Your browser either does not support JavaScript or you have turned JavaScript off.

Zyxel security advisory for vulnerabilities related to the Free Time feature

CVE: CVE-2019-12581, CVE-2019-12583


Summary

Zyxel security firewalls and hotspot gateways that support the Free Time WiFi hotspot feature are susceptible to a cross-site scripting and a security misconfiguration vulnerability. Users are advised to install the applicable hotfixes for optimal protection.


What is the vulnerability?

A reflected cross-site scripting vulnerability had previously been identified in the "free_time_failed.cgi" program in specific security firewalls and hotspot gateways equipped with hotspot functionality. The vulnerability could allow an attacker to obtain browser cookies of the hotspot guest user account without authentication.

A security misconfiguration vulnerability, recently found in the "free_time.cgi" program, could allow an attacker to generate guest accounts even if the Free Time feature is disabled.

It is important to note that the hotspot guest user account is solely designed to provide hotspot guest users with temporary internet access on certain select web pages. It is the least-privileged account of the affected devices, and the hotspot user group is entirely independent and isolated from the device administrative user group in our design. By default, our firewall policy would block hotspot users from accessing the device's administrative interface. This means even if the vulnerability is exploited, the attacker will not be able to remotely access or change the administrative settings of the device.


What should you do?

We’ve identified the vulnerable products, as listed in the table below and will release hotfix or standard patch firmware to fix the issue. We urge users to install them for optimal protection.


Device affected Hotfix availability Standard availability
UAG2100 ZLD4.18 Wk46 by Nov. 22, 2019 N/A
UAG4100 ZLD4.18 Wk46 by Nov. 22, 2019 N/A
UAG5100 ZLD4.18 Wk46 by Nov. 22, 2019 N/A
USG60/USG60W N/A ZLD4.35 Patch 2 in Dec. 2019
USG110 N/A ZLD4.35 Patch 2 in Dec. 2019
USG210 N/A ZLD4.35 Patch 2 in Dec. 2019
USG310 N/A ZLD4.35 Patch 2 in Dec. 2019
USG1100 N/A ZLD4.35 Patch 2 in Dec. 2019
USG1900 N/A ZLD4.35 Patch 2 in Dec. 2019
USG2200/USG2200-VPN N/A ZLD4.35 Patch 2 in Dec. 2019
ZyWALL 110 N/A ZLD4.35 Patch 2 in Dec. 2019
ZyWALL 310 N/A ZLD4.35 Patch 2 in Dec. 2019
ZyWALL 1100 N/A ZLD4.35 Patch 2 in Dec. 2019
VPN50 N/A ZLD4.35C0 in Jan. 2020
VPN100 N/A ZLD4.35C0 in Jan. 2020
VPN300 N/A ZLD4.35C0 in Jan. 2020

Got a question or a tipoff?

Please contact your local service rep for further information or assistance. If you’ve found a vulnerability, we want to work with you to fix it—contact security@zyxel.com.tw and we’ll get right back to you.


Acknowledgement


Revision history

2018-04-17: Initial release

2019-06-27: Added the security misconfiguration vulnerability details and updated the list of affected models

2019-11-04: Modified the firmware release schedule due to a bug in the previous patch firmware