Security Advisory posts: some things that could be improved, from my point of view.

mMontana Posts: 1,300  Guru Member
First of all, thanks for continuing to listen to the security experts who provide Zyxel with information about vulnerabilities.
But the way the info is published still lacks simplicity, clarity and usability.

1: the advisory (link here) does not provide the list of the affected devices. The list is available on a separate page (link here).
2: the product list page, which is another page reporting the vulnerability, does not provide direct access to the patches (see point 3).
3: except for two out of thirty-six devices/versions involved in this advisory (it should be noted that this is the first release), the solution is either not available (the furthest one scheduled for September 2022, seven months away) or, if ready, available only via "Please reach out to your local Zyxel support team for the file."

It's Saturday 19, 11:00 AM CET. If I'm not entitled to a support plan, I cannot access the files.
Which could perhaps be posted on the product page as a download option.
Or on the product management page, if the device requires registration for updates (as the VPN2S does).
Or on the FTP server. Oh... sorry... I forgot. The one Zyxel closed no matter what, even though it was really useful for accessing the whole upgrade path for firmwares.

So. This advisory says...

There are eight vulnerabilities, identified as follows.
1: Multiple buffer overflow vulnerabilities were discovered in the web server of the affected devices.
2: The CGI program lacks a proper permission control mechanism, which could allow an attacker to read sensitive files on the devices.
3: Insufficiently protected credentials in the configuration file of the devices could allow an attacker to retrieve the passwords.
4: Command injection vulnerabilities were found in the diagnostic tool and the certificate upload interface of the devices.
5: Access control vulnerabilities in the devices could allow a less privileged user to access functionality of a more privileged role.
6: The improper symbolic links processing vulnerability in the FTP server could allow an attacker to get read access to the root file system.
7: A security flaw was found in the API of the devices that could be abused without authentication in order to obtain a new session key.
8: A cross-site scripting vulnerability was identified in the printer name field of the print server menu within the web interface of the devices.

Which seem to me... quite big problems for devices like CPEs and/or firewalls and/or publicly reachable devices.
So.
Should I wait until Monday to update them, because Zyxel did not publish the patches for the retail products?
Because for the VPN2S, the latest firmware is dated October 2020 on the support page.
https://www.zyxel.com/support/SupportLandingSR.shtml?c=gb&l=en&kbid=M-02863&md=VPN2S
The same version, dated November 2020, is reported on portal.zyxel.com.

A now sad Zyxel customer and tech.

All Replies

  • Zyxel_Jeff Posts: 1,063  Zyxel Employee
    Thanks for your feedback and reminder; please refer to the link to download the VPN2S firmware (V1.20(ABLN.2)_00210319C1) that fixed the vulnerabilities. BTW, we will enhance the firmware release method to make it easier for our customers to download the firmware in the future.

  • Zyxel_Vic Posts: 281  Zyxel Employee
    Hi @mMontana, thanks for paying attention to our advisories, and we really appreciate your feedback. To your suggestions:

    We put the affected devices on a separate page only when the list runs long, so that the page layout is shorter and easier to scroll and read. In most cases, descriptions and lists are put on the same page. The example you mentioned happens to be one of the rare exceptions.

    Firmware marked with an asterisk is usually for products designed for ISPs. Providing firmware downloads directly on the advisory might cause end users/subscribers to install firmware inappropriate for their devices, so we recommend that users reach out to the support team, who will help them identify the right route to do so.

    Regarding 2, in the CPE part, since one model may have multiple firmware versions (retail version/ISP version), once we receive a request from a customer we evaluate which version they have and deliver the firmware accordingly.

    Regarding the VPN2S, since it is a retail product, you're right that it would be better to put the direct download link. We will add it back soon.
  • mMontana Posts: 1,300  Guru Member
    Putting the device list on a separate page forces everyone who wants to know whether their own devices, or the devices they are responsible for, are affected to change page and re-read most of the security bulletin/advisory. So, if anyone is concerned about the vulnerability, only a bit of time is wasted if the device is involved.
    But for anyone else who is not managing an affected device, the time wasted increases.
    A recent VMware bulletin is way longer than your security advisory, so writing everything that matters in ONE place is indeed faster than creating more pages. During the firmware release correcting the WPA bug, the pages to read were three (still waiting for an updated firmware for NWA 5123 and NWA 1123 v2, FYI).

    Moreover, if readability is a key point for the layout, the current community layout wastes almost 30% of the width with... nothing, after the "featurette" section to the right. This on a 1600-pixel-wide layout, which is not the highest resolution on the market for mobile and/or computer monitors.
    Nice pages and polished design make the platform faster and nicer to use, but if information is lacking, the goal of communication fails.