Multiple vulnerabilities in Zyxel WiFi products



Published: 2021-05-17 | Updated: 2021-08-03
Risk Low
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2020-24586
CVE-2020-24587
CVE-2020-24588
CWE-ID CWE-20
CWE-451
Exploitation vector Local network
Public exploit N/A
Vulnerable software
Subscribe 		WAH7706
Hardware solutions / Routers for home users

LTE4506-M606
Hardware solutions / Routers for home users

XMG8825-B50A
Hardware solutions / Routers for home users

XMG3927-B50A
Hardware solutions / Routers for home users

VMG8825-T50K
Hardware solutions / Routers for home users

VMG8825-Bx0B
Hardware solutions / Routers for home users

VMG8825-B50A_B60A
Hardware solutions / Routers for home users

VMG8623-T50B
Hardware solutions / Routers for home users

VMG3927-T50K
Hardware solutions / Routers for home users

VMG3927-B50B
Hardware solutions / Routers for home users

VMG3927-B50A_B60A
Hardware solutions / Routers for home users

VMG3625-T50B
Hardware solutions / Routers for home users

VMG1312-T20B
Hardware solutions / Routers for home users

EX5510-B0
Hardware solutions / Routers for home users

EMG6726-B10A
Hardware solutions / Routers for home users

EMG5723-T50K
Hardware solutions / Routers for home users

EMG5523-T50B
Hardware solutions / Routers for home users

EMG3525-T50B
Hardware solutions / Routers for home users

EX3510-B0
Hardware solutions / Routers for home users

VMG4927-B50A
Hardware solutions / Routers for home users

USG60W
Hardware solutions / Firmware

USG40W
Hardware solutions / Firmware

WX3310-B0
Hardware solutions / Firmware

WRE6605
Hardware solutions / Firmware

WRE6602
Hardware solutions / Firmware

WRE6505 v2
Hardware solutions / Firmware

WRE2206
Hardware solutions / Firmware

WAP6806
Hardware solutions / Firmware

WAP6804
Hardware solutions / Firmware

WAP3205 v3
Hardware solutions / Firmware

NWD6605
Hardware solutions / Firmware

NWD6602
Hardware solutions / Firmware

NWD6505
Hardware solutions / Firmware

NBG7815 (Armor G5)
Hardware solutions / Firmware

NBG6818 (Armor G1)
Hardware solutions / Firmware

NBG6817 (Armor Z2)
Hardware solutions / Firmware

NBG6615
Hardware solutions / Firmware

NBG6604
Hardware solutions / Firmware

NBG6515
Hardware solutions / Firmware

NBG-418N v2
Hardware solutions / Firmware

WSR30 (Multy U)
Hardware solutions / Firmware

WSQ60 (Multy Plus)
Hardware solutions / Firmware

WSQ50 (Multy X)
Hardware solutions / Firmware

WSQ20 (Multy Mini)
Hardware solutions / Firmware

AX7501-B0
Hardware solutions / Firmware

WAH7608
Hardware solutions / Firmware

WAH7601
Hardware solutions / Firmware

LTE5388-M804
Hardware solutions / Firmware

LTE5366
Hardware solutions / Firmware

LTE3316-M604(v2)
Hardware solutions / Firmware

LTE3316-M604(v1)
Hardware solutions / Firmware

LTE3302-M432
Hardware solutions / Firmware

