(Info on Additional Vulnerable Models) Re: Some ZyXEL Prestige Routers Allow Remote Telnet and FTP Access to the Device in the Default Configuration
SecurityTracker Alert ID: 1002208|
SecurityTracker URL: http://securitytracker.com/id/1002208
(Links to External Site)
Date: Aug 17 2001
Root access via network|
Version(s): ZyXEL Prestige 642R and 642R-I, V2.50(AJ.4), V2.50(AL.1), V2.50(AL.2)b2; also ZyXEL Prestige 100, 202|
A configuration vulnerability was reported in some ZyXEL Prestige routers that allows remote users to access the router's Telnet and FTP services in the default configuration.|
In the default configuration, the P642R and P642R-I ADSL routers have the administrative Telnet and FTP services exposed on the WAN (Internet) side. In addition, a common default password is used. It is reported that a significant proportion of users do not change the default password. This allows a remote user to access the device and make modifications to the device's configuration and firmware.
Since the release of firmware version AJ.3, WAN side filters for Telnet and FTP are apparently intended to be in place in the default configuration. However, that is not the case.
It is reported that the ZyXEL Prestige 642M is not vulnerable.
The P642R and 642R-I models when used in "bridge mode" with PPPoE are reported to be not vulnerable.
A remote user can gain administrative access to the router when in the default configuration. Administrative access allows the user to make configuration changes and upload new firmware.|
Users can apply the FTP_WAN and TELNET_WAN filter rules to block incoming connections to ports 21 and 23. This can reportedly be done by hooking filter rules 3 and 5 into the Remote Node Setup (menu 11.1 -> 11.5), like so:|
Menu 11.5 - Remote Node Filter
Input Filter Sets:
Output Filter Sets:
Vendor URL: www.zyxel.com/ (Links to External Site)
This archive entry is a follow-up to the message listed below.|
Source Message Contents
Date: Wed, 15 Aug 2001 20:47:02 +0200|
Subject: BID 3161: other ZyXEL Prestige routers affected too
I've received word that the ZyXEL Prestige 202 router has its
administrative telnet/FTP services open on the WAN side too, and
preconfigured filters are not applied and do not work properly if
applied as-is. In addition, I was able to check out an oldish
Prestige 100, and it too was vulnerable, same situation.
I suspect that the vast majority of ZyXEL Prestige family routers
have this problem. It is less of a problem with non-DSL routers
that are not online 24/7, but it is still dangerous enough in any
case. The issue must have been around for years...
The latest vulnerability info for BID 3161 is now:
ZyXEL Prestige 100
ZyXEL Prestige 202
ZyXEL Prestige 642R
ZyXEL Prestige 642R-I
ZyXEL Prestige 642M
ZyXEL Prestige 642M-I
If you have access to a ZyXEL router, check whether admin services
are open to the Internet, and let me know about the results. Thanks.
Daniel Roethlisberger <email@example.com>
PGP Key ID 0x8DE543ED with fingerprint
6C10 83D7 2BB8 D908 10AE 7FA3 0779 0355 8DE5 43ED