Bugtraq mailing list archives

Re: ZyXEL Prestige Router Remote Node Filtering Vulnerability still present


From: Daniel Roethlisberger <daniel () roe ch>
Date: Fri, 12 Jul 2002 09:55:37 +0200

Bernardo Pons <master () atlas-iap es> wrote:
> bugtraq id 3162: "When more than one remote node filtering rule is
> applied, the first filtering rule is the only one that takes effect."

> Although bugtraq id 3162 reports that ZyXel released a firmware update
> 2.50(AL.1) to fix this vulnerability for the Prestige 642 routers it
> seems this bug is still present in new firmware versions.

To the best of my knowledge, BID 3162 is not accurate. I was not even
aware of that BID until now. It seems that SecurityFocus staff do not
always read BugTraq as thoroughly as they should :->

As Peter Gutmann first pointed out in the discussion about BID 3161 in
[1], it is not a flaw in the firmware, but simply a misconfiguration of
the filter rules you chain together. The preconfigured rules are _not_
configured to be chained together. This flaw can be considered to
consist of both a not too bright default configuration, and a somewhat
misleading filtering concept which is underdocumented. But it is not a
bug in the firmware.


> This configuration has been tested and still has the bug.

Are you definitely, positively sure that you did configure the filter
rules to chain correctly? Only the last one may allow a packet; all
previous filter rules must pass packets on to the next rule (or drop
them, of course). If the first rule allows a packet through, the second
rule never gets to see the packet.


> --
> Bernardo Pons

BTW, your sig-dashes seem to be missing the required trailing space.


Cheers,
Dan

[1] http://online.securityfocus.com/archive/1/203313


-- 
Daniel Roethlisberger <daniel () roe ch>
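The chaining rule Dan describes above (only the last rule in a chain may forward; every earlier rule must either drop or hand the packet to the next rule) can be modelled with a few lines of Python. This is an added example, not code from the thread or from ZyXEL: it assumes each filter rule has a match condition plus an "action when matched" and an "action when not matched", each of which is forward, drop or check-next, and that a packet reaching the end of the chain is forwarded. The rule names, the two sample chains and the packets are constructed for illustration.

```python
"""Model of chained packet-filter rules (added example, not the router's own code).

Each rule has a match predicate and two actions: what to do when the packet
matches and what to do when it does not.  Each action is FORWARD, DROP or
CHECK_NEXT.  Evaluation walks the chain in order and stops at the first
FORWARD or DROP; CHECK_NEXT hands the packet to the next rule.  A packet
that falls off the end of the chain is forwarded (assumption for this model).
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

FORWARD, DROP, CHECK_NEXT = "forward", "drop", "check_next"


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Packet], bool]
    on_match: str       # action when the predicate is true
    on_no_match: str    # action when the predicate is false


def evaluate(chain: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (verdict, name of the rule that decided, or None at end of chain)."""
    for rule in chain:
        action = rule.on_match if rule.matches(pkt) else rule.on_no_match
        if action in (FORWARD, DROP):
            return action, rule.name
        # CHECK_NEXT: fall through to the next rule
    return FORWARD, None


def rules_that_bypass_later_ones(chain: List[Rule]) -> List[str]:
    """Names of non-final rules that can FORWARD, i.e. that short-circuit the
    rest of the chain.  This is exactly the misconfiguration described in
    the thread: a rule before the last one that allows packets through."""
    return [r.name for r in chain[:-1] if FORWARD in (r.on_match, r.on_no_match)]


# Constructed sample predicates: block inbound telnet and ftp.
is_telnet = lambda p: p.proto == "tcp" and p.dst_port == 23
is_ftp = lambda p: p.proto == "tcp" and p.dst_port == 21

# Misconfigured chain: rule 1 forwards everything it does not match, so
# rule 2 never sees a packet.  Only the first rule "takes effect".
misconfigured = [
    Rule("drop-telnet", is_telnet, DROP, FORWARD),
    Rule("drop-ftp", is_ftp, DROP, FORWARD),
]

# Correctly chained: every rule but the last hands non-matching packets on.
chained = [
    Rule("drop-telnet", is_telnet, DROP, CHECK_NEXT),
    Rule("drop-ftp", is_ftp, DROP, FORWARD),
]


def verdicts(chain: List[Rule]) -> dict:
    """Verdict per destination port for three constructed sample packets."""
    sample = [Packet("tcp", 23), Packet("tcp", 21), Packet("tcp", 80)]
    return {p.dst_port: evaluate(chain, p)[0] for p in sample}


if __name__ == "__main__":
    for label, chain in (("misconfigured", misconfigured), ("chained", chained)):
        print(label, verdicts(chain), "bypassing:", rules_that_bypass_later_ones(chain))
```

Running it shows ftp (port 21) forwarded by the misconfigured chain, decided by the first rule, while the correctly chained set drops it in the second rule; the checker function flags the first chain's `drop-telnet` rule as the one that short-circuits the rest, which is the check to make before concluding the firmware is at fault.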


