A reflected Cross-Site Scripting vulnerability, CVE-2019-9955, was identified on several Zyxel devices, specifically on pages that use the mp_idx parameter. The affected pages (listed later in this report) do not require authentication.
The issue was identified during a network-layer penetration test performed by SecurityMetrics, Inc. During this assessment, several Zyxel devices appeared on the customer's port scan. Login pages (similar to the screenshot shown below) were accessible.
Zyxel documentation was used to determine valid parameters (including web_portal_html_guide.pdf [ftp://ftp.zyxel.it/guide/hotspot/uag2100_4100_5100_web_portal_html_guide.pdf], as shown below).
A request such as:
Specifies an mp_idx parameter which is included unsanitized in the page:
Affected Pages and Devices
Additional devices and pages may also be vulnerable. However, this issue was identified during a black-box test: credentials were not provided, pages requiring authentication were not tested, and additional devices were not available for testing.
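
For defenders reviewing web server or proxy logs in front of these devices, the following sketch flags requests whose mp_idx value is not a plain token, including values hidden behind repeated percent-encoding. It is an added example, not code from SecurityMetrics or Zyxel; the allow-list pattern, the combined log format and the /example_page.cgi path are assumptions, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: legitimate mp_idx values are short alphanumeric tokens.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{1,32}")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding so %253C is seen as '<'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_mp_idx(log_line):
    """Return the decoded mp_idx values in a log line that fail the allow-list."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    query = urlsplit(match.group(1)).query
    # parse_qs removes one encoding layer; blank values are kept and flagged too.
    values = parse_qs(query, keep_blank_values=True).get("mp_idx", [])
    decoded = [decode_fully(v) for v in values]
    return [v for v in decoded if not SAFE_VALUE.fullmatch(v)]

def scan(lines):
    """Return (line_number, offending_values) for every flagged entry."""
    hits = []
    for number, line in enumerate(lines, start=1):
        bad = suspicious_mp_idx(line)
        if bad:
            hits.append((number, bad))
    return hits

# Constructed sample log lines; /example_page.cgi is a placeholder path.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Apr/2019:10:00:00 +0000] "GET /example_page.cgi?mp_idx=2 HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Apr/2019:10:00:05 +0000] "GET /example_page.cgi?mp_idx=%3Cscript%3E HTTP/1.1" 200 530',
    '198.51.100.9 - - [01/Apr/2019:10:00:09 +0000] "GET /example_page.cgi?mp_idx=%253Cscript%253E HTTP/1.1" 200 530',
    '198.51.100.3 - - [01/Apr/2019:10:01:00 +0000] "GET /example_page.cgi?lang=en HTTP/1.1" 200 498',
]

if __name__ == "__main__":
    for number, bad in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious mp_idx {bad!r}")
```

Tighten SAFE_VALUE to the values the deployed pages actually use once those are known; a stricter allow-list reduces missed variants.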