WARNING ! MAJOR SECURITY BREACH ON ZYXEL ROUTERS
Zyxel
Guest
Posted: Sat Jan 15, 2005 1:10 pm    Post subject: WARNING ! MAJOR SECURITY BREACH ON ZYXEL ROUTERS

Arthur,

thanks for the suggestion.
Unfortunately the rule is as mentioned: from LAN to WAN! In addition
I have only one rule which goes from WAN to LAN.

This Zyxel thing seems to be really weak.

Regards
------------------
From :Arthur Hagen (art@broomstick.com)
Subject:Re: WARNING ! MAJOR SECURITY BREACH ON ZYXEL ROUTERS

Are these rules for *incoming* or *outgoing*? I'm tempted to believe that
you've listed the rules for "WAN to LAN", while the traffic in the log is
for "LAN to WAN", and rule 3 is rule 3 in the other list.

A brick.
-----------------------------------------------------
From: Patthecat74@hotmail.com (Zyxel)
Newsgroups: comp.security.firewalls
Subject: WARNING ! MAJOR SECURITY BREACH ON ZYXEL ROUTERS
NNTP-Posting-Host: 81.251.196.116
Message-ID: <cbb9a93c.0501141649.237b6f21@posting.google.com>

Owners of ZYXEL routers must be informed that there are major
security breaches on the Zyxel routers. The flaw exists whatever the
version of microcode. I am currently using ZyNOS F/W Version:
V3.40(IU.4) | 10/11/2004 &
DSL FW Version: Alcatel, Version 3.9.122

First security breach: there is an extremely easy way to reload a
malicious microcode into a ZYXEL router and restart it from remote,
without going through the router signon!

Second security breach: ZYXEL router lets packets go to ports
even though the firewall is supposed to block them ...
Look at the below example: firewall rule number 4 says that all ports
related to Emule should be "BLOCKed". If one looks at the log file,
one can see that all packets going to the Emule ports are in
fact "Forwarded" !!!

FIREWALL RULE NUMBER 4:
4 Y Any Any *Emule4(UDP:4672)*Emule3(UDP:4665)*Emule2(TCP:4662)*Emule1(TCP:4661)
Block No Enable No

LOG FILE:
85 01/15/2005 00:14:03 Firewall rule match: TCP (L to W, rule:3)
192.168.0.5:4485 82.252.31.196:4662 ACCESS FORWARD
86 01/15/2005 00:14:02 Firewall rule match: TCP (L to W, rule:3)
192.168.0.2:3702 172.211.50.125:4662 ACCESS FORWARD
87 01/15/2005 00:14:02 Firewall rule match: UDP (L to W, rule:3)
192.168.0.5:4672 220.134.119.98:4672 ACCESS FORWARD
88 01/15/2005 00:14:02 Firewall rule match: TCP (L to W, rule:3)
192.168.0.2:3738 172.211.164.152:4662 ACCESS FORWARD
89 01/15/2005 00:14:02 Firewall rule match: TCP (L to W, rule:3)
192.168.0.2:3737 83.154.109.41:4662 ACCESS

Third security breach: ZYXEL router doesn't apply the "Block" or
"forward" instruction provided to the proper firewall rule number. If
you look at the above LOG extract you may see that the firewall lets
the packets go out because the ports match the rule number 3. In fact
when you look at rule number 3 (see below) you can see that none of the
ports referred to in the log belong to this rule ! ... but to
rule number ....4 !!!
This means that you may believe that you closed the ports related to
port number 4 while in fact they are wide open because the system is
looking at rule number 3 which has absolutely nothing to do with it.

FIREWALL RULE NUMBER 3:
3 Y Any Any *CallOfDuty5(TCP/UDP:20600)*CallOfDuty1(TCP/UDP:28960)*CallOfDuty2(UDP:20500)*CallOfDuty3(UDP:20510)*CallOfDuty4(TCP/UDP:20610)
Forward No Enable No

Amazing the way the ZYXEL routers "works".
Any owner of a ZYXEL router here ? ... Let me know your IP ... I'd
like to pursue some other funny tests ...

I will bring my ZYXEL router back tomorrow and buy something else. Anyone
have a recommendation ? Something "solid" please ;-))

Regards
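The mismatch the post describes (log entries attributed to rule 3 whose destination ports actually belong to rule 4, and forwarded although rule 4 says Block) can be checked mechanically by cross-referencing the log against the rule table. The following is an added example, not code from the post or from ZyXEL; it parses the rule syntax and log format exactly as quoted above, with the log lines re-joined onto one line each as a constructed input, and assumes no other log line shapes.

```python
import re

# Added example, not code from the post: cross-check the ZyNOS log against the
# rule table to flag entries whose logged rule does not own the destination
# port, or that were forwarded although the owning rule says Block.
RULE_TABLE = {  # as quoted in the post: number -> (action, service spec)
    3: ("Forward", "*CallOfDuty5(TCP/UDP:20600)*CallOfDuty1(TCP/UDP:28960)"
                   "*CallOfDuty2(UDP:20500)*CallOfDuty3(UDP:20510)*CallOfDuty4(TCP/UDP:20610)"),
    4: ("Block", "*Emule4(UDP:4672)*Emule3(UDP:4665)*Emule2(TCP:4662)*Emule1(TCP:4661)"),
}

# Constructed input: three of the post's log entries re-joined onto one line each.
# Entry 89 is cut off after "ACCESS" in the original and is kept that way.
LOG = """\
85 01/15/2005 00:14:03 Firewall rule match: TCP (L to W, rule:3) 192.168.0.5:4485 82.252.31.196:4662 ACCESS FORWARD
87 01/15/2005 00:14:02 Firewall rule match: UDP (L to W, rule:3) 192.168.0.5:4672 220.134.119.98:4672 ACCESS FORWARD
89 01/15/2005 00:14:02 Firewall rule match: TCP (L to W, rule:3) 192.168.0.2:3737 83.154.109.41:4662 ACCESS
"""

SERVICE_RE = re.compile(r"\*\w+\(([A-Z/]+):(\d+)\)")
LOG_RE = re.compile(
    r"^(?P<idx>\d+) \S+ \S+ Firewall rule match: (?P<proto>TCP|UDP) "
    r"\(L to W, rule:(?P<rule>\d+)\) \S+:\d+ \S+:(?P<dport>\d+) ACCESS ?(?P<action>FORWARD|BLOCK)?$"
)

def parse_services(spec):
    """Expand '*Name(TCP/UDP:port)' items into a set of (proto, port) pairs."""
    return {(proto, int(port)) for protos, port in SERVICE_RE.findall(spec)
            for proto in protos.split("/")}

def audit(log_text, rule_table):
    """One finding per entry whose logged rule does not own the destination
    port, plus one per entry whose logged action contradicts the owning rule."""
    services = {n: parse_services(spec) for n, (_, spec) in rule_table.items()}
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:  # unknown line shape: report it rather than silently skip
            findings.append({"idx": None, "problem": "unparsed", "line": line})
            continue
        idx, logged = int(m["idx"]), int(m["rule"])
        owners = [n for n, s in services.items() if (m["proto"], int(m["dport"])) in s]
        if logged not in owners:
            findings.append({"idx": idx, "problem": "rule_mismatch",
                             "logged_rule": logged, "owning_rules": owners})
        for n in owners:
            want = rule_table[n][0].upper()
            if m["action"] and m["action"] != want:
                findings.append({"idx": idx, "problem": "action_mismatch", "rule": n,
                                 "expected": want, "logged": m["action"]})
    return findings
```

Run against the quoted data, every entry is reported as a rule mismatch (port owned by rule 4, logged as rule 3), and the entries that carry an action are additionally reported as forwarded where rule 4 expects BLOCK; the truncated entry 89 yields only the rule mismatch.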
Tx2
Guest
Posted: Sat Jan 15, 2005 2:31 pm    Post subject: Re: WARNING ! MAJOR SECURITY BREACH ON ZYXEL ROUTERS

In article <cbb9a93c.0501150010.544ba08a@posting.google.com>,
Patthecat74@hotmail.com, a.k.a Zyxel says...


Quote:
thanks for the suggestion.
Unfortunately the rule is as mentioned: from LAN to WAN! In addition
I have only one rule which goes from WAN to LAN.

This Zyxel thing seems to be really weak.


Have you contacted Zyxel with your findings, or has your only course of
action been your 'alarmist' response via usenet?