A new vulnerability that allows intruders to remotely manipulate client premise equipment (CPEs) with administrative privileges was disclosed in December 2014. CVE-2014-9222* and CVE-2014-9223* – also known as the “Misfortune Cookie” Vulnerability, present a security weakness in the residential CPEs and the devices connected to it, allowing potential exploitation such as data theft or malware infection.
ZyXEL is well aware of the vulnerability and assures our customers that only a limited number of ZyXEL models mentioned are affected, and their firmware updates will be released as shown in the table below. Addressing the list of ZyXEL models mentioned, several have already been provided additional protection with a new firmware update, while the great majority are currently “end-of-life” status.
Below find a list of current ZyXEL models on the market and the relevance of the newly discovered vulnerability. We recommend customers update the product firmware to its latest version as a measure to ensure maximum protection from all types of potential Internet intrusions and attacks.
*CVE-2014-9222 presents an authentication bypass vulnerability that allows unauthorized users to gain privileges remotely via a crafted cookie that triggers memory corruption.
*CVE-2014-9223 presents a buffer overflow vulnerability that allows unauthorized users to send a crafted request remotely and cause a denial of service.