Researchers at SEC Consult have identified a number of vulnerabilities in various devices of the major network equipment manufacturer Zyxel. Vulnerabilities related to sending unauthenticated DNS queries and embedded FTP credentials.
The first vulnerability affects USG, UAG, ATP, VPN and NXC series network security devices and is associated with information disclosure through unauthenticated DNS queries.Exploitation of the vulnerability allows an unauthorized user to check for a domain through a web-based interface.
“Using a DNS query, an unauthorized attacker can send a lot of queries from a fake source to a third-party DNS service or check for domain names on an internal network protected by a firewall”, – noted the researchers.
Researchers also found the presence of embedded FTP credentials at several NWA, NAP, and WAC Wi-Fi access points.
Read also: Foxit Software Alerts Users About Compromise
Using this data, the attacker can log in to the FTP server and obtain a configuration file containing the SSID and passwords that allow access to secure networks.
“The FTP service runs on the Zyxel Wireless Access Point, which contains the configuration file for the Wi-Fi network. This FTP server can be accessed using the credentials built into the firmware of the access point. When connecting to a Wi-Fi network to another VLAN, an attacker can move across the network by stealing credentials from an FTP server”, – the researchers noted.
In late August, Zyxel released firmware updates that address vulnerabilities, as well as temporary patches for some devices. For them, updates will be available in few months.