Zyxel security advisory for vulnerabilities related to the Free Time feature
CVE: CVE-2019-12581, CVE-2019-12583
Summary
Zyxel security firewalls and hotspot gateways that support the Free Time WiFi hotspot feature are susceptible to a cross-site scripting and a security misconfiguration vulnerability. Users are advised to install the applicable hotfixes for optimal protection.
What is the vulnerability?
A reflected cross-site scripting vulnerability had previously been identified in the "free_time_failed.cgi" program in specific security firewalls and hotspot gateways equipped with hotspot functionality. The vulnerability could allow an attacker to obtain browser cookies of the hotspot guest user account without authentication.
A security misconfiguration vulnerability, recently found in the "free_time.cgi" program, could allow an attacker to generate guest accounts even if the Free Time feature is disabled.
It is important to note that the hotspot guest user account is solely designed to provide hotspot guest users with temporary internet access on certain select web pages. It is the least-privileged account of the affected devices, and the hotspot user group is entirely independent and isolated from the device administrative user group in our design. By default, our firewall policy would block hotspot users from accessing the device's administrative interface. This means even if the vulnerability is exploited, the attacker will not be able to remotely access or change the administrative settings of the device.
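As an added illustration (not Zyxel's code), the following script checks access-log records for the two conditions described above: requests reaching "free_time.cgi" while the Free Time feature is disabled, and markup reflected through "free_time_failed.cgi". The log layout, the sample lines and the free_time_enabled flag are constructed assumptions for this example, not the device's real format or setting.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample lines in a simplified "client method target status" shape.
# This is a hypothetical layout for the example, not the device's real log format.
SAMPLE_LOG = """\
10.0.0.5 GET /free_time.cgi?action=generate 200
10.0.0.6 GET /free_time_failed.cgi?msg=login+failed 200
10.0.0.7 GET /free_time_failed.cgi?msg=%3Cscript%3E 200
10.0.0.8 GET /login.cgi 200
"""

# Characters that break out of an HTML text context when echoed unescaped.
MARKUP = re.compile("[<>\"']")


def parse_line(line):
    """Split one log line into its fields; the target is split into path and query."""
    client, method, target, status = line.split()
    url = urlsplit(target)
    return {"client": client, "method": method, "path": url.path,
            "query": url.query, "status": int(status)}


def reflected_markup(query):
    """True if the percent-decoded query string carries HTML markup characters."""
    return bool(MARKUP.search(unquote(query)))


def analyse(log_text, free_time_enabled):
    """Return (client, finding) pairs for the two conditions in the advisory."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["path"] == "/free_time.cgi" and not free_time_enabled:
            # CVE-2019-12583: the account generator should be unreachable when
            # Free Time is switched off, so any hit is worth an alert.
            findings.append((rec["client"], "free_time_disabled_access"))
        elif rec["path"] == "/free_time_failed.cgi" and reflected_markup(rec["query"]):
            # CVE-2019-12581: markup in a parameter reflected by the error page.
            findings.append((rec["client"], "reflected_markup"))
    return findings


if __name__ == "__main__":
    # free_time_enabled=False models a device with the feature switched off.
    for client, finding in analyse(SAMPLE_LOG, free_time_enabled=False):
        print(f"{client}: {finding}")
```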
What should you do?
We’ve identified the vulnerable products, as listed in the table below, and will release hotfix or standard patch firmware to fix the issue. We urge users to install them for optimal protection.
Got a question or a tip-off?
Please contact your local service rep for further information or assistance. If you’ve found a vulnerability, we want to work with you to fix it—contact security@zyxel.com.tw and we’ll get right back to you.
Acknowledgement
- Patrik Fábián
- Nicolas Thumann: https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generator-xss/
- Thomas Weber, SEC Consult Vulnerability Lab: https://www.sec-consult.com/en/blog/advisories/reflected-cross-site-scripting-in-zxel-zywall/index.html
Revision history
2018-04-17: Initial release
2019-06-27: Added the security misconfiguration vulnerability details and updated the list of affected models
2019-11-04: Modified the firmware release schedule due to a bug in the previous patch firmware