Executive Summary



This alert is flagged as a CWE/SANS Top 25 Common Weakness Enumeration entry.
Summary
Title: ZyXEL Wireless N300 NetUSB Router NBG-419N devices contain multiple vulnerabilities

Information
Name: VU#939260
First vendor publication: 2014-04-11
Vendor: VU-CERT
Last vendor modification: 2014-04-16
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Environmental score: NA
Impact subscore: NA
Temporal score: NA
Exploitability subscore: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:A/AC:M/Au:N/C:C/I:C/A:C)
CVSS base score: 7.9
CVSS impact score: 10
CVSS exploit score: 5.5
Attack range: Adjacent network
Attack complexity: Medium
Authentication: None required

Detail

Vulnerability Note VU#939260

ZyXEL Wireless N300 NetUSB Router NBG-419N devices contain multiple vulnerabilities

Original Release date: 11 Apr 2014 | Last revised: 16 Apr 2014

Overview

ZyXEL Wireless N300 NetUSB Router NBG-419N running firmware version 1.00(BFQ.6)C0, and possibly earlier versions, is susceptible to multiple vulnerabilities. Other device models that use similar firmware may also be vulnerable.

Description

ZyXEL Wireless N300 NetUSB Router NBG-419N running firmware version 1.00(BFQ.6)C0, and possibly earlier versions, has been reported to contain multiple vulnerabilities.

CWE-425: Direct Request - CVE-2014-0353
Authentication for content located in any subdirectory of the web root may be bypassed by escaping the "/" characters in the URL. For example, curl -v "http://<deviceip>/local%2Fadvance%2Fwlan.asp"
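
The ordering problem behind this class of bypass, as an added example (not code from the advisory or from the device firmware): an access check applied to the raw request path disagrees with a file handler that percent-decodes afterwards. The "subdirectory needs a session" policy, the function names and the 256-byte buffer are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumed policy, modelled on the advisory: anything in a subdirectory of
 * the web root needs a session; top-level pages do not. */
static int in_subdirectory(const char *path) {
    return path[0] == '/' && strchr(path + 1, '/') != NULL;
}

/* Flawed ordering: the policy sees the raw request path, but the file
 * handler later decodes %2F to '/', so the two disagree about the target. */
int requires_auth_raw(const char *raw_path) {
    return in_subdirectory(raw_path);
}

static int hexval(int c) {
    if (isdigit(c)) return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decode src into dst (dstlen > 0). Returns -1 on a malformed
 * escape, an encoded NUL, or output that does not fit. */
int percent_decode(const char *src, char *dst, size_t dstlen) {
    size_t o = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        int c = (unsigned char)src[i];
        if (c == '%') {
            int hi = hexval((unsigned char)src[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[i + 2]);
            if (lo < 0 || hi * 16 + lo == 0) return -1;
            c = hi * 16 + lo;
            i += 2;
        }
        if (o + 1 >= dstlen) return -1;
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return 0;
}

/* Corrected ordering: decode once, fail closed on anything odd, then apply
 * the policy to the same string the file handler will open. */
int requires_auth_canonical(const char *raw_path) {
    char decoded[256];
    if (percent_decode(raw_path, decoded, sizeof decoded) != 0) return 1;
    return in_subdirectory(decoded);
}
```

The decoded string, not the raw one, must also be what the file handler opens; decoding a second time downstream would reintroduce the mismatch.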

CWE-259: Use of Hard-coded Password - CVE-2014-0354
A hard-coded password of qweasdzxc may be used to log in to the index.asp page.

CWE-121: Stack-based Buffer Overflow - CVE-2014-0355
The checkWeather function is vulnerable to a buffer overflow when parsing the forecastrss XML file provided from hxxp://weather.yahooapis.com/forecastrss. The vulnerability may be triggered with the following XML content: <yweather:condition  text="Partly Cloudy"  code="47"  temp="<overflow data goes here>". An attacker would need a man-in-the-middle vantage point to exploit this vulnerability, and the user would need to access index.asp in a web browser to trigger the download.
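
A bounded way to read the condition attributes from such a feed, as an added example (not the firmware's checkWeather code, which the advisory does not show): attribute values are length-checked before copying and then validated as small integers. The function names, the 8-byte buffer and the accepted numeric ranges are assumptions, and the substring search is a simplification rather than a full XML parser.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Copy the value of key="..." from xml into out. Returns 0 on success,
 * -1 if the attribute is missing, unterminated, or longer than outlen - 1.
 * Over-long values are rejected rather than silently truncated. */
int get_attr_bounded(const char *xml, const char *key,
                     char *out, size_t outlen) {
    const char *p = strstr(xml, key);
    if (p == NULL || outlen == 0) return -1;
    p += strlen(key);
    const char *end = strchr(p, '"');
    if (end == NULL) return -1;
    size_t n = (size_t)(end - p);
    if (n >= outlen) return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Read an integer attribute: short fixed buffer, whole-string numeric
 * parse, and a range check (ranges are assumed, not from the advisory). */
static int attr_int(const char *xml, const char *key,
                    long lo, long hi, int *out) {
    char buf[8];
    char *endp;
    if (get_attr_bounded(xml, key, buf, sizeof buf) != 0) return -1;
    errno = 0;
    long v = strtol(buf, &endp, 10);
    if (errno != 0 || endp == buf || *endp != '\0') return -1;
    if (v < lo || v > hi) return -1;
    *out = (int)v;
    return 0;
}

struct condition { int code; int temp; };

/* Parse code and temp from the <yweather:condition> element. Untrusted
 * feed content never reaches a buffer without a length check. */
int parse_condition(const char *xml, struct condition *c) {
    const char *el = strstr(xml, "<yweather:condition");
    if (el == NULL) return -1;
    if (attr_int(el, " code=\"", 0, 3200, &c->code) != 0) return -1;
    return attr_int(el, " temp=\"", -150, 150, &c->temp);
}
```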

The detectWeather function is vulnerable to a buffer overflow of the WeatherCity and WeatherDegree variables.

The UpnpAddRunRLQoS(), UpnpDeleteRunRLQoS(), and UpnpDeletePortCheckType() functions are reported to be vulnerable to a buffer overflow vulnerability.

The udps command SET COUNTRY is reported to be vulnerable to command injection and a buffer overflow.

CWE-78: Improper Neutralization of Special Elements used in an OS Command - CVE-2014-0356
The detectWeather(), set_language(), SystemCommand(), and NTPSyncWithHost() functions in management.c are reported to be vulnerable to command injection.

The udps commands SET COUNTRY, SET WLAN SSID, SET WLAN CHANNEL, SET WLAN STATUS, SET WLAN COUNTRY are reported to be vulnerable to command injection. The udps process is only accessible from the LAN side.
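
How values such as an NTP host or an SSID can be handled without a shell, as an added example (not the code in management.c or udps, which the advisory does not show): a hostname is allow-listed by character, while an SSID, which may legitimately contain shell metacharacters, is only length-checked and passed as a single argv element. The function names and the helper name "ntp-sync-helper" are placeholders.

```c
#include <ctype.h>
#include <spawn.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>

extern char **environ;

/* Hostname allow-list: letters, digits, '-' and '.', 1..253 bytes, and no
 * leading '-' or '.' so the value cannot be read as an option. */
int valid_ntp_host(const char *h) {
    size_t n = strlen(h);
    if (n == 0 || n > 253 || h[0] == '-' || h[0] == '.') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)h[i];
        if (!isalnum(c) && c != '-' && c != '.') return 0;
    }
    return 1;
}

/* An SSID is 1..32 octets of almost anything, so a character allow-list
 * would reject valid names. Only the length is checked here; safety comes
 * from never handing the value to a shell. */
int valid_ssid(const char *s) {
    size_t n = strlen(s);
    return n >= 1 && n <= 32;
}

/* Run argv[0] directly, with no /bin/sh in between: each argv element
 * reaches the program as exactly one argument, whatever bytes it holds.
 * Returns the exit status, or -1 if the program could not be run. */
int run_no_shell(char *const argv[]) {
    pid_t pid;
    int status;
    if (posix_spawnp(&pid, argv[0], NULL, NULL, argv, environ) != 0)
        return -1;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Replacement pattern for a command string built from user input.
 * "ntp-sync-helper" is a placeholder program name. */
int ntp_sync(const char *host) {
    if (!valid_ntp_host(host)) return -1;
    char *const argv[] = { "ntp-sync-helper", "--", (char *)host, NULL };
    return run_no_shell(argv);
}
```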

The CVSS score below was calculated for CVE-2014-0356.

Impact

A remote unauthenticated attacker on the local area network may be able to inject arbitrary commands or run arbitrary code.

Solution

We are currently unaware of a practical solution to this problem. Please consider the following workarounds.

Restrict Access
As a general good security practice, only allow connections from trusted hosts and networks. Do not enable remote management of the device on the WAN interface.

Vendor Information

Vendor | Status | Date Notified | Date Updated
ZyXEL | Affected | 23 Jan 2014 | 10 Mar 2014
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
Base | 7.9 | AV:A/AC:M/Au:N/C:C/I:C/A:C
Temporal | 5.7 | E:U/RL:W/RC:UC
Environmental | 5.7 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

  • http://www.zyxel.com/
  • https://cwe.mitre.org/data/definitions/425.html
  • https://cwe.mitre.org/data/definitions/259.html
  • https://cwe.mitre.org/data/definitions/121.html
  • https://cwe.mitre.org/data/definitions/78.html

Credit

Thanks to the reporter who wishes to remain anonymous for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2014-0353, CVE-2014-0354, CVE-2014-0355, CVE-2014-0356
  • Date Public: 10 Mar 2014
  • Date First Published: 11 Apr 2014
  • Date Last Updated: 16 Apr 2014
  • Document Revision: 22

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/939260

CWE : Common Weakness Enumeration

% | Id | Name
25 % | CWE-287 | Improper Authentication
25 % | CWE-255 | Credentials Management
25 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer
25 % | CWE-78 | Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') (CWE/SANS Top 25)

CPE : Common Platform Enumeration

Type | Description | Count
Hardware | | 1
Os | | 1

Alert History

Date | Information
2014-04-16 17:19:54 | Multiple Updates
2014-04-16 13:27:44 | Multiple Updates
2014-04-15 17:23:37 | Multiple Updates
2014-04-11 21:20:19 | First insertion