CVE-2019-15799

moderate-risk
Published 2019-11-14

An issue was discovered on Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0. User accounts created through the web interface of the device, when given non-admin level privileges, have the same level of privileged access as administrators when connecting to the device via SSH (while their permissions via the web interface are in fact restricted). This allows normal users to obtain the administrative password by running the tech-support command via the CLI: this contains the encrypted passwords for all users on the device. As these passwords are encrypted using well-known and static parameters, they can be decrypted and the original passwords (including the administrator password) can be obtained.

Do I need to act?

-
0.38% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10 High
NETWORK / LOW complexity

Affected Products (9)

Gs1900-8 Firmware
Gs1900-8Hp Firmware
Gs1900-16 Firmware
Gs1900-24E Firmware
Gs1900-24 Firmware
Gs1900-24Hp Firmware
Gs1900-48 Firmware
Gs1900-48Hp Firmware

Affected Vendors

Zyxel

References (6)

Exploit https://jasper.la/exploring-zyxel-gs1900-firmware-with-ghidra.html
Exploit https://vimeo.com/354726424
Vendor Advisory https://www.zyxel.com/support/gs1900-switch-vulnerabilities.shtml
Exploit https://jasper.la/exploring-zyxel-gs1900-firmware-with-ghidra.html
Exploit https://vimeo.com/354726424
Vendor Advisory https://www.zyxel.com/support/gs1900-switch-vulnerabilities.shtml
46
/ 100
moderate-risk
Severity 30/34 · Critical
Exploitability 1/34 · Minimal
Exposure 15/34 · Moderate