Vulnerabilities recently identified in note VU#870744 of the CERT Vulnerability Notes Database affect ZyXEL products. ZyXEL is aware of the vulnerabilities, which affect three products, and assures customers that the remaining ZyXEL products currently on the market are not impacted. The solution specific to each vulnerability is as follows:
ZyXEL suggests users of all products change the default password upon initial log-in. This is critical to protecting your network by keeping any unauthorized users from gaining access via the default password. ZyXEL has included reminders for this practice on a majority of products. Changing the default password upon initial log-in is mandatory for the ZyXEL USG/ZyWALL, UAG, and LTE Series.
Model P660HW-T1 v2 (ZyNOS V3.40) was designated “end-of-life” on May 14, 2010. ZyXEL assigns a product an “end-of-life” status when there is a clear indication that the market has transitioned to its replacement. This replacement generally offers advanced technology and/or better economics.
ZyXEL recommends that users replace the P660HW-T1 v2 with a newer generation of DSL CPE better suited to today's network environment. Alternatively, as a general security practice, ZyXEL suggests that users avoid visiting untrusted sites or clicking on unsolicited links. It is also recommended that users keep their browser, computer operating system, and security software current with the latest patches and updates.
This issue (CVE-2015-6018, affecting the PMG5318-B20A; see the table below) was patched via a firmware update in December 2014 [version v1.00(AANC.2)C0], which included feature enhancements as well as bug and security fixes. ZyXEL recommends that users go to the support site to obtain the latest update.
CVE-2015-6019 & CVE-2015-6020:
ZyXEL has identified the root causes and will release a patch for the PMG5318-B20A in October 2015 to resolve the session expiration and authorization issues.
| Vulnerability | Affected Model | Status & Fix |
|---|---|---|
| | PMG5318-B20A | Suggest users change the default password upon initial log-in |
| CVE-2015-6018 | PMG5318-B20A | Issue already fixed in Dec. 2014 via firmware v1.00(AANC.2)C0 |
| CVE-2015-6019 | PMG5318-B20A | Fix available in October 2015 |
| CVE-2015-6020 | PMG5318-B20A | Fix available in October 2015 |
Please contact your local service or sales representative if you require any further assistance.