CVE-2020-29583 – Zyxel Multiple Products Use of Hard-Coded Credentials Vulnerability
https://notcve.org/view.php?id=CVE-2020-29583
Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges. La versión de firmware 4.60 de los dispositivos Zyxel USG contiene una cuenta no documentada (zyfwp) con una contraseña que no puede ser cambiada. La contraseña para esta cuenta se puede encontrar en texto sin cifrar en el firmware. • http://ftp.zyxel.com/USG40/firmware/USG40_4.60%28AALA.1%29C0_2.pdf https://businessforum.zyxel.com/discussion/5252/zld-v4-60-revoke-and-wk48-firmware-release https://businessforum.zyxel.com/discussion/5254/whats-new-for-zld4-60-patch-1-available-on-dec-15 https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html https://www.secpod.com/blog/a-secret-zyxel-firewall-and-ap-controllers-could-allow-for-administrative-access-cve-2020-29583 https://www.zyxel.com/support/CVE- • CWE-522: Insufficiently Protected Credentials •
CVE-2020-9054 – Zyxel Multiple NAS Devices OS Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2020-9054
Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. • https://github.com/darrenmartyn/CVE-2020-9054 https://cwe.mitre.org/data/definitions/78.html https://kb.cert.org/artifacts/cve-2020-9054.html https://kb.cert.org/vuls/id/498544 https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2019-12583
https://notcve.org/view.php?id=CVE-2019-12583
Missing Access Control in the "Free Time" component of several Zyxel UAG, USG, and ZyWall devices allows a remote attacker to generate guest accounts by directly accessing the account generator. This can lead to unauthorised network access or Denial of Service. El control de acceso que falta en el componente "Tiempo libre" de varios dispositivos Zyxel UAG, USG y ZyWall permite que un atacante remoto genere cuentas de invitado al acceder directamente al generador de cuentas. Esto puede llevar a un acceso no autorizado a la red o a una denegación de servicio. • https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generator-xss https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.shtml • CWE-425: Direct Request ('Forced Browsing') •