An issue was discovered on Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0. Through an undocumented sequence of keypresses, undocumented functionality is triggered. A diagnostics shell is triggered via CTRL-ALT-t, which prompts for the password returned by fds_sys_passDebugPasswd_ret(). The firmware contains access control checks that determine if remote users are allowed to access this functionality. The function that performs this check (fds_sys_remoteDebugEnable_ret in libfds.so) always return TRUE with no actual checks performed. The diagnostics menu allows for reading/writing arbitrary registers and various other configuration parameters which are believed to be related to the network interface chips.
2019-11-14T21:15:11.890
2024-11-21T04:29:29.943
Modified
CVSSv3.1: 9.1 (CRITICAL)
AV:N/AC:L/Au:N/C:P/I:P/A:N
10.0
4.9
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Operating System | zyxel | gs1900-8_firmware | < 2.50\(aahh.0\)c0 | Yes |
| Hardware | zyxel | gs1900-8 | - | No |
| Operating System | zyxel | gs1900-8hp_firmware | < 2.50\(aahi.0\)c0 | Yes |
| Hardware | zyxel | gs1900-8hp | - | No |
| Operating System | zyxel | gs1900-10hp_firmware | < 2.50\(aazi.0\)c0 | Yes |
| Hardware | zyxel | gs1900-10hp | - | No |
| Operating System | zyxel | gs1900-16_firmware | < 2.50\(aahj.0\)c0 | Yes |
| Hardware | zyxel | gs1900-16 | - | No |
| Operating System | zyxel | gs1900-24e_firmware | < 2.50\(aahk.0\)c0 | Yes |
| Hardware | zyxel | gs1900-24e | - | No |
| Operating System | zyxel | gs1900-24_firmware | < 2.50\(aahl.0\)c0 | Yes |
| Hardware | zyxel | gs1900-24 | - | No |
| Operating System | zyxel | gs1900-24hp_firmware | < 2.50\(aahm.0\)c0 | Yes |
| Hardware | zyxel | gs1900-24hp | - | No |
| Operating System | zyxel | gs1900-48_firmware | < 2.50\(aahn.0\)c0 | Yes |
| Hardware | zyxel | gs1900-48 | - | No |
| Operating System | zyxel | gs1900-48hp_firmware | < 2.50\(aaho.0\)c0 | Yes |
| Hardware | zyxel | gs1900-48hp | - | No |