LTE3301-PLUS
Hardware solutions / Firmware

LTE3301-M209
Hardware solutions / Firmware

LTE3202-M437
Hardware solutions / Firmware

LTE3202-M430
Hardware solutions / Firmware

LTE2566
Hardware solutions / Firmware

PMG5705-T10A
Hardware solutions / Firmware

P-660HN-51
Hardware solutions / Firmware

EMG3425-Q10A
Hardware solutions / Firmware

USG20W-VPN
Hardware solutions / Firmware

USG FLEX 100W
Hardware solutions / Firmware

ATP100W
Hardware solutions / Firmware

WAX650S
Hardware solutions / Firmware

WAX610D
Hardware solutions / Firmware

WAX510D
Hardware solutions / Firmware

WAC6553D-E
Hardware solutions / Firmware

WAC6552D-S
Hardware solutions / Firmware

WAC6503D-S
Hardware solutions / Firmware

WAC6502D-S
Hardware solutions / Firmware

WAC6502D-E
Hardware solutions / Firmware

WAC6103D-I
Hardware solutions / Firmware

WAC500H
Hardware solutions / Firmware

WAC500
Hardware solutions / Firmware

NWA5123-AC
Hardware solutions / Firmware

NWA210AX
Hardware solutions / Firmware

NWA1302-AC
Hardware solutions / Firmware

NWA1123ACv3
Hardware solutions / Firmware

NWA1123-ACv2
Hardware solutions / Firmware

NWA1123AC PRO
Hardware solutions / Firmware

NWA110AX
Hardware solutions / Firmware

NR7101
Hardware solutions / Firmware

NR5101
Hardware solutions / Firmware

NR2101
Hardware solutions / Firmware

LTE7490-M904
Hardware solutions / Firmware

LTE7485-S905
Hardware solutions / Firmware

LTE7480-S905
Hardware solutions / Firmware

LTE7480-M804
Hardware solutions / Firmware

LTE7461-M602
Hardware solutions / Firmware

LTE7240-M403
Hardware solutions / Firmware

LTE5388-S905
Hardware solutions / Firmware

PMG5622GA
Hardware solutions / Firmware

PMG5617GA
Hardware solutions / Firmware

PMG5317-T20B
Hardware solutions / Firmware

VMG9827-B50A
Hardware solutions / Firmware

EX5501-B0
Hardware solutions / Firmware

EMG8726-B50A
Hardware solutions / Firmware

EMG1702-T10A
Hardware solutions / Firmware

DX4510-B0
Hardware solutions / Firmware

EMG3524-T10A
Hardware solutions / Firmware

WAC6303D-S
Hardware solutions / Firmware

WAC5302D-Sv2
Hardware solutions / Firmware

WAC5302D-S
Hardware solutions / Firmware

NWA5123-AC HD
Hardware solutions / Firmware

NWA1123-AC HD
Hardware solutions / Firmware

Vendor ZyXEL Communications Corp.

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Input validation error

EUVDB-ID: #VU53154

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-24586

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in the 802.11 standard due to the affected device does not clear its cache/memory to remove fragments of an incomplete MSDU/MMPDU from previous session after reconnection/reassociation. A remote attacker on the local network can perform a fragment cache attack and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

