Zyxel is aware of the recently disclosed reflected cross-site scripting vulnerability affecting selected ZyWALL/USG models, as published on the SEC Consult Blog, and immediately launched an investigation upon becoming aware of it.
What is the vulnerability?
A reflected cross-site scripting vulnerability was identified in the “free_time_failed.cgi” CGI program of selected ZyWALL/USG devices equipped with hotspot functionality. The vulnerability could allow an unauthenticated attacker to obtain the browser cookies of the hotspot guest user account.
It is important to note that the hotspot guest user account of ZyWALL/USG devices is designed solely to provide hotspot guest users with temporary Internet access on certain selected web pages. It is the least-privileged account on ZyWALL/USG devices, and in our design the hotspot user group is entirely independent of and isolated from the device administrative user group. By default, our firewall policy blocks the hotspot user group from accessing the device administrative interface. This means that even if the vulnerability is exploited, the attacker will not be able to remotely access or change the administrative settings of ZyWALL/USG devices.
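The following is an added, generic illustration of the vulnerability class described above and of the defensive checks a practitioner would apply; it is not Zyxel firmware code and does not reproduce the affected CGI program. The parameter name `msg`, the page markup, the response headers and the access-log lines are all assumptions constructed for the example. It contrasts a page that reflects a request parameter verbatim with one that HTML-encodes it, shows cookie and CSP headers that limit what a reflected script can reach, and scans constructed log lines for requests to the affected CGI path whose query carries HTML metacharacters.

```python
"""Added example for this advisory: reflected XSS in a CGI-style page, shown
from the defender's side. Illustrative code only, not Zyxel's implementation;
the `msg` parameter, markup, headers and log format are assumptions."""
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit


def render_unsafe(query_string: str) -> str:
    """Vulnerable pattern: a request parameter is copied into HTML verbatim,
    so markup supplied by the requester is interpreted by the browser."""
    params = parse_qs(query_string)
    msg = params.get("msg", [""])[0]
    return f"<html><body><p>Login failed: {msg}</p></body></html>"


def render_safe(query_string: str) -> str:
    """Hardened pattern: HTML-encode every value taken from the request
    before it is placed into the page (quote=True also encodes ' and ")."""
    params = parse_qs(query_string)
    msg = html.escape(params.get("msg", [""])[0], quote=True)
    return f"<html><body><p>Login failed: {msg}</p></body></html>"


def hardened_headers(session_id: str) -> dict:
    """Response headers that reduce the impact of a reflected script:
    HttpOnly keeps the session cookie out of document.cookie, and a CSP
    without 'unsafe-inline' stops injected inline script from running."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Set-Cookie": f"session={session_id}; HttpOnly; Secure; SameSite=Lax",
        "Content-Security-Policy": "default-src 'self'",
    }


# Constructed, Apache-style access log lines (not real device logs).
SAMPLE_LOG = """\
10.0.0.5 - - [25/Apr/2018:10:01:02 +0000] "GET /free_time_failed.cgi?msg=timeout HTTP/1.1" 200 512
10.0.0.9 - - [25/Apr/2018:10:01:07 +0000] "GET /free_time_failed.cgi?msg=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 530
10.0.0.9 - - [25/Apr/2018:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)
# HTML metacharacters in a query string destined for a page that reflects it.
SUSPICIOUS = re.compile(r'[<>"\']')


def suspicious_requests(log_text: str, cgi_path: str = "/free_time_failed.cgi") -> list:
    """Return (ip, timestamp, decoded query) for requests to cgi_path whose
    URL-decoded query contains HTML metacharacters. Decoding first matters:
    the payload is usually percent-encoded in the raw log line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != cgi_path:
            continue
        decoded = unquote(parts.query)
        if SUSPICIOUS.search(decoded):
            hits.append((m.group("ip"), m.group("ts"), decoded))
    return hits


if __name__ == "__main__":
    q = "msg=%3Cb%3Ex%3C%2Fb%3E"
    print("unsafe:", render_unsafe(q))
    print("safe:  ", render_safe(q))
    for hit in suspicious_requests(SAMPLE_LOG):
        print("suspicious request:", hit)
```

The log scan is a coarse indicator, not a signature: legitimate queries rarely contain `<`, `>` or quotes, so a hit on the affected path is worth a look, and the encoding fix in `render_safe` is what actually removes the class of bug.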
What Zyxel products are impacted?
ZyWALL/USG110, 210, 310, 1100, 1900 and 2200-VPN with firmware version ZLD 4.30 and before.
How is Zyxel resolving it?
The patch is available in firmware ZLD 4.31, released on 18 April 2018.
Please contact your local service representatives if you require further information or assistance. To report a vulnerability, please contact firstname.lastname@example.org
Thomas Weber, SEC Consult Vulnerability Lab
Initial release 2018-04-25