CVE-2019-15802

moderate-risk

Published 2019-11-14

An issue was discovered on Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0. The firmware hashes and encrypts passwords using a hardcoded cryptographic key in sal_util_str_encrypt() in libsal.so.0.0. The parameters (salt, IV, and key data) are used to encrypt and decrypt all passwords using AES256 in CBC mode. With the parameters known, all previously encrypted passwords can be decrypted. This includes the passwords that are part of configuration backups or otherwise embedded as part of the firmware.

Do I need to act?

0.27% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.9/10 Medium

NETWORK / HIGH complexity

Affected Products (9)

Gs1900-8 Firmware

Gs1900-8Hp Firmware

Gs1900-10Hp Firmware

Gs1900-16 Firmware

Gs1900-24E Firmware

Gs1900-24 Firmware

Gs1900-24Hp Firmware

Gs1900-48 Firmware

Gs1900-48Hp Firmware

Affected Vendors

Zyxel

References (4)

Exploit https://jasper.la/exploring-zyxel-gs1900-firmware-with-ghidra.html

Vendor Advisory https://www.zyxel.com/support/gs1900-switch-vulnerabilities.shtml

Exploit https://jasper.la/exploring-zyxel-gs1900-firmware-with-ghidra.html

Vendor Advisory https://www.zyxel.com/support/gs1900-switch-vulnerabilities.shtml

/ 100

moderate-risk

Severity 18/34 · Moderate

Exploitability 1/34 · Minimal

Exposure 15/34 · Moderate