[NEWS] Zyxel Prestige 681 and 1600 Remote DoS
From: support@securiteam.com Date: 12/20/01
From: support@securiteam.com To: list@securiteam.com Date: Thu, 20 Dec 2001 00:41:49 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Zyxel Prestige 681 and 1600 Remote DoS
------------------------------------------------------------------------
SUMMARY
The Zyxel Prestige 681 SDSL router is vulnerable to a remote denial of
service attack. By sending malformed packets, it is possible to bring down
the DSL link for a few minutes. The problem occurs only if the packets come
from the DSL interface, not from Ethernet. ZyNOS reports that the line is
synchronizing, and it takes about 2-3 minutes before the link is up.
DETAILS
First vulnerability:
The P681/1600 SDSL module restarts when it receives IP packets with ip_len <
real packet size. Re-synchronizing the SDSL link takes about 2-3 minutes.
How to recreate:
# iptest -d fxp0 -1 -p 6 -g x.x.x.x y.y.y.y
Second vulnerability:
The P681 (not tested on P1600) device crashes when it receives a fragmented
packet that is longer than 64k after reassembly. This is an old attack
known as ping of death.
How to recreate:
# iptest -d fxp0 -1 -p 8 -g x.x.x.x y.y.y.y
The IPTest is part of the IPFilter package that can be downloaded from:
http://coombs.anu.edu.au/ipfilter/
Details:
Both crashes can be triggered only when the IP packet is targeted at the
Zyxel router itself and comes from the SDSL WAN interface. The device will
not crash if it works in bridging mode or if packets are only forwarded,
not processed.
Workaround:
Put the device in bridging mode or filter ALL incoming traffic. Packet
filters in ZyNOS WILL NOT prevent the attack; traffic must be blocked before
it reaches the P681/P1600 device.
Vendor status:
The vendor has been contacted; no response has been received.
ADDITIONAL INFORMATION
The information has been provided by Przemyslaw Frasunek
<venglin@freebsd.lublin.pl>.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
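The advisory says traffic must be blocked before it reaches the device. The following is an added example, not part of the original bulletin or of IPFilter, of a sanity check that an upstream filter or sensor could apply to each IPv4 packet to flag the two conditions described under DETAILS. The function names, finding labels and sample packets are assumptions made for illustration; the caller is assumed to pass the packet with the link-layer header already stripped.

```python
import struct

IP_MAX_DATAGRAM = 65535   # largest datagram a 16-bit total length can describe
MIN_ETH_PAYLOAD = 46      # Ethernet pads shorter payloads, so trailing bytes there are normal

def check_ipv4(packet, min_padded=MIN_ETH_PAYLOAD):
    """Return anomaly names for one IPv4 packet (link-layer header stripped)."""
    if len(packet) < 20:
        return ["truncated-header"]
    ver_ihl, _tos, ip_len, _ident, flags_frag = struct.unpack("!BBHHH", packet[:8])
    if ver_ihl >> 4 != 4:
        return ["not-ipv4"]
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        return ["bad-header-length"]
    findings = []
    # First issue in the advisory: ip_len smaller than the real packet size.
    # Packets no longer than the Ethernet minimum may just carry padding.
    if ip_len < ihl or (ip_len < len(packet) and len(packet) > min_padded):
        findings.append("ip_len-below-real-size")
    # Second issue: a fragment whose offset plus data would make the
    # reassembled datagram longer than 64k.
    frag_offset = (flags_frag & 0x1FFF) * 8
    data_len = max(ip_len - ihl, 0)
    if ihl + frag_offset + data_len > IP_MAX_DATAGRAM:
        findings.append("reassembly-exceeds-64k")
    return findings

def sample(ip_len, wire_len, frag_units=0):
    """Constructed test packet: 20-byte header (checksum 0) plus zero bytes."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 1, frag_units, 64, 1, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + bytes(wire_len - 20)

if __name__ == "__main__":
    for name, pkt in [("normal", sample(100, 100)),
                      ("short ip_len", sample(40, 100)),
                      ("padded small packet", sample(28, 46)),
                      ("oversized fragment", sample(1020, 1020, frag_units=8189))]:
        print(name, check_ipv4(pkt) or "ok")
```

A filter placed in front of the router would drop any packet for which the list is non-empty; the padding tolerance avoids flagging small packets that Ethernet has padded to its minimum frame size.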