Improper Authorization in NBG7510

#VU70458 Improper Authorization in NBG7510

Published: 2022-12-21

Vulnerability identifier: #VU70458

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-38546

CWE-ID: CWE-285

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
NBG7510
Hardware solutions / Routers for home users

Vendor:

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to a DNS misconfiguration. A remote non-authenticated attacker can perform DNS-related attacks, such as DNS tunneling or DNS amplification attacks, by using the open DNS resolver when the device is switched to the AP mode.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

External links
http://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-dns-misconfiguration-in-nbg7510-home-router

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

DNS misconfiguration in Zyxel NBG7510 home router