
WARNING ! MAJOR SECURITY BREACH ON ZYXEL ROUTERS


Zyxel

14.01.2005, 19:49:17
Owners of ZYXEL routers must be informed that there are major
security breaches on the Zyxel routers. The flaw exists whatever the
version of microcode. I am currently using ZyNOS F/W Version:
V3.40(IU.4) | 10/11/2004 &
DSL FW Version: Alcatel, Version 3.9.122

First security breach: there is an extremely easy way to reload a
malicious microcode into a ZYXEL router and restart it from remote,
without going through the router signon !

Second security breach: ZYXEL router lets packets go to ports
even though the firewall is supposed to block them ...
Look at the below example: firewall rule number 4 says that all ports
related to Emule should be "BLOCKed". If one looks at the log
file, one can see that all packets going to the Emule ports are in
fact "Forwarded" !!!

FIREWALL RULE NUMBER 4:
4 Y Any Any *Emule4(UDP:4672)*Emule3(UDP:4665)*Emule2(TCP:4662)*Emule1(TCP:4661)
Block No Enable No

LOG FILE:
85 01/15/2005 00:14:03 Firewall rule match: TCP (L to W, rule:3)
192.168.0.5:4485 82.252.31.196:4662 ACCESS FORWARD
86 01/15/2005 00:14:02 Firewall rule match: TCP (L to W, rule:3)
192.168.0.2:3702 172.211.50.125:4662 ACCESS FORWARD
87 01/15/2005 00:14:02 Firewall rule match: UDP (L to W, rule:3)
192.168.0.5:4672 220.134.119.98:4672 ACCESS FORWARD
88 01/15/2005 00:14:02 Firewall rule match: TCP (L to W, rule:3)
192.168.0.2:3738 172.211.164.152:4662 ACCESS FORWARD
89 01/15/2005 00:14:02 Firewall rule match: TCP (L to W, rule:3)
192.168.0.2:3737 83.154.109.41:4662 ACCESS

Third security breach: ZYXEL router doesn't apply the "Block" or
"forward" instruction provided to the proper firewall rule number. If
you look at the above LOG extract you may see that the firewall lets
the packets go out because the ports match the rule number 3. In fact
when you look at rule number 3 (see below) you can see that none of the
ports referred to in the log belong to this rule ! ... but to
rule number ....4 !!!
This means that you may believe that you closed the ports related to
rule number 4 while in fact they are wide open because the system is
looking at rule number 3 which has absolutely nothing to do with it.

FIREWALL RULE NUMBER 3:
3 Y Any Any *CallOfDuty5(TCP/UDP:20600)*CallOfDuty1(TCP/UDP:28960)*CallOfDuty2(UDP:20500)*CallOfDuty3(UDP:20510)*CallOfDuty4(TCP/UDP:20610)
Forward No Enable No

Amazing the way the ZYXEL routers "work".
Any owner of a ZYXEL router here ? ... Let me know your IP ... I'd
like to pursue some other funny tests ...

I will bring my ZYXEL router back tomorrow and buy something else.
Anyone have a recommendation ? something "solid" please ;-))

Regards


Duane Arnold

14.01.2005, 20:14:32
Patth...@hotmail.com (Zyxel) wrote in
news:cbb9a93c.05011...@posting.google.com:

You can also look at the Hotbrick SOHO series as well. I think I am going
to get the 401W and configure it to be a wire/wireless switch AP and plug
it into the WG.

Duane :)

Arthur Hagen

14.01.2005, 20:31:50
Zyxel <Patth...@hotmail.com> wrote:
> Look at the below example: firewall rule number 4 says that all ports
> related to Emule should be "BLOCKed". If one looks at the log
> file, one can see that all packets going to the Emule ports are in
> fact "Forwarded" !!!
>
> FIREWALL RULE NUMBER 4:
> 4 Y Any Any
> *Emule4(UDP:4672)*Emule3(UDP:4665)*Emule2(TCP:4662)*Emule1(TCP:4661)
> Block No Enable No
[chop]

> FIREWALL RULE NUMBER 3:
> 3 Y Any Any
> *CallOfDuty5(TCP/UDP:20600)*CallOfDuty1(TCP/UDP:28960)*CallOfDuty2(UDP:20500)*CallOfDuty3(UDP:20510)*CallOfDuty4(TCP/UDP:20610)
> Forward No Enable No

Are these rules for *incoming* or *outgoing*? I'm tempted to believe that
you've listed the rules for "WAN to LAN", while the traffic in the log is
for "LAN to WAN", and rule 3 is rule 3 in the other list.

> I will bring my ZYXEL router back tomorrow and buy something else. Any
> one has a recommendation ? something "solid" please ;-))

A brick.

--
*Art
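The question raised above (does the log's "rule:3" refer to the LAN-to-WAN list the poster printed, or to rule 3 of a different direction's list?) is the kind of thing a configuration-versus-log audit settles quickly. The Python script below is an added example, not code from the thread or from ZyXEL: it parses rule service strings and log lines in the exact layout quoted in this thread, looks every logged rule number up in the table for the logged direction, and flags entries where the matched rule does not actually cover the destination port, where the logged action differs from the rule's action, or where a Block rule in the same direction covers a port that was nevertheless forwarded. The LAN-to-WAN rules and the five log lines are the ones quoted above; the single WAN-to-LAN rule is a constructed entry that only exists to show why the direction must be part of the lookup.

```python
import re
from collections import namedtuple

Service = namedtuple("Service", "name proto port")
LogEntry = namedtuple(
    "LogEntry", "seq timestamp proto direction rule src sport dst dport action"
)

# ZyNOS abbreviates the direction in the log; rule tables are kept per direction.
DIRECTION_NAMES = {"L to W": "LAN to WAN", "W to L": "WAN to LAN"}

# Matches one '*Name(PROTO:port)' item of a rule's service column.
SERVICE_RE = re.compile(r"\*([A-Za-z0-9]+)\(([A-Z/]+):(\d+)\)")


def parse_services(spec):
    """Expand '*Name(TCP/UDP:port)*Name2(UDP:port)' into one Service per protocol."""
    services = []
    for name, protos, port in SERVICE_RE.findall(spec):
        for proto in protos.split("/"):
            services.append(Service(name, proto, int(port)))
    return services


# Rule number -> (action, services), one table per direction.
# LAN-to-WAN rules 3 and 4 are the ones quoted in the thread.
# The WAN-to-LAN entry is constructed for this example; its contents are not on the page.
RULE_TABLES = {
    "LAN to WAN": {
        3: ("Forward", parse_services(
            "*CallOfDuty5(TCP/UDP:20600)*CallOfDuty1(TCP/UDP:28960)"
            "*CallOfDuty2(UDP:20500)*CallOfDuty3(UDP:20510)*CallOfDuty4(TCP/UDP:20610)")),
        4: ("Block", parse_services(
            "*Emule4(UDP:4672)*Emule3(UDP:4665)*Emule2(TCP:4662)*Emule1(TCP:4661)")),
    },
    "WAN to LAN": {
        3: ("Block", parse_services("*Emule2(TCP:4662)")),  # constructed, hypothetical
    },
}

# Log lines copied from the thread; each entry spans two physical lines.
SAMPLE_LOG = """
85 01/15/2005 00:14:03 Firewall rule match: TCP (L to W, rule:3)
192.168.0.5:4485 82.252.31.196:4662 ACCESS FORWARD
86 01/15/2005 00:14:02 Firewall rule match: TCP (L to W, rule:3)
192.168.0.2:3702 172.211.50.125:4662 ACCESS FORWARD
87 01/15/2005 00:14:02 Firewall rule match: UDP (L to W, rule:3)
192.168.0.5:4672 220.134.119.98:4672 ACCESS FORWARD
88 01/15/2005 00:14:02 Firewall rule match: TCP (L to W, rule:3)
192.168.0.2:3738 172.211.164.152:4662 ACCESS FORWARD
89 01/15/2005 00:14:02 Firewall rule match: TCP (L to W, rule:3)
192.168.0.2:3737 83.154.109.41:4662 ACCESS
"""

LOG_RE = re.compile(
    r"^(\d+) (\S+ \S+) Firewall rule match: (TCP|UDP) \((L to W|W to L), rule:(\d+)\)\s+"
    r"(\S+):(\d+) (\S+):(\d+) ACCESS(?: (FORWARD|BLOCK))?\s*$"
)


def parse_log(text):
    """Join each two-line log record and parse it; the action may be missing (entry 89)."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    entries = []
    for i in range(0, len(lines) - 1, 2):
        m = LOG_RE.match(lines[i] + " " + lines[i + 1])
        if not m:
            continue
        seq, ts, proto, direction, rule, src, sport, dst, dport, action = m.groups()
        entries.append(LogEntry(int(seq), ts, proto, DIRECTION_NAMES[direction],
                                int(rule), src, int(sport), dst, int(dport), action))
    return entries


def rules_covering(direction, proto, port):
    """Rule numbers in `direction` whose service list contains (proto, port)."""
    table = RULE_TABLES.get(direction, {})
    return [num for num, (_, svcs) in table.items()
            if any(s.proto == proto and s.port == port for s in svcs)]


def audit(entries):
    """Return (seq, kind, detail) findings where the log disagrees with the rule table."""
    findings = []
    for e in entries:
        table = RULE_TABLES.get(e.direction, {})
        if e.rule not in table:
            findings.append((e.seq, "unknown-rule", f"rule {e.rule} not in {e.direction} table"))
            continue
        rule_action, _ = table[e.rule]
        covering = rules_covering(e.direction, e.proto, e.dport)
        if e.rule not in covering:
            findings.append((e.seq, "rule-port-mismatch",
                             f"{e.proto}/{e.dport} is not a service of {e.direction} "
                             f"rule {e.rule}; covered by rules {covering}"))
        if e.action and e.action.lower() != rule_action.lower():
            findings.append((e.seq, "action-mismatch",
                             f"log says {e.action}, rule {e.rule} says {rule_action}"))
        blockers = [n for n in covering if table[n][0] == "Block"]
        if e.action == "FORWARD" and blockers:
            findings.append((e.seq, "block-bypassed",
                             f"{e.proto}/{e.dport} forwarded despite Block rule(s) {blockers}"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against the quoted data, every forwarded entry produces both a "rule-port-mismatch" (4662/4672 are not services of LAN-to-WAN rule 3) and a "block-bypassed" finding (they are services of Block rule 4 in the same direction), which is the poster's complaint stated mechanically. Swapping the direction in the lookup, as Arthur suggests, changes the answer, which is why the audit never treats a rule number as meaningful without its direction.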

Mungo

15.01.2005, 01:06:35

> Owners of ZYXEL routers must be informed that there are major
> security breaches on the Zyxel routers. The flaw exists whatever the

Strange. We test our various remote Zyxels periodically and have never seen
a security problem ( however, the earlier ones were very susceptible to DoS
caused by adjacent unshielded radio transmitters ). Zyxel received the ISCA
Cert 3 back in 2002 if I remember correctly.

Unfortunately, they don't come with the best of configuration instructions.
In fact, I don't remember them coming with ANY really coherent
instructions. It sounds like either you have configured it wrong or you
could have a defective unit.


There is a list of all the known issues with the Zyxel products at:

http://www.securityfocus.com/bid (search vendor Zyxel)

The only unpatched issues revolve around remote administration, which
should be avoided on ALL security appliances unless absolutely necessary.
No matter which appliance you end up with, be sure to disable remote
administration.


Zyxel

15.01.2005, 03:10:45
Arthur,

thanks for the suggestion.
Unfortunately the rule is as mentioned: from LAN to WAN ! In addition
I have only one rule which goes from WAN to LAN.

This Zyxel thing seems to be really weak.

Regards
------------------
From: Arthur Hagen (a...@broomstick.com)
Subject: Re: WARNING ! MAJOR SECURITY BREACH ON ZYXEL ROUTERS

Are these rules for *incoming* or *outgoing*? I'm tempted to believe that
you've listed the rules for "WAN to LAN", while the traffic in the log is
for "LAN to WAN", and rule 3 is rule 3 in the other list.

A brick.
-----------------------------------------------------
From: Patth...@hotmail.com (Zyxel)
Newsgroups: comp.security.firewalls
Subject: WARNING ! MAJOR SECURITY BREACH ON ZYXEL ROUTERS
NNTP-Posting-Host: 81.251.196.116
Message-ID: <cbb9a93c.05011...@posting.google.com>