The enemy from within: Unauthenticated Buffer Overflows in Zyxel routers still haunting users 

Earlier this year, the SEC Consult Vulnerability Lab published a technical security advisory on different critical vulnerabilities in Zyxel devices, resulting from insecure coding practices and insecure configuration. Those also included a highly critical unauthenticated buffer overflow in the proprietary web server which allowed remote root access to the device.

A few weeks after our publication, Zyxel firewalls and VPNs made the news with another critical issue discovered by Jacob Baines, lead security researcher at Rapid7. Given the impact of the vulnerability and amount of exploitation attempts on businesses worldwide, people didn’t seem to care a lot about the „small“ buffer overflow situation found by Gerhard Hechenberger, Steffen Robertz, Thomas Weber and Stefan Viehböck.

 

What was it all about? 

By bypassing the ASLR security measure, our identified buffer overflow can be turned into an unauthenticated remote code execution on the affected Zyxel devices resulting in root permissions for the attacker. And the only prerequisite: network-level access to the web interface, e.g., via your Wi-Fi network but also via the Internet.

Upon responsible disclosure of the advisory in February 2022, we did remove the detailed proof of concept to give ISPs and end users worldwide more time to patch their affected devices. And there were a lot of them. With a few lines of code, an attacker could install backdoors on your router device, reroute traffic (a fun one, right?), sniff out other (maybe harder to crack) passwords for your online banking, social media accounts and basically any other data that is being sent in and out the network. And don't even get us started what you can do in case your router’s web interface is accessible from the Internet… 

What is the difference between the vulnerability published in May and our „smaller“ one from February? 

Actually, we do have a very similar effect here. The main difference is that the affected devices on our list are mostly used as CPE (customer premises equipment) devices at Internet Service Providers for individuals or small businesses and the firewalls being under attack in May were mainly used by larger companies. Also, more firewalls could be found and accessed over the Internet in comparison to the CPE devices. See the full list of affected devices provided by the vendor further down below. 

Why are you telling me this, now?

Everyone is so keen on improving cyber security in your network. But it only takes one device in your own four walls to open up a huge security gap. And it is not always your garage door or the fancy IoT web cam (e.g. the issues we found in HiKam that also got nominated for the Pwnie awards 2022). On that note, we recommend reading up on our top ten vulnerabilities here, which don‘t seem to ever get old here.

Remember the „few lines of code“ you’d need? Well, we just released our Metasploit module for the buffer overflow for Zyxel’s web server on Github. So, with the click of a button, you can test if your own device is already patched instead of waiting for a hacker to do all the fun things mentioned earlier. 

We’d really like you to check the list of affected products, some of which remain unpatched because they were considered end-of-life products (EOLs) by Zyxel. But a lot of products are used by not tech-savvy (so called „normal“) people worldwide, regardless of their product lifecycle. It can only be assumed how many of them will not be replaced by a newer (patched) model or get a manual update, thus remain most likely vulnerable.

If you happen to have a friend owning a coffee shop (or any other place with public Wi-Fi), you can invite them to run our provided Metasploit code there too and let them know that they urgently need to patch their routers. For your Wi-Fi security at home, making sure your passwords are strong and updated on a regular basis is a solid recommendation you should always keep in mind.

In a recent Censys.io scan for potentially vulnerable Zyxel products, we found over 5000 devices that seem to be accessible over the Internet. The affected numbers for locally exploitable devices are unknown to us.

How many users are still affected?

By searching for the affected device name string one can also filter for HTTP services. Most found devices have the Zyxel web interface exposed (besides other internal ports forwarded) and it seems the number of accessible devices is at least over 5000. This does not necessarily mean that they are all unpatched. But it is never a good idea to expose those admin interfaces directly on the Internet. Those queries and filters have been used which had to be split up because of the amount of devices:

 

Example scans for vulnerable Zyxel devices

(click on the images to see the results on search.censys.io, login required)

Over 34k Zyxel devices vulnerable in the UK

Out of curiosity, we created an HTML fingerprint for one router model for testing purposes (and found out, two router interfaces actually have the same hash). According to the scan results, over 36,000 routers' web interfaces can be found on the Internet, just by using a more specific search. Almost all of those routers are located in the UK. We have already informed the affected ISP that their devices might be exposing the admin interface on the Internet, probably because of their ISP standard configuration. It is reasonable to assume that with additional hashes for other product versions, you can potentially find many more unpatched devices.

More about the Metasploit module release

The Metasploit module will use the unauthenticated file read vulnerability (issue 2 in our advisory) to detect if a vulnerable firmware is running. This is a fairly stable marker as the buffer overflow targets the same undocumented functionality. The module will then overflow the buffer and guess the libc load address. If the guess is wrong, the web interface will crash. However, it will be restarted automatically after 5s. Thus, we can try our payload every 5s. In our, admittedly small, test scale of 25 runs we required an average run time of roughly 20min to get a root shell, The internet connection is not affected by the crashing webserver and hence isn’t drawing any attention. 

