CVE-2019-15803

Published: Nov 14, 2019Modified: Nov 21, 2024

9.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Exploitability: 3.9 / Impact: 5.2

Source: NVD

Description

An issue was discovered on Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0. Through an undocumented sequence of keypresses, undocumented functionality is triggered. A diagnostics shell is triggered via CTRL-ALT-t, which prompts for the password returned by fds_sys_passDebugPasswd_ret(). The firmware contains access control checks that determine if remote users are allowed to access this functionality. The function that performs this check (fds_sys_remoteDebugEnable_ret in libfds.so) always return TRUE with no actual checks performed. The diagnostics menu allows for reading/writing arbitrary registers and various other configuration parameters which are believed to be related to the network interface chips.

Affected (9)

Products: Zyxel: Gs1900 8 Firmware, Gs1900 8hp Firmware, Gs1900 10hp Firmware, Gs1900 16 Firmware, Gs1900 24e Firmware, Gs1900 24 Firmware, Gs1900 24hp Firmware, Gs1900 48 Firmware, Gs1900 48hp Firmware

9 products

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zyxel Gs1900 8 Firmware	Before 2.50\(aahh.0\)c0

Running on/with	Platform Versions
Zyxel Gs1900 8	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zyxel Gs1900 8hp Firmware	Before 2.50\(aahi.0\)c0

Running on/with	Platform Versions
Zyxel Gs1900 8hp	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zyxel Gs1900 10hp Firmware	Before 2.50\(aazi.0\)c0

Running on/with	Platform Versions
Zyxel Gs1900 10hp	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zyxel Gs1900 16 Firmware	Before 2.50\(aahj.0\)c0

Running on/with	Platform Versions
Zyxel Gs1900 16	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zyxel Gs1900 24e Firmware	Before 2.50\(aahk.0\)c0

Running on/with	Platform Versions
Zyxel Gs1900 24e	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zyxel Gs1900 24 Firmware	Before 2.50\(aahl.0\)c0

Running on/with	Platform Versions
Zyxel Gs1900 24	All versions

Configuration G

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zyxel Gs1900 24hp Firmware	Before 2.50\(aahm.0\)c0

Running on/with	Platform Versions
Zyxel Gs1900 24hp	All versions

Configuration H

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zyxel Gs1900 48 Firmware	Before 2.50\(aahn.0\)c0

Running on/with	Platform Versions
Zyxel Gs1900 48	All versions

Configuration I

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zyxel Gs1900 48hp Firmware	Before 2.50\(aaho.0\)c0

Running on/with	Platform Versions
Zyxel Gs1900 48hp	All versions

Related CWEs

CWE-287

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (4)

https://jasper.la/exploring-zyxel-gs1900-firmware-with-ghidra.html

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.zyxel.com/support/gs1900-switch-vulnerabilities.shtml

Source: cve@mitre.org

Vendor Advisory

https://jasper.la/exploring-zyxel-gs1900-firmware-with-ghidra.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://www.zyxel.com/support/gs1900-switch-vulnerabilities.shtml

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.