It seems that some ZyXEL regional offices have reacted and reworked the configuration of all P642R firmware releases. Their fixed firmware is available at ftp://ftp.europe.zyxel.com/ . Unfortunately, there seems to be a bit of a release managment problem within ZyXEL; the fixed firmware is some releases older than the latest firmware available from the Swiss ZyXEL distributor, Studerus AG, at http://www.zyxel.ch/ . This also confirms that the firmware that was fixed after Sean Boran reported this issue to ZyXEL Switzerland in June/July was only available within Switzerland, and not elsewhere. Here's the details: ftp.europe.zyxel.com www.zyxel.ch R-11 v2.50(AJ.2)r2 09/01/2000 v2.50(AJ.4)C0 07/03/2001 RI-13 v2.50(AL.0)r2 08/08/2000 v2.50(AL.2)b2 05/22/2001 R-61 v2.50(AN.1)r2 02/02/2001 - The dates are the release dates of the -firmware- as stated in the release notes, not the last change of the default config rom. The following is forwarded with the express permission of Manfred Recla at ZyXEL Austria <mrat_private> Cheers, Dan BTW: I keep a list of relevant URL's on this issue up to date at http://www.roe.ch/bugtraq/3161/ [this is a forwarded message] From: ZyXEL.AT, Manfred Recla <mrat_private> To: danielat_private <danielat_private> Date: Tuesday, August 14, 2001, 3:10:55 PM Subject: Fw: ZyXEL Prestige 642 Router Administration Interface Vulnerability --- begin of original message --- ----- Original Message ----- From: "ZyXEL.AT, Manfred Recla" <mrat_private> To: "Jimmy Jensen" <jjat_private>; <fchangat_private> Cc: <chfanat_private>; <mtsengat_private>; "ZASTECH" <zastechat_private>; "FAE @ ZyXEL Europe" <faeat_private> Sent: Tuesday, August 14, 2001 3:10 PM Subject: Re: ZyXEL Prestige 642 Router Administration Interface Vulnerability ooops, I found one minor bug in my filter "plug-in" settings in menu 11.5, if the device filter set #4 (PPPoE) is set, then no normal PPPoA traffic can work. So I removed that #4 from menu 11.5 now again and uploaded for all three models P641R11, P642R13 and P642R61 the revision "r2" to our FTP server. best regards, Manfred Recla (ZyXEL Austria - Technical Support) ********************************************************** ZyXEL Communications Services GmbH. Thaliastrasse 125a/2/2/4 A-1160 Vienna, AUSTRIA Tel: +43-1-4948677-0, Fax: +43-1-4948678 Hotline: 0810-1-ZyXEL (= 0810-1-99935), Regionaltarif eMail: supportat_private ********************************************************** ----- Original Message ----- From: "ZyXEL.AT, Manfred Recla" <mrat_private> To: "Jimmy Jensen" <jjat_private>; <fchangat_private> Cc: <chfanat_private>; <mtsengat_private>; "ZASTECH" <zastechat_private>; "FAE @ ZyXEL Europe" <faeat_private> Sent: Tuesday, August 14, 2001 2:15 PM Subject: Re: ZyXEL Prestige 642 Router Administration Interface Vulnerability Dear all, I reworked the default config files for the routers and uploaded the files to our FTP server now. P642R-11 ..... v2.50(AJ.2)r1 P642R-13 ..... v2.50(AL.0)r1 P642R-61 ..... v2.50(AN.1)r1 the added extension "r1" means "revision 1" (or also "recla 1"). I modified and added the filters in menu 21 and inserted them to 3.1 and 11.5 and I slightly modified the autoexec.net as described below. In menu 21 I defined following filter sets: ------------------------------------------- #1) NetBIOS_LAN #2) NetBIOS_WAN #3) TEL_FTP_WEB_WAN #4) PPPoE #5) SNMP_WAN In menu 3.1) "General Ethernet Setup" -------------------------------------- Input Filter Sets: protocol filters= 2 device filters= Output Filter Sets: protocol filters= device filters= In menu 11.5) "Remote Node Filter" ------------------------------------ Input Filter Sets: protocol filters= 5, 3 device filters= 4 Output Filter Sets: protocol filters= 1 device filters= sys edit autoexec.net --------------------- sys errctl 0 sys trcl level 5 sys trcl type 1180 sys trcp cr 64 96 sys trcl sw off <<<- modified from "on" to "off" sys trcp sw off <<<- modified from "on" to "off" ip tcp mss 512 ip tcp limit 2 ip tcp irtt 65000 ip tcp window 2 ip tcp ceiling 6000 ip rip activate ip rip merge on ip icmp discovery enif0 off sys wd sw off <<--- added this line ppp ipcp compress off <<--- added this line EOF best regards, Manfred Recla (ZyXEL Austria - Technical Support) ********************************************************** ZyXEL Communications Services GmbH. Thaliastrasse 125a/2/2/4 A-1160 Vienna, AUSTRIA Tel: +43-1-4948677-0, Fax: +43-1-4948678 Hotline: 0810-1-ZyXEL (= 0810-1-99935), Regionaltarif eMail: supportat_private ********************************************************** ----- Original Message ----- From: "Jimmy Jensen" <jjat_private> To: <fchangat_private> Cc: <chfanat_private>; <mtsengat_private>; <mrat_private>; "ZASTECH" <zastechat_private> Sent: Monday, August 13, 2001 5:20 PM Subject: ZyXEL Prestige 642 Router Administration Interface Vulnerability FYI, The following is taken from http://www.securityfocus.com It describes a vulnerability because of missing filters in P642R. I checked the new beta and saw that now these filters are applied by default. Good! But what about the many customers who already bought P642R ? (See the PASSWORDS section) of the report. ZyXEL Prestige 642R: Exposed Admin Services on WAN with Default Password [ my original BugTraq posting here... ] -- Daniel Roethlisberger <danielat_private> PGP Key ID 0x8DE543ED with fingerprint 6C10 83D7 2BB8 D908 10AE 7FA3 0779 0355 8DE5 43ED With kind regards - Med venlig hilsen Jimmy Jensen - ZyXEL Communication A/S Columbusvej 5, DK - 2860 Søborg Phone (+45) 39550700 - Fax (+45) 39550707 Support Phone (+45) 39550785 Did you check http://www.zyxel.dk today? --- end of original message --- -- Daniel Roethlisberger <danielat_private> PGP Key ID 0x8DE543ED with fingerprint 6C10 83D7 2BB8 D908 10AE 7FA3 0779 0355 8DE5 43ED
This archive was generated by hypermail 2b30 : Tue Aug 14 2001 - 10:41:45 PDT