V3.40(AHQ.0) P-661HW-D1 / ZyNOS firmware version: V3.40(AHQ.3) 2) The session handling within the web interface relies only on the IP address of the client. This can be exploited to hijack an administrative user's session. The vulnerability is reported in the following products and versions. Other versions may also be affected: P-660H-61 / ZyNOS firmware version: V3.40(PE.9) P-660H-D1 / ZyNOS firmware version: V3.40(AGD.2) P-660H-D3 / ZyNOS firmware version: V3.40(AHZ.0) P-660HW-D1 / ZyNOS firmware version: V3.40(AGL.3) P-660HW-D1 / ZyNOS firmware version V3.40(AGL.4) P-660HW-T1 / ZyNOS firmware version: V3.40(ACI.6) P-660R-T1 / ZyNOS firmware version: v2 V3.40(AGJ.3) P-661HW-D1 / ZyNOS firmware version: V3.40(AHQ.0) P-661HW-D1 / ZyNOS firmware version: V3.40(ATM.0) P-661HW-D1 / ZyNOS firmware version: V3.40(AHQ.3) P-662HW-D1 / ZyNOS firmware version: V3.40(AGZ.3) P-662HW-D1 / ZyNOS firmware version: V3.40(AGZ.4) 3) An error in the authentication handling can be exploited to gain access to the administration interface via replay attacks. The vulnerability is reported in the following products and versions. Other versions may also be affected: P-660H-61 / ZyNOS firmware version: V3.40(PE.9) P-660H-D1 / ZyNOS firmware version: V3.40(AGD.2) P-660H-D3 / ZyNOS firmware version: V3.40(AHZ.0) P-660HW-D1 / ZyNOS firmware version: V3.40(AGL.3) P-660HW-D1 / ZyNOS firmware version V3.40(AGL.4) P-660HW-T1 / ZyNOS firmware version: V3.40(ACI.6) P-660R-T1 v2 / ZyNOS firmware version: V3.40(AGJ.3) P-660R-T1 / ZyNOS firmware version: v2 V3.40(AGJ.3) P-661HW-D1 / ZyNOS firmware version: V3.40(AHQ.0) P-661HW-D1 / ZyNOS firmware version: V3.40(ATM.0) P-661HW-D1 / ZyNOS firmware version: V3.40(AHQ.3) P-662HW-D1 / ZyNOS firmware version: V3.40(AGZ.3) P-662HW-D1 / ZyNOS firmware version: V3.40(AGZ.4) SOLUTION: Grant only trusted users access to the "user" account. Use the device only in a trusted network environment. PROVIDED AND/OR DISCOVERED BY: Adrian Pastor, ProCheckUp ORIGINAL ADVISORY: http://www.procheckup.com/Hacking_ZyXEL_Gateways.pdf ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------