4.3
CVSSv2

CVE-2019-15802

Published: 14/11/2019 Updated: 22/11/2019
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 5.9 | Impact Score: 3.6 | Exploitability Score: 2.2
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Summary

An issue exists on Zyxel GS1900 devices with firmware prior to 2.50(AAHH.0)C0. The firmware hashes and encrypts passwords using a hardcoded cryptographic key in sal_util_str_encrypt() in libsal.so.0.0. The parameters (salt, IV, and key data) are used to encrypt and decrypt all passwords using AES256 in CBC mode. With the parameters known, all previously encrypted passwords can be decrypted. This includes the passwords that are part of configuration backups or otherwise embedded as part of the firmware.

Most Upvoted Vulmon Research Post

There is no Researcher post for this vulnerability
Would you like to share something about it? Sign up now to share your knowledge with the community.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

zyxel gs1900-8_firmware

zyxel gs1900-8hp_firmware

zyxel gs1900-10hp_firmware

zyxel gs1900-16_firmware

zyxel gs1900-24e_firmware

zyxel gs1900-24_firmware

zyxel gs1900-24hp_firmware

zyxel gs1900-48_firmware

zyxel gs1900-48hp_firmware

Github Repositories

CVE-2019-15802 decrypter The Zyxel firmware for the GS1900 switches, at least version 240(AAHH2)C0, contains a hardcoded parameters which are used for AES256-CBC encryption an decryption of passwords These parameters (IV, salt and password) are fixed for all devices running the firmware salt[] = "1A3BB2F78D6EC7D8"; iv[32] = "2268BA68768B58C3687D4F205923A741&q

CVE-2019-15802 decrypter The Zyxel firmware for the GS1900 switches, at least version 240(AAHH2)C0, contains a hardcoded parameters which are used for AES256-CBC encryption an decryption of passwords These parameters (IV, salt and password) are fixed for all devices running the firmware salt[] = "1A3BB2F78D6EC7D8"; iv[32] = "2268BA68768B58C3687D4F205923A741&q

PoC in GitHub 2020 CVE-2020-0014 It is possible for a malicious application to construct a TYPE_TOAST window manually and make that window clickable This could lead to a local escalation of privilege with no additional execution privileges needed User action is needed for exploitationProduct: AndroidVersions: Android-80 Android-81 Android-9 Android-10Android ID: A-1286745

PoC auto collect from GitHub.

PoC in GitHub 2020 CVE-2020-0022 In reassemble_and_dispatch of packet_fragmentercc, there is possible out of bounds write due to an incorrect bounds calculation This could lead to remote code execution over Bluetooth with no additional execution privileges needed User interaction is not needed for exploitationProduct: AndroidVersions: Android-80 Android-81 Android-9 Andr

PoC in GitHub 2020 CVE-2020-0014 (2020-02-13) It is possible for a malicious application to construct a TYPE_TOAST window manually and make that window clickable This could lead to a local escalation of privilege with no additional execution privileges needed User action is needed for exploitationProduct: AndroidVersions: Android-80 Android-81 Android-9 Android-10Android