Some Zyxel devices can be hacked via DNS requests

Experts at SEC Consult discovered several security issues in various Zyxel devices that allow to hack them via unauthenticated DNS requests.

Security researchers at SEC Consult discovered multiple vulnerabilities in various Zyxel devices, including hardcoded credentials and issues that could allow to hack them via unauthenticated DNS requests.

The first issue is an information disclosure flaw via unauthenticated external DNS requests that affect Zyxel devices from the USG, UAG, ATP, VPN and NXC series.

An unauthenticated attacker could exploit the flaw to check whether a domain is present or not via the web login interface. The response will include the IP address of the host if the corresponding domain is present.

“A DNS request can be made by an unauthenticated attacker to either spam a DNS service of a third party with requests that have a spoofed origin or probe whether domain names are present on the internal network behind the firewall,” reads the advisory published by the experts.

SEC Consult researchers also published the PoC code for the vulnerability.

The experts also discovered hardcoded FTP credentials in multiple Zyxel Wi-Fi access points from the NWA, NAP and WAC series.

An attacker could use these credentials to log on to the APs FTP server and steal the configuration file that includes SSIDs and passwords.

“An FTP service runs on the Zyxel wireless access point that contains the configuration file for the WiFi network. This FTP server can be accessed with hardcoded credentials that are embedded in the firmware of the AP. When the WiFi network is bound to another VLAN, an attacker can cross the network by fetching the credentials from the FTP server.” reads the advisory.

Sec Consult experts published the PoC code also for this vulnerability.

The researchers reported the issue to Zyxel at the end of June, the vendor released hotfixes and firmware updates at the end of August.

Zyxel customers have to install the patches and firmware updates released by the vendor for their devices.

Additional technical details, including the lists of the affected devices, are available in the SEC Consult’s advisories.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Zyxel, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.