Zyxel to issue fix for CERT VU#870744 Vulnerabilities


The vulnerabilities recently identified in note VU#870744 of the CERT Vulnerability Notes Database affect Zyxel products. Zyxel is aware of the vulnerabilities, which affect three products. Zyxel assures customers that the remaining Zyxel products currently on the market are not impacted. Solutions specific to each vulnerability are as follows:

CVE-2015-6016:

Zyxel suggests that users of all products change the default password upon initial log-in. This is critical to protecting your network, because it keeps unauthorized users from gaining access via the default password. Zyxel has included reminders for this practice on a majority of products. Changing the default password upon initial log-in is mandatory for the Zyxel USG/ZyWALL, UAG, and LTE Series.

CVE-2015-6017:

Model P660HW-T1 v2 (ZyNOS V3.40) was designated “end-of-life” on May 14, 2010. Zyxel assigns a product an “end-of-life” status when there is a clear indication that the market has transitioned to its replacement. This replacement generally offers more advanced technology and/or better economics.

Zyxel recommends that users replace the P660HW-T1 v2 with a newer generation of DSL CPE that better suits today's network environment. Alternatively, as a good general security practice, Zyxel suggests that users avoid visiting untrusted sites or clicking on unsolicited links. Users should also keep their browser, computer operating system, and security software current with the latest patches and updates.

CVE-2015-6018:

This issue was patched via a firmware update in December 2014 [version v1.00(AANC.2)C0], which included feature enhancements as well as bug and security fixes. Zyxel recommends that users obtain the latest update.


CVE-2015-6019 & CVE-2015-6020:

Zyxel has identified the root causes and will release a patch for the PMG5318-B20A in October 2015 to solve the session expiration and authorization issues.

Vulnerability    Affected Model    Status & Fix
CVE-2015-6016    P660HW-T1 v2      End-of-life
                 PMG5318-B20A      Suggest users change default password upon initial log-in
                 NBG-418N          Suggest users change default password upon initial log-in
                 NBG334W           Suggest users change default password upon initial log-in
CVE-2015-6017    P660HW-T1 v2      End-of-life
CVE-2015-6018    PMG5318-B20A      Issue already fixed in Dec. 2014 via firmware v1.00(AANC.2)C0
CVE-2015-6019    PMG5318-B20A      Fix available in October 2015
CVE-2015-6020    PMG5318-B20A      Fix available in October 2015

Please contact your local service or sales representative if you require any further assistance.