Client Side Authorization ZyXEL ZyWALL USG Appliances Web Interface
Product: ZyXEL USG (Unified Security Gateway) appliances
Possibly other ZLD-based products
Affected Versions: Firmware Releases before April 25, 2011
Fixed Versions: Firmware Releases from or after April 25, 2011
Vulnerability Type: Client Side Authorization
Security Risk: medium
Vendor URL: http://www.zyxel.com/
Vendor Status: fixed version released
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2011-004
Advisory Status: published
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
``The ZyWALL USG (Unified Security Gateway) Series is the "third generation" ZyWALL featuring an all-new platform. It provides greater performance protection, as well as a deep packet inspection security solution for small businesses to enterprises alike. It embodies a Stateful Packet Inspection (SPI) firewall, Anti-Virus, Intrusion Detection and Prevention (IDP), Content Filtering, Anti-Spam, and VPN (IPSec/SSL/L2TP) in one box. This multilayered security safeguards your organization's customer and company records, intellectual property, and critical resources from external and internal threats.''
(From the vendor's homepage)
Proof of Concept
If possible, disable the web-based administrative interface or ensure otherwise that the interface is not exposed to attackers.
Upgrade to a firmware released on or after April 25, 2011.
This vulnerability enables users of the role "limited-admin" to access configuration files with potentially sensitive information (like the password hashes of all other users). The risk of this vulnerability is estimated as medium.
2011-03-07 Vulnerability identified
2011-04-06 Customer approved disclosure to vendor
2011-04-07 Vendor notified
2011-04-08 Meeting with vendor
2011-04-15 Vulnerability fixed by vendor
2011-04-18 Test appliance and beta firmware supplied to
RedTeam Pentesting, fix verified
2011-04-25 Vendor released new firmwares with fix
2011-04-29 Vendor confirms that other ZLD-based devices may also be
2011-05-04 Advisory released
RedTeam Pentesting likes to thank ZyXEL for the fast response and
RedTeam Pentesting GmbH
RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.
More information about RedTeam Pentesting can be found at http://www.redteam-pentesting.de.