Bugtraq mailing list archives

Fwd: ZyXEL Prestige 642 Router Administration Interface Vulnerability


From: Daniel Roethlisberger <daniel () roe ch>
Date: Tue, 14 Aug 2001 18:45:32 +0200


It seems that some ZyXEL regional offices have reacted and
reworked the configuration of all P642R firmware releases. Their
fixed firmware is available at ftp://ftp.europe.zyxel.com/ .

Unfortunately, there seems to be a bit of a release management
problem within ZyXEL; the fixed firmware is some releases older
than the latest firmware available from the Swiss ZyXEL
distributor, Studerus AG, at http://www.zyxel.ch/ .

This also confirms that the firmware that was fixed after Sean
Boran reported this issue to ZyXEL Switzerland in June/July was
only available within Switzerland, and not elsewhere.

Here are the details:

        ftp.europe.zyxel.com        www.zyxel.ch
R-11    v2.50(AJ.2)r2 09/01/2000    v2.50(AJ.4)C0 07/03/2001
RI-13   v2.50(AL.0)r2 08/08/2000    v2.50(AL.2)b2 05/22/2001
R-61    v2.50(AN.1)r2 02/02/2001    -

The dates are the release dates of the -firmware- as stated in the
release notes, not the last change of the default config rom.

The following is forwarded with the express permission of
Manfred Recla at ZyXEL Austria <mr () zyxel at>

Cheers,
Dan

BTW: I keep a list of relevant URLs on this issue up to date at
     http://www.roe.ch/bugtraq/3161/


[this is a forwarded message]
From: ZyXEL.AT, Manfred Recla <mr () zyxel at>
To: daniel () roe ch <daniel () roe ch>
Date: Tuesday, August 14, 2001, 3:10:55 PM
Subject: Fw: ZyXEL Prestige 642 Router Administration Interface Vulnerability

--- begin of original message ---

----- Original Message -----
From: "ZyXEL.AT, Manfred Recla" <mr () zyxel at>
To: "Jimmy Jensen" <jj () zyxel dk>; <fchang () zyxel com tw>
Cc: <chfan () zyxel com tw>; <mtseng () zyxel com tw>; "ZASTECH" <zastech () zyxel dk>; "FAE @ ZyXEL Europe" <fae () europe zyxel com>
Sent: Tuesday, August 14, 2001 3:10 PM
Subject: Re: ZyXEL Prestige 642 Router Administration Interface Vulnerability



ooops,
I found one minor bug in my filter "plug-in" settings in menu 11.5,
if the device filter set #4 (PPPoE) is set, then no normal PPPoA
traffic can work. So I removed that #4 from menu 11.5 now again
and uploaded for all three models P641R11, P642R13 and P642R61
the revision "r2" to our FTP server.


best regards,
Manfred Recla (ZyXEL Austria - Technical Support)
**********************************************************
  ZyXEL Communications Services GmbH.
  Thaliastrasse 125a/2/2/4
  A-1160 Vienna, AUSTRIA
  Tel:     +43-1-4948677-0, Fax: +43-1-4948678
  Hotline: 0810-1-ZyXEL (= 0810-1-99935), Regionaltarif
  eMail:   support () zyxel at
**********************************************************



----- Original Message -----
From: "ZyXEL.AT, Manfred Recla" <mr () zyxel at>
To: "Jimmy Jensen" <jj () zyxel dk>; <fchang () zyxel com tw>
Cc: <chfan () zyxel com tw>; <mtseng () zyxel com tw>; "ZASTECH" <zastech () zyxel dk>; "FAE @ ZyXEL Europe" <fae () europe zyxel com>
Sent: Tuesday, August 14, 2001 2:15 PM
Subject: Re: ZyXEL Prestige 642 Router Administration Interface Vulnerability



Dear all,

I reworked the default config files for the routers and uploaded
the files to our FTP server now.

P642R-11 ..... v2.50(AJ.2)r1
P642R-13 ..... v2.50(AL.0)r1
P642R-61 ..... v2.50(AN.1)r1

the added extension "r1" means "revision 1" (or also "recla 1").


I modified and added the filters in menu 21 and inserted them to 3.1
and 11.5 and I slightly modified the autoexec.net as described below.


In menu 21 I defined the following filter sets:
-------------------------------------------
#1) NetBIOS_LAN
#2) NetBIOS_WAN
#3) TEL_FTP_WEB_WAN
#4) PPPoE
#5) SNMP_WAN

In menu 3.1) "General Ethernet Setup"
--------------------------------------
   Input Filter Sets:
     protocol filters= 2
     device filters=
   Output Filter Sets:
     protocol filters=
     device filters=


In menu 11.5)  "Remote Node Filter"
------------------------------------
   Input Filter Sets:
     protocol filters= 5, 3
     device filters= 4
   Output Filter Sets:
     protocol filters= 1
     device filters=

sys edit autoexec.net
---------------------
sys errctl 0
sys trcl level 5
sys trcl type 1180
sys trcp cr 64 96
sys trcl sw off      <<<- modified from "on" to "off"
sys trcp sw off      <<<- modified from "on" to "off"
ip tcp mss 512
ip tcp limit 2
ip tcp irtt 65000
ip tcp window 2
ip tcp ceiling 6000
ip rip activate
ip rip merge on
ip icmp discovery enif0 off
sys wd sw off            <<--- added this line
ppp ipcp compress off    <<--- added this line
EOF


best regards,
Manfred Recla (ZyXEL Austria - Technical Support)
**********************************************************
  ZyXEL Communications Services GmbH.
  Thaliastrasse 125a/2/2/4
  A-1160 Vienna, AUSTRIA
  Tel:     +43-1-4948677-0, Fax: +43-1-4948678
  Hotline: 0810-1-ZyXEL (= 0810-1-99935), Regionaltarif
  eMail:   support () zyxel at
**********************************************************


----- Original Message -----
From: "Jimmy Jensen" <jj () zyxel dk>
To: <fchang () zyxel com tw>
Cc: <chfan () zyxel com tw>; <mtseng () zyxel com tw>; <mr () zyxel at>; "ZASTECH" <zastech () zyxel dk>
Sent: Monday, August 13, 2001 5:20 PM
Subject: ZyXEL Prestige 642 Router Administration Interface Vulnerability


FYI,

The following is taken from http://www.securityfocus.com
It describes a vulnerability because of missing filters in P642R.
I checked the new beta and saw that now these filters are applied by
default. Good!
But what about the many customers who already bought P642R?
(See the PASSWORDS section of the report.)



ZyXEL Prestige 642R: Exposed Admin Services on WAN with Default Password

[ my original BugTraq posting here... ]

--
   Daniel Roethlisberger <daniel () roe ch>
   PGP Key ID 0x8DE543ED with fingerprint
   6C10 83D7 2BB8 D908 10AE  7FA3 0779 0355 8DE5 43ED

With kind regards - Med venlig hilsen

Jimmy Jensen - ZyXEL Communication A/S
Columbusvej 5, DK - 2860 Søborg
Phone (+45) 39550700 - Fax (+45) 39550707
Support Phone (+45) 39550785
Did you check http://www.zyxel.dk today?

---  end of original message  ---


-- 
   Daniel Roethlisberger <daniel () roe ch>
   PGP Key ID 0x8DE543ED with fingerprint
   6C10 83D7 2BB8 D908 10AE  7FA3 0779 0355 8DE5 43ED
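
[Added example, not part of the original postings and not ZyXEL code: a small audit of the menu 11.5 "Remote Node Filter" assignments quoted above, checking that filter sets 3 and 5 are applied to input and that device filter 4, which the r2 note removes, is absent. It assumes a config listing in the same text layout as the forwarded message; the sample input is constructed from that quote.]

```python
import re

# Filter set numbers and names as defined in menu 21 in the forwarded message.
FILTER_SETS = {1: "NetBIOS_LAN", 2: "NetBIOS_WAN", 3: "TEL_FTP_WEB_WAN",
               4: "PPPoE", 5: "SNMP_WAN"}

# Constructed sample: the menu 11.5 text as quoted for revision r1.
SAMPLE_R1 = """\
In menu 11.5)  "Remote Node Filter"
   Input Filter Sets:
     protocol filters= 5, 3
     device filters= 4
   Output Filter Sets:
     protocol filters= 1
     device filters=
"""

def parse_filters(text):
    """Return {(direction, kind): [set numbers]} from a menu listing."""
    result, direction = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*(Input|Output) Filter Sets:", line)
        if m:
            direction = m.group(1).lower()
            continue
        m = re.match(r"\s*(protocol|device) filters=\s*(.*)$", line)
        if m and direction:
            result[(direction, m.group(1))] = [int(n) for n in re.findall(r"\d+", m.group(2))]
    return result

def audit_remote_node(text):
    """List deviations from the r2 remote-node layout described in the thread."""
    cfg = parse_filters(text)
    findings = []
    applied = set(cfg.get(("input", "protocol"), []))
    # Sets 3 and 5 are the ones the message applies to remote-node input.
    for required in (3, 5):
        if required not in applied:
            findings.append(f"missing input protocol filter {required} ({FILTER_SETS[required]})")
    # The r2 follow-up removes device filter 4 because it stops PPPoA traffic.
    if 4 in cfg.get(("input", "device"), []):
        findings.append("device filter 4 (PPPoE) set: blocks PPPoA per the r2 note")
    return findings

if __name__ == "__main__":
    for finding in audit_remote_node(SAMPLE_R1):
        print(finding)
```
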

