Security Experts:

Multiple Vulnerabilities Impact ZyXEL Customized Routers

Various ZyXEL customized routers are plagued by several vulnerabilities and by default login credentials, SecuriTeam security researchers warn.

The flaws were found in the equipment distributed by TrueOnline, a major Internet Service Provider in Thailand. The company provides its customers with customized versions of routers, free of charge, all of which feature default accounts and passwords that put their users at risk.

Manufactured by ZyXEL, the routers run a special version of Linux called “tclinux,” with three models being particularly widespread, namely ZyXEL P660HN-T v1, ZyXEL P660HN-T v2, and Billion 5200W-T. While P660HN-T v1 was distributed up until 2013, the 5200W-T models is currently being distributed to new clients, Securi reveals.

The discovered vulnerabilities, which have been reported by an independent security researcher, include an unauthenticated remote command execution vulnerability in P660HN-T v1; unauthenticated remote command execution and authenticated remote command execution flaws in Billion 5200W-T; and an unauthenticated remote command execution vulnerability in P660HN-T v2.

In addition to these issues, all three models come with default accounts and passwords that can be leveraged by an attacker to gain access to the vulnerable device.

“These are customized versions of existing ZyXEL and Billion routers. They are MIPS systems and they all run BOA web server. The routers are vulnerable via command injections in its web interface, which can be exploited by an unauthenticated as well as an authenticated attacker,” Securi warns in an advisory.

The P660HN-T v1 is affected by a command injection vulnerability in Maintenance > Logs > System Log > Remote System Log, in the remote_host parameter on the ViewLog.asp page, which is accessible unauthenticated. The router also contains the following default credentials: username: admin, password: password; and username: true, password: true.

The Billion 5200W-T router is affected by an unauthenticated command injection in the adv_remotelog.asp file. The flaw was found in the syslogServerAddr parameter that can be exploited by entering a valid IP address, followed by “;<COMMAND>;”.

The router is also plagued by authenticated command injections in the interface tools_time.asp with the uiViewSNTPServer parameter. Additionally, the device includes the following default accounts: username: admin, password: password; username: true, password: true; username: user3, password:

123456789012345678901234567890123456789012...

34567890123456789012345678901234567890123456789...

012345678901234567890123456789012345678.

The P660HN-T v2 router, researchers say, is plagued by a remote command vulnerability composed from an authenticated command injection and a hardcoded supervisor password. The command injection vulnerability affects the logSet.asp file, while the hardcoded supervisor credentials are username: supervisor; password: zyad1234.

The security researchers note that the command that can be injected has a length limitation of 28 characters and that other default accounts are also present on the device. These include username: admin; password: password, and username: true; password: true.

Securi notes that ZyXEL was informed about these vulnerabilities in July 2016. Although the researchers attempted numerous times to re-establish contact and receive information on the status of the patches for these vulnerabilities, the company didn’t respond as of now, the researchers also say. No workaround for these flaws exists yet.

Last week, NETGEAR WNR2000 routers were found vulnerable to 0-day flaws that could result in an attacker taking full control of the impacted devices. After the vulnerability went public, NETGEAR contacted SecurityWeek to confirm that it was already working on a firmware update to address the issue.

Related: Mirai-Based Worm Targets Devices via New Attack Vector

Related: Reuse of Cryptographic Keys Exposes Millions of IoT Devices: Study

view counter