Zyxelsecurity advisory for insufficient session expiration and cleartext storage of sensitive
CVEs: CVE-2021-35034, CVE-2021-35035
Summary
Zyxel has released a patch addressing insufficient session expiration and cleartext storage of sensitive information vulnerabilities in the NBG6604 home router. Users are advised to install it for optimal protection.
What are the vulnerabilities?
An insufficient session expiration vulnerability is present due to the CGI program lacking a proper session expiration mechanism.
A cleartext storage of sensitive information vulnerability is present due to the configuration file lacking a proper permission control mechanism.
What versions are vulnerable—and what should you do?
After a thorough investigation, we’ve identified only one vulnerable product that is within its warranty and support period and released a firmware patch to address these issues, as shown in the table below.
Affected model |
Patch availability |
NBG6604 |
1.00(ABIR.9)C0 |
Got a question or a tipoff?
Please contact your local service rep or leave a comment here for further information or assistance.
Acknowledgment
Thanks to Liu Yan-Ting for reporting the issues to us.
Revision history
2021-12-30: Initial release
Comments
-
thanks0
Categories
- All Categories
- 347 Beta Program
- 2.1K Nebula
- 114 Nebula Ideas
- 77 Nebula Status and Incidents
- 5K Security
- 44 USG FLEX H Series
- 246 Security Ideas
- 1.2K Switch
- 65 Switch Ideas
- 901 WirelessLAN
- 33 WLAN Ideas
- 5.8K Consumer Product
- 204 Service & License
- 326 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 1.8K FAQ
- 831 Nebula FAQ
- 401 Security FAQ
- 219 Switch FAQ
- 190 WirelessLAN FAQ
- 45 Consumer Product FAQ
- 136 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 71 About Community
- 61 Security Highlight