CVE-2024-38270

Published: Sep 10, 2024Modified: Sep 18, 2024

6.5

Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

An insufficient entropy vulnerability caused by the improper use of a randomness function with low entropy for web authentication tokens generation exists in the Zyxel GS1900-10HP firmware version V2.80(AAZI.0)C0. This vulnerability could allow a LAN-based attacker a slight chance to gain a valid session token if multiple authenticated sessions are alive.

Affected (10)

Products: Zyxel: Gs1900 48hpv2 Firmware, Gs1900 48 Firmware, Gs1900 24hpv2 Firmware, Gs1900 24ep Firmware, Gs1900 24e Firmware, Gs1900 24 Firmware, Gs1900 16 Firmware, Gs1900 10hp Firmware, Gs1900 8hp Firmware, Gs1900 8 Firmware

Zyxel

10 products

Gs1900 48hpv2 Firmware

Gs1900 48 Firmware

Gs1900 24hpv2 Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zyxel Gs1900 48hpv2 Firmware	Before 2.80\(abtq.1\)c0

Running on/with	Platform Versions
Zyxel Gs1900 48hpv2	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zyxel Gs1900 48 Firmware	Before 2.80\(aahn.1\)c0

Running on/with	Platform Versions
Zyxel Gs1900 48	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zyxel Gs1900 24hpv2 Firmware	Before 2.80\(abtp.1\)c0

Running on/with	Platform Versions
Zyxel Gs1900 24hpv2	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zyxel Gs1900 24ep Firmware	Before 2.80\(abto.1\)c0

Running on/with	Platform Versions
Zyxel Gs1900 24ep	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zyxel Gs1900 24e Firmware	Up to 2.80\(aahk.1\)c0

Running on/with	Platform Versions
Zyxel Gs1900 24e	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zyxel Gs1900 24 Firmware	Up to 2.80\(aahl.1\)c0

Running on/with	Platform Versions
Zyxel Gs1900 24	All versions

Configuration G

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zyxel Gs1900 16 Firmware	Before 2.80\(aahj.1\)c0

Running on/with	Platform Versions
Zyxel Gs1900 16	All versions

Configuration H

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zyxel Gs1900 10hp Firmware	Before 2.80\(aazi.1\)c0

Running on/with	Platform Versions
Zyxel Gs1900 10hp	All versions

Configuration I

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zyxel Gs1900 8hp Firmware	Before 2.80\(aahi.1\)c0

Running on/with	Platform Versions
Zyxel Gs1900 8hp	All versions

Configuration J

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zyxel Gs1900 8 Firmware	Before 2.80\(aahh.1\)c0

Running on/with	Platform Versions
Zyxel Gs1900 8	All versions

Related CWEs

CWE-331

Insufficient Entropy

The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

References (1)

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-insufficient-entropy-vulnerability-for-web-authentication-tokens-generation-in-gs1900-series-switches-09-10-2024

Source: security@zyxel.com.tw

Vendor Advisory

Timeline

No history available yet.