WAH7706: All versions

LTE4506-M606: All versions

USG60W: All versions

USG40W: All versions

WX3310-B0: before 1.00(ABSF.2)C0

WRE6605: All versions

WRE6602: All versions

WRE6505 v2: All versions

WRE2206: All versions

WAP6806: All versions

WAP6804: All versions

WAP3205 v3: All versions

NWD6605: All versions

NWD6602: All versions

NWD6505: All versions

NBG7815 (Armor G5): All versions

NBG6818 (Armor G1): All versions

NBG6817 (Armor Z2): All versions

NBG6615: All versions

NBG6604: All versions

NBG6515: All versions

NBG-418N v2: All versions

WSR30 (Multy U): All versions

WSQ60 (Multy Plus): All versions

WSQ50 (Multy X): All versions

WSQ20 (Multy Mini): All versions

AX7501-B0: All versions

WAH7608: All versions

WAH7601: All versions

LTE5388-M804: All versions

LTE5366: All versions

LTE3316-M604(v2): All versions

LTE3316-M604(v1): All versions

LTE3302-M432: All versions

LTE3301-PLUS: All versions

LTE3301-M209: All versions

LTE3202-M437: All versions

LTE3202-M430: All versions

LTE2566: All versions

PMG5705-T10A: All versions

P-660HN-51: All versions

EMG3425-Q10A: All versions

USG20W-VPN: All versions

USG FLEX 100W: All versions

ATP100W: All versions

WAX650S: All versions

WAX610D: All versions

WAX510D: All versions

WAC6553D-E: All versions

WAC6552D-S: All versions

WAC6503D-S: All versions

WAC6502D-S: All versions

WAC6502D-E: All versions

WAC6103D-I: All versions

WAC500H: All versions

WAC500: All versions

NWA5123-AC: All versions

NWA210AX: All versions

NWA1302-AC: All versions

NWA1123ACv3: All versions

NWA1123-ACv2: All versions

NWA1123AC PRO: All versions

NWA110AX: All versions

NR7101: before 1.00(ABUV.4)C0

NR5101: before 1.00(ABVC.3)C0

NR2101: before 1.00(ABUS.5)C0

LTE7490-M904: before 1.00(ABQY.3)C0

LTE7485-S905: before 1.00(ABVN.5)C0

LTE7480-S905: before 2.00(ABQT.5)C0

LTE7480-M804: before 1.00(ABRA.3)C0

LTE7461-M602: before 2.00(ABQN.4)C0

LTE7240-M403: before 2.00(ABMG.4)C0

LTE5388-S905: before 1.00(ABVI.5)C0

PMG5622GA: before 5.40(ABNB.2)

PMG5617GA: before 5.40(ABNA.2)

PMG5317-T20B: before 5.40(ABKI.4)

XMG8825-B50A: before 5.17(ABMT.6)C0

XMG3927-B50A: before 5.17(ABMT.6)C0

VMG9827-B50A: before 5.13(ABLY.6)C0

VMG8825-T50K: before 5.50(ABOM.7)C0

VMG8825-Bx0B: before 5.17(ABNY.7)C0

VMG8825-B50A_B60A: before 5.17(ABMT.6)C0

VMG8623-T50B: before 5.50(ABPM.6)C0

VMG3927-T50K: before 5.50(ABOM.7)C0

VMG3927-B50B: before 5.13(ABLY.6)C0

VMG3927-B50A_B60A: before 5.17(ABMT.6)C0

VMG3625-T50B: before 5.50(ABPM.6)C0

VMG1312-T20B: before 5.50(ABSB.5)C0

EX5510-B0: before 5.15(ABQX.5)C0

EX5501-B0: before 5.17(ABRY.2)C0

EMG8726-B50A: before 5.13(ABNP.6)C0

EMG6726-B10A: before 5.13(ABNP.6)C0

EMG5723-T50K: before 5.50(ABOM.7)C0

EMG5523-T50B: before 5.50(ABSL.0)C0

EMG1702-T10A: before 1.00(ABNZ.1)C0

DX4510-B0: before 5.17(ABYL.0)C0

EMG3525-T50B: before 5.50(ABSL.0)C0

EMG3524-T10A: before 5.41(ABXU.1)C0

WAC6303D-S: before 6.25(ABGL.0)

WAC5302D-Sv2: before 6.25(ABVZ.0)

WAC5302D-S: before 6.25(ABFH.8)

NWA5123-AC HD: before 6.25(ABIM.0)

NWA1123-AC HD: before 6.25(ABIN.0)

EX3510-B0: before V5.17(ABUP.3)C0

VMG4927-B50A: before V5.13(ABLY.6)C0

External links

http://www.zyxel.com/support/Zyxel_security_advisory_for_FragAttacks_against_WiFi_products.shtml


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Information disclosure

EUVDB-ID: #VU53096

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-24587

CWE-ID: N/A

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in Windows Wireless Networking. A remote attacker on the local network can gain unauthorized access to sensitive information on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

