PT-2014-3585 · Zyxel · Zyxel Wireless N300 Netusb Nbg-419N

Published: 2014-04-15 · Updated: 2014-04-15 · CVE-2014-0356

CVSS v2.0: 7.9 (High)

Vector: AV:A/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

ZyXEL Wireless N300 NetUSB NBG-419N router version 1.00(BFQ.6)C0

Description

The issue allows remote attackers to execute arbitrary code via shell metacharacters in input to certain functions or commands. Specifically, the affected functions include detectWeather, set language, SystemCommand, and NTPSyncWithHost in management.c, as well as udps commands such as SET COUNTRY, SET WLAN SSID, SET WLAN CHANNEL, SET WLAN STATUS, and SET WLAN COUNTRY.

Recommendations

For ZyXEL Wireless N300 NetUSB NBG-419N router version 1.00(BFQ.6)C0, consider disabling the detectWeather, set language, SystemCommand, and NTPSyncWithHost functions in management.c, as well as restricting access to the udps commands SET COUNTRY, SET WLAN SSID, SET WLAN CHANNEL, SET WLAN STATUS, and SET WLAN COUNTRY to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

OS Command Injection


Weakness Enumeration

Related Identifiers

CVE-2014-0356

Affected Products

Zyxel Wireless N300 Netusb Nbg-419N