Zyxel security advisory for Web CGI vulnerability of gateways and access point controllers
Summary
Zyxel gateways and access point controllers are affected by a Web CGI vulnerability. Users are advised to upgrade to the latest available firmware or hotfix for optimal protection.
What’s the vulnerability?
A Web CGI vulnerability was identified in Zyxel gateways and access point controllers that did not authenticate external DNS requests in their redirect CGI program. The vulnerability could allow an unauthenticated individual to spam an internal service or probe whether domain names are present on the internal network behind the firewall, which could result in internal DNS information disclosure.
What products are vulnerable—and what should you do?
After a thorough investigation, we’ve identified the affected products, as listed in the table below. For optimal protection, we strongly urge users to install the applicable firmware patches or hotfixes.
| Affected model | Hotfix | Standard firmware release |
|---|---|---|
| ATP200 | ZLD4.33 Wk30 available now* | ZLD4.35 in Oct. 2019 |
| ATP500 | ZLD4.33 Wk30 available now* | ZLD4.35 in Oct. 2019 |
| ATP800 | ZLD4.33 Wk30 available now* | ZLD4.35 in Oct. 2019 |
| UAG2100 | ZLD4.18 Wk29 available now* | - |
| UAG4100 | ZLD4.18 Wk29 available now* | - |
| USG20-VPN | ZLD4.33 Wk30 available now* | ZLD4.35 in Oct. 2019 |
| USG20W-VPN | ZLD4.33 Wk30 available now* | ZLD4.35 in Oct. 2019 |
| USG40 | ZLD4.33 Wk30 available now* | ZLD4.35 in Oct. 2019 |
| USG40W | ZLD4.33 Wk30 available now* | ZLD4.35 in Oct. 2019 |
| USG60 | ZLD4.33 Wk30 available now* | ZLD4.35 in Oct. 2019 |
| USG60W | ZLD4.33 Wk30 available now* | ZLD4.35 in Oct. 2019 |
| USG110 | ZLD4.33 Wk30 available now* | ZLD4.35 in Oct. 2019 |
| USG210 | ZLD4.33 Wk30 available now* | ZLD4.35 in Oct. 2019 |
| USG310 | ZLD4.33 Wk30 available now* | ZLD4.35 in Oct. 2019 |
| USG1100 | ZLD4.33 Wk30 available now* | ZLD4.35 in Oct. 2019 |
| USG1900 | ZLD4.33 Wk30 available now* | ZLD4.35 in Oct. 2019 |
| USG2200 | ZLD4.33 Wk30 available now* | ZLD4.35 in Oct. 2019 |
| VPN50 | SD-OS 10.02 Wk34 available now* | ZLD4.35 in Jan. 2020 |
| VPN100 | SD-OS 10.02 Wk34 available now* | ZLD4.35 in Jan. 2020 |
| VPN300 | SD-OS 10.02 Wk34 available now* | ZLD4.35 in Jan. 2020 |
| ZyWALL110 | ZLD4.33 Wk30 available now* | ZLD4.35 in Oct. 2019 |
| ZyWALL310 | ZLD4.33 Wk30 available now* | ZLD4.35 in Oct. 2019 |
| ZyWALL1100 | ZLD4.33 Wk30 available now* | ZLD4.35 in Oct. 2019 |
| NXC2500 | - | 5.40(AAIG.2)C0 |
| NXC5500 | - | 5.40(AAOS.2)C0 |
*Contact your local Zyxel support team for the hotfix file.
Acknowledgment
Thanks to Thomas Weber at SEC Consult for reporting this vulnerability to us.
Revision history
Initial release 2019-8-29