WAH7706: All versions

LTE4506-M606: All versions

USG60W: All versions

USG40W: All versions

WX3310-B0: before 1.00(ABSF.2)C0

WRE6605: All versions

WRE6602: All versions

WRE6505 v2: All versions

WRE2206: All versions

WAP6806: All versions

WAP6804: All versions

WAP3205 v3: All versions

NWD6605: All versions

NWD6602: All versions

NWD6505: All versions

NBG7815 (Armor G5): All versions

NBG6818 (Armor G1): All versions

NBG6817 (Armor Z2): All versions

NBG6615: All versions

NBG6604: All versions

NBG6515: All versions

NBG-418N v2: All versions

WSR30 (Multy U): All versions

WSQ60 (Multy Plus): All versions

WSQ50 (Multy X): All versions

WSQ20 (Multy Mini): All versions

AX7501-B0: All versions

WAH7608: All versions

WAH7601: All versions

LTE5388-M804: All versions

LTE5366: All versions

LTE3316-M604(v2): All versions

LTE3316-M604(v1): All versions

LTE3302-M432: All versions

LTE3301-PLUS: All versions

LTE3301-M209: All versions

LTE3202-M437: All versions

LTE3202-M430: All versions

LTE2566: All versions

PMG5705-T10A: All versions

P-660HN-51: All versions

EMG3425-Q10A: All versions

USG20W-VPN: All versions

USG FLEX 100W: All versions

ATP100W: All versions

WAX650S: All versions

WAX610D: All versions

WAX510D: All versions

WAC6553D-E: All versions

WAC6552D-S: All versions

WAC6503D-S: All versions

WAC6502D-S: All versions

WAC6502D-E: All versions

WAC6103D-I: All versions

WAC500H: All versions

WAC500: All versions

NWA5123-AC: All versions

NWA210AX: All versions

NWA1302-AC: All versions

NWA1123ACv3: All versions

NWA1123-ACv2: All versions

NWA1123AC PRO: All versions

NWA110AX: All versions

NR7101: before 1.00(ABUV.4)C0

NR5101: before 1.00(ABVC.3)C0

NR2101: before 1.00(ABUS.5)C0

LTE7490-M904: before 1.00(ABQY.3)C0

LTE7485-S905: before 1.00(ABVN.5)C0

LTE7480-S905: before 2.00(ABQT.5)C0

LTE7480-M804: before 1.00(ABRA.3)C0

LTE7461-M602: before 2.00(ABQN.4)C0

LTE7240-M403: before 2.00(ABMG.4)C0

LTE5388-S905: before 1.00(ABVI.5)C0

PMG5622GA: before 5.40(ABNB.2)

PMG5617GA: before 5.40(ABNA.2)

PMG5317-T20B: before 5.40(ABKI.4)

XMG8825-B50A: before 5.17(ABMT.6)C0

XMG3927-B50A: before 5.17(ABMT.6)C0

VMG9827-B50A: before 5.13(ABLY.6)C0

VMG8825-T50K: before 5.50(ABOM.7)C0

VMG8825-Bx0B: before 5.17(ABNY.7)C0

VMG8825-B50A_B60A: before 5.17(ABMT.6)C0

VMG8623-T50B: before 5.50(ABPM.6)C0

VMG3927-T50K: before 5.50(ABOM.7)C0

VMG3927-B50B: before 5.13(ABLY.6)C0

VMG3927-B50A_B60A: before 5.17(ABMT.6)C0

VMG3625-T50B: before 5.50(ABPM.6)C0

VMG1312-T20B: before 5.50(ABSB.5)C0

EX5510-B0: before 5.15(ABQX.5)C0

EX5501-B0: before 5.17(ABRY.2)C0

EMG8726-B50A: before 5.13(ABNP.6)C0

EMG6726-B10A: before 5.13(ABNP.6)C0

EMG5723-T50K: before 5.50(ABOM.7)C0

EMG5523-T50B: before 5.50(ABSL.0)C0

EMG1702-T10A: before 1.00(ABNZ.1)C0

DX4510-B0: before 5.17(ABYL.0)C0

EMG3525-T50B: before 5.50(ABSL.0)C0

EMG3524-T10A: before 5.41(ABXU.1)C0

WAC6303D-S: before 6.25(ABGL.0)

WAC5302D-Sv2: before 6.25(ABVZ.0)

WAC5302D-S: before 6.25(ABFH.8)

NWA5123-AC HD: before 6.25(ABIM.0)

NWA1123-AC HD: before 6.25(ABIN.0)

EX3510-B0: before V5.17(ABUP.3)C0

VMG4927-B50A: before V5.13(ABLY.6)C0

External links

http://www.zyxel.com/support/Zyxel_security_advisory_for_FragAttacks_against_WiFi_products.shtml


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Spoofing attack

EUVDB-ID: #VU53098

Risk: Low

CVSSv3.1: 4.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-24588

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to incorrect processing of user-supplied data in Windows Wireless Networking. A remote attacker on the local network can spoof page content.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

