(Information About a Fixed Version) Re: Some ZyXEL Prestige Routers Allow Remote Telnet and FTP Access to the Device in the Default Configuration
SecurityTracker Alert ID: 1002186|
SecurityTracker URL: http://securitytracker.com/id/1002186
(Links to External Site)
Date: Aug 13 2001
Root access via network|
Fix Available: Yes |
Version(s): ZyXEL Prestige 642R and 642R-I, V2.50(AJ.4), V2.50(AL.1), V2.50(AL.2)b2|
A configuration vulnerability was reported in some ZyXEL Prestige routers that allows remote users to access the router's Telnet and FTP services in the default configuration.|
In the default configuration, the P642R and P642R-I ADSL routers have the administrative Telnet and FTP services exposed on the WAN (Internet) side. In addition, a common default password is used. It is reported that a significant proportion of users do not change the default password. This allows a remote user to access the device and make modifications to the device's configuration and firmware.
Since the release of firmware version AJ.3, WAN side filters for Telnet and FTP are apparently intended to be in place in the default configuration. However, that is not the case.
It is reported that the ZyXEL Prestige 642M is not vulnerable.
The P642R and 642R-I models when used in "bridge mode" with PPPoE are reported to be not vulnerable.
A remote user can gain administrative access to the router when in the default configuration. Administrative access allows the user to make configuration changes and upload new firmware.|
The author of the original report notes that the vendor has added and applied a working filter rule and changed the default filtering configuration. The default password did not change. As of firmware 2.50(AJ.4) for the 642R, released in July, there is reportedly a filter rule active in the default configuration that blocks incoming ports 21/tcp, 23/tcp, 80/tcp, and 69/udp on the WAN side.|
Vendor URL: www.zyxel.com/ (Links to External Site)
This archive entry is a follow-up to the message listed below.|
Source Message Contents
Date: Sat, 11 Aug 2001 21:23:13 +0200|
Subject: Re: ZyXEL Prestige 642R: Exposed Admin Services on WAN with Default Password
A hopefully last update on the P642R(-I) story from my side:
It seems that ZyXEL was notified of the open services on the WAN
side in June, by Sean Boran <firstname.lastname@example.org>. They seemed to have
added and applied a working filter rule after a lengthy
discussion, without public notification of the issue. They did not
make "not listening" a firmware option; they just changed the
default filtering configuration. They did not change the default
password either (not that I'd have seriously expected them to).
As of firmware 2.50(AJ.4) for the 642R, released in July, there
seems to be a filter rule active in default configuration, which
blocks incoming ports 21/tcp, 23/tcp, 80/tcp (why http?!) and
69/udp on the WAN side.
There seems to be no stable fixed firmware release for the 642R-I
yet, but the latest beta might be fixed. Unfortunately it comes
without release notes for some reason, which would have told what
its default settings are.
The firmware releases I stated in my original posting were -not-
accurate. With my current knowledge, I would say that no firmware
older than July is fixed; but latest (beta) firmware releases
should have the filters, if the configuration rom-file is applied
too when updating the firmware (which will trash the current
configuration). However, it seems that latest available firmware
releases differ considerably between countries and ZyXEL
distributors, and I can not be certain that the default
configurations are the same worldwide, as some distributors seem
to customly configure the Prestiges for ISP's who resell them.
I hope ZyXEL can deliver a more accurate statement as to which
firmware releases have the working filter in place.
Daniel Roethlisberger <email@example.com>
PGP Key ID 0x8DE543ED with fingerprint
6C10 83D7 2BB8 D908 10AE 7FA3 0779 0355 8DE5 43ED