CVE: CVE-2019-12581, CVE-2019-12583
Zyxel security firewalls and hotspot gateways that support the Free Time WiFi hotspot feature are susceptible to a cross-site scripting and a security misconfiguration vulnerability. Users are advised to install the applicable hotfixes for optimal protection.
What is the vulnerability?
A reflected cross-site scripting vulnerability had previously been identified in the "free_time_failed.cgi" program in specific security firewalls and hotspot gateways equipped with hotspot functionality. The vulnerability could allow an attacker to obtain browser cookies of the hotspot guest user account without authentication.
A security misconfiguration vulnerability, recently found in the "free_time.cgi" program, could allow an attacker to generate guest accounts even if the Free Time feature is disabled.
It is important to note that the hotspot guest user account is solely designed to provide hotspot guest users with temporary internet access on certain select web pages. It is the least-privileged account of the affected devices, and the hotspot user group is entirely independent and isolated from the device administrative user group in our design. By default, our firewall policy would block hotspot users from accessing the device's administrative interface. This means even if the vulnerability is exploited, the attacker will not be able to remotely access or change the administrative settings of the device.
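The two issue classes named above, a reflected parameter echoed into HTML without encoding and an account-creation action that is not gated on the feature being enabled, modelled side by side with their hardened forms. This is an added illustrative example, not Zyxel firmware code; the handler names, the `reason` and `action` parameters, the cookie name and the configuration key are all assumptions.

```python
"""Model of a hotspot 'login failed' page and a guest-account action.
Constructed example for illustration; not Zyxel firmware code.
Parameter names, cookie name and config key are assumptions."""
import html
import secrets
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Constructed device state: the Free Time feature switch and a guest store.
DEVICE_CONFIG = {"free_time_enabled": False}
GUEST_ACCOUNTS = {}


def parse_query(query_string):
    """Return the first value of each query parameter (assumed helper)."""
    parsed = parse_qs(query_string, keep_blank_values=True)
    return {key: values[0] for key, values in parsed.items()}


def render_failed_page_unsafe(query_string):
    """Vulnerable pattern: the 'reason' parameter is reflected verbatim,
    so any markup supplied in the URL becomes part of the rendered page."""
    reason = parse_query(query_string).get("reason", "")
    return f"<html><body><p>Login failed: {reason}</p></body></html>"


def render_failed_page_safe(query_string):
    """Hardened pattern: every reflected value is HTML-entity encoded.
    quote=True also encodes quotes, so the value is safe inside attributes."""
    reason = html.escape(parse_query(query_string).get("reason", ""), quote=True)
    return f"<html><body><p>Login failed: {reason}</p></body></html>"


def guest_cookie_header(session_id):
    """Set-Cookie for the guest session. HttpOnly keeps page script from
    reading it, which limits what a reflected XSS can exfiltrate."""
    return (f"Set-Cookie: hotspot_guest={session_id}; Path=/; "
            "HttpOnly; Secure; SameSite=Strict")


def create_guest_account(minutes=30):
    """Mint a short-lived guest account (constructed storage)."""
    username = "guest-" + secrets.token_hex(4)
    expires = datetime.now(timezone.utc) + timedelta(minutes=minutes)
    GUEST_ACCOUNTS[username] = expires
    return username, expires


def handle_free_time_request(config, query_string):
    """Hardened entry point: the feature switch is enforced server-side on
    every request, not only hidden in the UI. Returns (status, body)."""
    params = parse_query(query_string)
    if params.get("action") != "create":
        return 400, "unknown action"
    if not config.get("free_time_enabled", False):
        return 403, "Free Time feature is disabled"
    username, expires = create_guest_account()
    return 200, f"{username} valid until {expires.isoformat()}"


if __name__ == "__main__":
    demo = "reason=%3Cscript%3E1%3C/script%3E"
    print(render_failed_page_unsafe(demo))
    print(render_failed_page_safe(demo))
    print(handle_free_time_request(DEVICE_CONFIG, "action=create"))
```

The point of the second handler is that disabling a feature in the configuration is only effective if the CGI that performs the privileged action checks that switch itself; hiding the link in the captive-portal page is not a control.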
What should you do?
After a thorough investigation, we've identified the vulnerable products, as listed in the table below. Hotfixes are now available for those devices, and we will include patches in their next regular firmware release. We urge users to install them for optimal protection.
| Device affected | Hotfix availability | Standard availability |
| --- | --- | --- |
| USG110 | | ZLD4.35 in Oct. 2019 |
| USG210 | | ZLD4.35 in Oct. 2019 |
| USG310 | | ZLD4.35 in Oct. 2019 |
| USG1100 | | ZLD4.35 in Oct. 2019 |
| USG1900 | | ZLD4.35 in Oct. 2019 |
| USG2200-VPN | | ZLD4.35 in Oct. 2019 |
| ZyWALL 110 | | ZLD4.35 in Oct. 2019 |
| ZyWALL 310 | | ZLD4.35 in Oct. 2019 |
| ZyWALL 1100 | | ZLD4.35 in Oct. 2019 |
| VPN100 | | SD-OS v10.02 patch 1 in Jun. 2019 |
| VPN300 | | SD-OS v10.02 patch 1 in Jun. 2019 |
Got a question or a tipoff?
Please contact your local service rep for further information or assistance. If you’ve found a vulnerability, we want to work with you to fix it—contact firstname.lastname@example.org and we’ll get right back to you.
2018-04-17: Initial release
2019-06-27: Added the security misconfiguration vulnerability details and updated the list of affected models