WAH7706: All versions

LTE4506-M606: All versions

USG60W: All versions

USG40W: All versions

WX3310-B0: before 1.00(ABSF.2)C0

WRE6605: All versions

WRE6602: All versions

WRE6505 v2: All versions

WRE2206: All versions

WAP6806: All versions

WAP6804: All versions

WAP3205 v3: All versions

NWD6605: All versions

NWD6602: All versions

NWD6505: All versions

NBG7815 (Armor G5): All versions

NBG6818 (Armor G1): All versions

NBG6817 (Armor Z2): All versions

NBG6615: All versions

NBG6604: All versions

NBG6515: All versions

NBG-418N v2: All versions

WSR30 (Multy U): All versions

WSQ60 (Multy Plus): All versions

WSQ50 (Multy X): All versions

WSQ20 (Multy Mini): All versions

AX7501-B0: All versions

WAH7608: All versions

WAH7601: All versions

LTE5388-M804: All versions

LTE5366: All versions

LTE3316-M604(v2): All versions

LTE3316-M604(v1): All versions

LTE3302-M432: All versions

LTE3301-PLUS: All versions

LTE3301-M209: All versions

LTE3202-M437: All versions

LTE3202-M430: All versions

LTE2566: All versions

PMG5705-T10A: All versions

P-660HN-51: All versions

EMG3425-Q10A: All versions

USG20W-VPN: All versions

USG FLEX 100W: All versions

ATP100W: All versions

WAX650S: All versions

WAX610D: All versions

WAX510D: All versions

WAC6553D-E: All versions

WAC6552D-S: All versions

WAC6503D-S: All versions

WAC6502D-S: All versions

WAC6502D-E: All versions

WAC6103D-I: All versions

WAC500H: All versions

WAC500: All versions

NWA5123-AC: All versions

NWA210AX: All versions

NWA1302-AC: All versions

NWA1123ACv3: All versions

NWA1123-ACv2: All versions

NWA1123AC PRO: All versions

NWA110AX: All versions

NR7101: before 1.00(ABUV.4)C0

NR5101: before 1.00(ABVC.3)C0

NR2101: before 1.00(ABUS.5)C0

LTE7490-M904: before 1.00(ABQY.3)C0

LTE7485-S905: before 1.00(ABVN.5)C0

LTE7480-S905: before 2.00(ABQT.5)C0

LTE7480-M804: before 1.00(ABRA.3)C0

LTE7461-M602: before 2.00(ABQN.4)C0

LTE7240-M403: before 2.00(ABMG.4)C0

LTE5388-S905: before 1.00(ABVI.5)C0

PMG5622GA: before 5.40(ABNB.2)

PMG5617GA: before 5.40(ABNA.2)

PMG5317-T20B: before 5.40(ABKI.4)

XMG8825-B50A: before 5.17(ABMT.6)C0

XMG3927-B50A: before 5.17(ABMT.6)C0

VMG9827-B50A: before 5.13(ABLY.6)C0

VMG8825-T50K: before 5.50(ABOM.7)C0

VMG8825-Bx0B: before 5.17(ABNY.7)C0

VMG8825-B50A_B60A: before 5.17(ABMT.6)C0

VMG8623-T50B: before 5.50(ABPM.6)C0

VMG3927-T50K: before 5.50(ABOM.7)C0

VMG3927-B50B: before 5.13(ABLY.6)C0

VMG3927-B50A_B60A: before 5.17(ABMT.6)C0

VMG3625-T50B: before 5.50(ABPM.6)C0

VMG1312-T20B: before 5.50(ABSB.5)C0

EX5510-B0: before 5.15(ABQX.5)C0

EX5501-B0: before 5.17(ABRY.2)C0

EMG8726-B50A: before 5.13(ABNP.6)C0

EMG6726-B10A: before 5.13(ABNP.6)C0

EMG5723-T50K: before 5.50(ABOM.7)C0

EMG5523-T50B: before 5.50(ABSL.0)C0

EMG1702-T10A: before 1.00(ABNZ.1)C0

DX4510-B0: before 5.17(ABYL.0)C0

EMG3525-T50B: before 5.50(ABSL.0)C0

EMG3524-T10A: before 5.41(ABXU.1)C0

WAC6303D-S: before 6.25(ABGL.0)

WAC5302D-Sv2: before 6.25(ABVZ.0)

WAC5302D-S: before 6.25(ABFH.8)

NWA5123-AC HD: before 6.25(ABIM.0)

NWA1123-AC HD: before 6.25(ABIN.0)

EX3510-B0: before V5.17(ABUP.3)C0

VMG4927-B50A: before V5.13(ABLY.6)C0

External links

http://www.zyxel.com/support/Zyxel_security_advisory_for_FragAttacks_against_WiFi_products.shtml


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###