Zyxelsecurity advisory for insufficient session expiration and cleartext storage of sensitive

TARA
TARA Posts: 89  Ally Member
First Comment Friend Collector Fourth Anniversary
edited December 2021 in Security Advisories

CVEs: CVE-2021-35034, CVE-2021-35035


Summary

Zyxel has released a patch addressing insufficient session expiration and cleartext storage of sensitive information vulnerabilities in the NBG6604 home router. Users are advised to install it for optimal protection.


What are the vulnerabilities?

CVE-2021-35034

An insufficient session expiration vulnerability is present due to the CGI program lacking a proper session expiration mechanism.

CVE-2021-35035

A cleartext storage of sensitive information vulnerability is present due to the configuration file lacking a proper permission control mechanism.

What versions are vulnerable—and what should you do?

After a thorough investigation, we’ve identified only one vulnerable product that is within its warranty and support period and released a firmware patch to address these issues, as shown in the table below.


Affected model

Patch availability

NBG6604

1.00(ABIR.9)C0


Got a question or a tipoff?

Please contact your local service rep or leave a comment here for further information or assistance.


Acknowledgment

Thanks to Liu Yan-Ting for reporting the issues to us.


Revision history

2021-12-30: Initial release



Comments