Affected EOL products

(list not necessarily complete) Those devices will not get an update:

AMG1302-T11C EOL
VMG3925-B10C EOL
VMG8924-B10D EOL
VMG1312-B10D EOL
VMG3312-T20A EOL
VMG3625-T20A EOL
VMG3925-B10B EOL
VMG3925-B10C EOL
VMG3925-B30C EOL
VMG3926-B10A EOL
VMG5313-B10B EOL
VMG5313-B30B EOL
VMG8623-T50A EOL
VMG8823-B10B EOL
VMG8823-B30B EOL
VMG8823-B50B EOL
VMG8823-B60B EOL
VMG8924-B10D EOL
VMG8924-B30D EOL
PMG5317-T20A EOL

List of affected devices

(and patch availability)

Affected product Model / Patch availability
CPE:  
DX3301-T0 V5.50(ABVY.3)C0 in Sep. 2022
DX5401-B0 V5.17(ABYO.1)C0
EMG3525-T50B EMEA - V5.50(ABPM.6)C0 || S. America - V5.50(ABSL.0)b12 in Sep. 2022
EMG5523-T50B EMEA - V5.50(ABPM.6)C0 || S. America - V5.50(ABSL.0)b12 in Sep. 2022
EMG5723-T50K V5.50(ABOM.7)C0
EX3301-T0 V5.50(ABVY.3)C0 in Sep. 2022
EX5401-B0 V5.17(ABYO.1)C0
EX5501-B0 V5.17(ABRY.2)C0
LTE3301-PLUS V1.00(ABQU.3)C0
LTE7240-M403 V2.00(ABMG.4)C0
VMG1312-T20B V5.50(ABSB.5)C0
VMG3625-T50B V5.50(ABPM.6)C0
VMG3927-B50A V5.17(ABMT.6)C0
VMG3927-B60A V5.17(ABMT.6)C0
VMG3927-T50K V5.50(ABOM.7)C0
VMG4005-B50A V5.15(ABQA.2)C0 in Mar. 2022
VMG8623-T50B V5.50(ABPM.6)C0
VMG8825-B50A V5.17(ABMT.6)C0
VMG8825-B50B V5.17(ABNY.7)C0
VMG8825-B60A V5.17(ABMT.6)C0
VMG8825-B60B V5.17(ABNY.7)C0
VMG8825-T50K V5.50(ABOM.7)C0
XMG3927-B50A V5.17(ABMT.6)C0
XMG8825-B50A V5.17(ABMT.6)C0
   
Firewall:  
VPN2S V1.20(ABLN.2)_00210319C1
   
ONT:  
AX7501-B0 V5.17(ABPC.1)C0
EP240P V5.40(ABVH.1)C0 in May 2022
PMG5317-T20B V5.40(ABKI.4)C0 in Apr. 2022
PMG5617GA V5.40(ABNA.2)C0 in Apr. 2022
PMG5622GA V5.40(ABNB.2)C0 in Apr. 2022
   
WiFi extender:  
WX3100-T0 V5.50(ABVL.1)C0 in Mar. 2022
WX3401-B0 V5.17(ABVE.1)C0
   
WiFi system:  
WSQ50 (Multy X) V2.20(ABKJ.7)C0
WSQ60 (Multy Plus) V2.20(ABND.8)C0
Illustration showing 3 step action plan to get your Zyxel router secured against vulnerabilities: Check for updates, then Patch or Replace.

What you can do now

As an end user

If your device is still vulnerable, urge your vendor or ISP to patch your device. In case your Zyxel device is on the list of EOL devices, consider changing to a newer model.

As a vendor, manufacturer or ISP

Secure products and services are your responsibility throughout the supply-chain. To help you achieve that goal, we’ve put together a few training and testing possibilities for you:

Secure Software Development Consulting

Software developers are often overwhelmed by the complexity of the threat landscape of modern systems and infrastructures. Failure to provide adequate support leads to vulnerable software and applications. As a result, companies can suffer costly security issues, legal and regulatory violations, and damage to their reputation and brand.

IoT and Embedded Systems Security

SEC Consult offers a full spectrum of security assessments, be it hardware, firmware, apps or IoT cloud platforms. Our experienced experts check all sorts of IoT devices as well as IoT ecosystems and embedded systems for vulnerabilities and security gaps.

SEC Trainings

Creating security awareness and improving the security skills of end users represents one of the foundations of information security. SEC Consult delivers trainings for different target groups based on best practices, state of the art security knowledge and real-life stories and experiences.

 

 

Interested in working with the experts of SEC Consult? Send us your application.
Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices.