Zyxel security advisory for insufficient entropy vulnerability of GS1900 series switches

CVE: CVE-2022-34746

Summary

Zyxel has released patches for GS1900 series switches affected by an insufficient entropy vulnerability. Users are advised to install them for optimal protection.

 

What is the vulnerability?

An insufficient entropy vulnerability caused by the improper use of randomness sources with low entropy for RSA key pair generation was found in Zyxel GS1900 series switches. This vulnerability could allow an attacker to retrieve a private key by factoring the RSA modulus N in the certificate of the web administration interface. In addition, the attacker could use the private key to decrypt TLS-secured connections or impersonate the certificate owner.

 

What versions are vulnerable—and what should you do?

After a thorough investigation, we have identified the vulnerable products that are within their vulnerability support period, with their firmware patches shown in the table below.

Affected model Affected version Patch availability
GS1900-8 V2.60(AAHH.4)C0 V2.70(AAHH.3)C0
GS1900-8HP V2.60(AAHI.4)C0 V2.70(AAHI.3)C0
GS1900-10HP V2.60(AAZI.4)C0 V2.70(AAZI.3)C0
GS1900-16 V2.60(AAHJ.4)C0 V2.70(AAHJ.3)C0
GS1900-24 V2.60(AAHL.4)C0 V2.70(AAHL.3)C0
GS1900-24E V2.60(AAHK.4)C0 V2.70(AAHK.3)C0
GS1900-24EP V2.60(ABTO.4)C0 V2.70(ABTO.3)C0
GS1900-24HPv2 V2.60(ABTP.4)C0 V2.70(ABTP.3)C0
GS1900-48 V2.60(AAHN.4)C0 V2.70(AAHN.3)C0
GS1900-48HPv2 V2.60(ABTQ.4)C0 V2.70(ABTQ.3)C0
 

Got a question?

Please contact your local service rep or visit Zyxel’s Community for further information or assistance.

 

Acknowledgment

Thanks to the following researchers for reporting the issue to us:

  • Chris Papathanasiou and Kyprianos Vasilopoulos from Panthera Labs
  • Maximilian Radoy, Sven Hebrok, Robert Merget, and Juraj Somorovsky from Paderborn University
  • CERT-Bund, the Computer Emergency Response Team for Germany's federal authorities
 

Revision history

2022-09-20: Initial release