WARNING ! MAJOR SECURITY BREACH ON ZYXEL ROUTERS
DComTalk.com Forum Index -> Firewalls
Zyxel
Posted: Sat Jan 15, 2005 5:49 am    Post subject: WARNING ! MAJOR SECURITY BREACH ON ZYXEL ROUTERS

Owners of ZYXEL routers must be informed that there are major
security breaches on the Zyxel routers. The flaw exists whatever the
version of microcode. I am currently using ZyNOS F/W Version:
V3.40(IU.4) | 10/11/2004 &
DSL FW Version: Alcatel, Version 3.9.122

First security breach: there is an extremely easy way to reload a
malicious microcode into a ZYXEL router and restart it from remote,
without going through the router signon!

Second security breach: ZYXEL router lets packets go to ports
even though the firewall is supposed to block them ...
Look at the below example: firewall rule number 4 says that all ports
related to Emule should be "BLOCKed". If one looks at the log file,
one can see that all packets going to the Emule ports are in
fact "Forwarded"!!!

FIREWALL RULE NUMBER 4:
4 Y Any Any *Emule4(UDP:4672)*Emule3(UDP:4665)*Emule2(TCP:4662)*Emule1(TCP:4661)
Block No Enable No

LOG FILE:
85 01/15/2005 00:14:03 Firewall rule match: TCP (L to W, rule:3) 192.168.0.5:4485 82.252.31.196:4662 ACCESS FORWARD
86 01/15/2005 00:14:02 Firewall rule match: TCP (L to W, rule:3) 192.168.0.2:3702 172.211.50.125:4662 ACCESS FORWARD
87 01/15/2005 00:14:02 Firewall rule match: UDP (L to W, rule:3) 192.168.0.5:4672 220.134.119.98:4672 ACCESS FORWARD
88 01/15/2005 00:14:02 Firewall rule match: TCP (L to W, rule:3) 192.168.0.2:3738 172.211.164.152:4662 ACCESS FORWARD
89 01/15/2005 00:14:02 Firewall rule match: TCP (L to W, rule:3) 192.168.0.2:3737 83.154.109.41:4662 ACCESS

Third security breach: ZYXEL router doesn't apply the "Block" or
"Forward" instruction provided to the proper firewall rule number. If
you look at the above LOG extract you may see that the firewall lets
the packets go out because the ports match rule number 3. In fact
when you look at rule number 3 (see below) you can see that none of the
ports referred to in the log belong to this rule! ... but to
rule number ....4!!!
This means that you may believe that you closed the ports related to
rule number 4 while in fact they are wide open because the system is
looking at rule number 3 which has absolutely nothing to do with it.

FIREWALL RULE NUMBER 3:
3 Y Any Any *CallOfDuty5(TCP/UDP:20600)*CallOfDuty1(TCP/UDP:28960)*CallOfDuty2(UDP:20500)*CallOfDuty3(UDP:20510)*CallOfDuty4(TCP/UDP:20610)
Forward No Enable No

Amazing the way the ZYXEL routers "work".
Any owner of a ZYXEL router here? ... Let me know your IP ... I'd
like to pursue some other funny tests ...

I will bring my ZYXEL router back tomorrow and buy something else. Does
anyone have a recommendation? Something "solid" please ;-))

Regards
Leythos
Posted: Sat Jan 15, 2005 5:54 am    Post subject: Re: WARNING ! MAJOR SECURITY BREACH ON ZYXEL ROUTER

In article <cbb9a93c.0501141649.237b6f21@posting.google.com>,
Patthecat74@hotmail.com says...
Quote:
I will bring my ZYXEL router back tomorrow and buy something else. Any
one has a recommendation ? something "solid" please ;-))

WatchGuard Firebox III or X, even the SOHO units for home are nice.

--
spamfree999@rrohio.com
(Remove 999 to reply to me)
Duane Arnold
Posted: Sat Jan 15, 2005 6:14 am    Post subject: Re: WARNING ! MAJOR SECURITY BREACH ON ZYXEL ROUTER

Patthecat74@hotmail.com (Zyxel) wrote in
news:cbb9a93c.0501141649.237b6f21@posting.google.com:

Quote:
[chop]

You can also look at the Hotbrick SOHO series as well. I think I am going
to get the 401W and configure it to be a wire/wireless switch AP and plug
it into the WG.

Duane :)
Arthur Hagen
Posted: Sat Jan 15, 2005 6:31 am    Post subject: Re: WARNING ! MAJOR SECURITY BREACH ON ZYXEL ROUTER

Zyxel <Patthecat74@hotmail.com> wrote:
Quote:
Look at the below example: firewall rule number 4 says that all ports
related to Emule should be "BLOCKed". If one looks at the log file,
one can see that all packets going to the Emule ports are in
fact "Forwarded"!!!

FIREWALL RULE NUMBER 4:
4 Y Any Any *Emule4(UDP:4672)*Emule3(UDP:4665)*Emule2(TCP:4662)*Emule1(TCP:4661)
Block No Enable No
[chop]
FIREWALL RULE NUMBER 3:
3 Y Any Any *CallOfDuty5(TCP/UDP:20600)*CallOfDuty1(TCP/UDP:28960)*CallOfDuty2(UDP:20500)*CallOfDuty3(UDP:20510)*CallOfDuty4(TCP/UDP:20610)
Forward No Enable No

Are these rules for *incoming* or *outgoing*? I'm tempted to believe that
you've listed the rules for "WAN to LAN", while the traffic in the log is
for "LAN to WAN", and rule 3 is rule 3 in the other list.

Quote:
I will bring my ZYXEL router back tomorrow and buy something else. Any
one has a recommendation ? something "solid" please ;-))

A brick.

--
*Art
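The check Arthur Hagen's question implies, worked through as an added example (it is not code from any poster, nor Zyxel's): a ZyNOS "Firewall rule match" log line carries a direction tag ("L to W") next to the rule number, so the rule number has to be looked up in the rule set for that direction, not in whichever list happens to be on screen. The script parses the log lines quoted in the thread, compares each against the two rules the original poster printed (read here, per Arthur's hypothesis, as the WAN-to-LAN set), and then against a hypothetical LAN-to-WAN set whose rule 3 forwards any service. That LAN-to-WAN set, the mapping of log tags to sets, and the top-down first-match evaluation in `first_match` are assumptions the thread does not confirm; `first_match` is there because the same symptom (a Block rule that never fires) also appears when a permissive rule sits above it in the same set.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the four complete log entries quoted in the post, re-joined
# onto one line each (the page wraps them). Entry 89 is cut off on the page.
LOG_LINES = [
    "85 01/15/2005 00:14:03 Firewall rule match: TCP (L to W, rule:3) 192.168.0.5:4485 82.252.31.196:4662 ACCESS FORWARD",
    "86 01/15/2005 00:14:02 Firewall rule match: TCP (L to W, rule:3) 192.168.0.2:3702 172.211.50.125:4662 ACCESS FORWARD",
    "87 01/15/2005 00:14:02 Firewall rule match: UDP (L to W, rule:3) 192.168.0.5:4672 220.134.119.98:4672 ACCESS FORWARD",
    "88 01/15/2005 00:14:02 Firewall rule match: TCP (L to W, rule:3) 192.168.0.2:3738 172.211.164.152:4662 ACCESS FORWARD",
]

LOG_RE = re.compile(
    r"^(?P<idx>\d+) (?P<date>\S+) (?P<time>\S+) Firewall rule match: "
    r"(?P<proto>TCP|UDP) \((?P<frm>[LW]) to (?P<to>[LW]), rule:(?P<rule>\d+)\) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) ACCESS (?P<action>\w+)$"
)

@dataclass(frozen=True)
class Rule:
    number: int
    services: Optional[frozenset]  # {(proto, port)}; None means "Any" service
    action: str                    # "Forward" or "Block"

def service_set(spec: str) -> frozenset:
    """'*Emule2(TCP:4662)*Emule4(UDP:4672)' -> {(proto, port)}; TCP/UDP expands to both."""
    out = set()
    for protos, port in re.findall(r"\((TCP/UDP|TCP|UDP):(\d+)\)", spec):
        for proto in protos.split("/"):
            out.add((proto, int(port)))
    return frozenset(out)

# The two rules the original poster printed, read (following Arthur Hagen's
# hypothesis) as the WAN-to-LAN set.
WAN_TO_LAN = {
    3: Rule(3, service_set("*CallOfDuty5(TCP/UDP:20600)*CallOfDuty1(TCP/UDP:28960)"
                           "*CallOfDuty2(UDP:20500)*CallOfDuty3(UDP:20510)"
                           "*CallOfDuty4(TCP/UDP:20610)"), "Forward"),
    4: Rule(4, service_set("*Emule4(UDP:4672)*Emule3(UDP:4665)"
                           "*Emule2(TCP:4662)*Emule1(TCP:4661)"), "Block"),
}

# Hypothetical LAN-to-WAN set (never shown in the post): a rule 3 forwarding any
# service is the simplest configuration that yields "(L to W, rule:3) ... FORWARD".
LAN_TO_WAN = {3: Rule(3, None, "Forward")}

RULESETS = {"L to W": LAN_TO_WAN, "W to L": WAN_TO_LAN}  # log tag -> rule set (assumed)

def parse_log(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {"rule": int(d["rule"]), "direction": f"{d['frm']} to {d['to']}",
            "proto": d["proto"], "dport": int(d["dport"]), "action": d["action"]}

def rule_covers(rule: Rule, proto: str, port: int) -> bool:
    return rule.services is None or (proto, port) in rule.services

def first_match(rules: dict, proto: str, port: int) -> Optional[Rule]:
    """Top-down first match within one set (assumed order): a permissive rule
    placed above a Block rule means the Block rule never fires for that traffic."""
    for number in sorted(rules):
        if rule_covers(rules[number], proto, port):
            return rules[number]
    return None

def check_entry(entry: dict, rulesets: dict = RULESETS) -> tuple:
    """Look the logged rule number up in the set for the logged direction and
    confirm that rule lists the destination port with the logged action."""
    rule = rulesets.get(entry["direction"], {}).get(entry["rule"])
    key = (entry["proto"], entry["dport"])
    if rule is None:
        return False, f"no rule {entry['rule']} in the '{entry['direction']}' set"
    if not rule_covers(rule, *key):
        return False, f"rule {rule.number} ({entry['direction']}) does not list {key}"
    if rule.action.upper() != entry["action"].upper():
        return False, f"rule {rule.number} says {rule.action}, log says {entry['action']}"
    return True, f"rule {rule.number} ({entry['direction']}) covers {key}: {rule.action}"

def audit(lines) -> list:
    """Per log line: the poster's reading (rule number looked up in the only list
    he printed) next to the direction-aware reading."""
    results = []
    for line in lines:
        entry = parse_log(line)
        if entry is None:
            continue
        naive = WAN_TO_LAN.get(entry["rule"])
        naive_ok = naive is not None and rule_covers(naive, entry["proto"], entry["dport"])
        ok, note = check_entry(entry)
        results.append({"rule": entry["rule"], "dport": entry["dport"],
                        "naive_consistent": naive_ok, "direction_aware": ok, "note": note})
    return results

if __name__ == "__main__":
    print(*audit(LOG_LINES), sep="\n")
```

Run against the four quoted lines, `naive_consistent` is false for every entry (rule 3 of the printed list covers only the Call of Duty ports) while `direction_aware` is true for every entry under the assumed LAN-to-WAN set, which is exactly the discrepancy the original poster reports. The same audit run against the router's real LAN-to-WAN list would settle whether the explanation holds; `first_match(WAN_TO_LAN, "TCP", 4662)` returns the Block rule only because no broader rule precedes it in that set.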
Mungo
Posted: Sat Jan 15, 2005 11:06 am    Post subject: Re: WARNING ! MAJOR SECURITY BREACH ON ZYXEL ROUTER

Patthecat74@hotmail.com (Zyxel) wrote in
news:cbb9a93c.0501141649.237b6f21@posting.google.com:

Quote:
Owners of ZYXEL routers must be informed that there are major
security breaches on the Zyxel routers. The flaw exists whatever the

Strange. We test our various remote Zyxels periodically and have never seen
a security problem (however, the earlier ones were very susceptible to DoS
caused by adjacent unshielded radio transmitters). Zyxel received the ISCA
Cert 3 back in 2002 if I remember correctly.

Unfortunately, they don't come with the best of configuration instructions.
In fact, I don't remember them coming with ANY really coherent
instructions. It sounds like either you have configured it wrong or you
could have a defective unit.


There is a list of all the known issues with the Zyxel products at:

http://www.securityfocus.com/bid (search vendor Zyxel)

The only unpatched issues revolve around remote administration, which
should be avoided on ALL security appliances unless absolutely necessary.
No matter which appliance you end up with, be sure to disable remote
administration.