Published: 14/11/2019 Updated: 22/11/2019

CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6

CVSS v3 Base Score: 5.9 | Impact Score: 3.6 | Exploitability Score: 2.2

VMScore: 384

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

An issue exists on Zyxel GS1900 devices with firmware prior to 2.50(AAHH.0)C0. The firmware hashes and encrypts passwords using a hardcoded cryptographic key in sal_util_str_encrypt() in libsal.so.0.0. The parameters (salt, IV, and key data) are used to encrypt and decrypt all passwords using AES256 in CBC mode. With the parameters known, all previously encrypted passwords can be decrypted. This includes the passwords that are part of configuration backups or otherwise embedded as part of the firmware.

Vulnerable Product	Search on Vulmon	Subscribe to Product
zyxel gs1900-8_firmware
zyxel gs1900-8hp_firmware
zyxel gs1900-10hp_firmware
zyxel gs1900-16_firmware
zyxel gs1900-24e_firmware
zyxel gs1900-24_firmware
zyxel gs1900-24hp_firmware
zyxel gs1900-48_firmware
zyxel gs1900-48hp_firmware

CVE-2019-15802 decrypter The Zyxel firmware for the GS1900 switches, at least version 240(AAHH2)C0, contains a hardcoded parameters which are used for AES256-CBC encryption an decryption of passwords These parameters (IV, salt and password) are fixed for all devices running the firmware salt[] = "1A3BB2F78D6EC7D8"; iv[32] = "2268BA68768B58C3687D4F205923A741&q

CWE-798 https://www.zyxel.com/support/gs1900-switch-vulnerabilities.shtml https://jasper.la/exploring-zyxel-gs1900-firmware-with-ghidra.html https://nvd.nist.gov https://github.com/jasperla/CVE-2019-15802

CVE-2019-15802

Vulnerability Summary

Vulnerability Trend

Github Repositories

References

Vulmon Search

About

Products

Connect