Jasper Lievisse Adriaanse

**Name of the Vulnerable Software and Affected Versions** Cisco Business 220 Series Smart Switches (affected versions not specified) **Description** The issue is related to multiple vulnerabilities in the firmware of Cisco Business 220 Series Smart Switches. These vulnerabilities could allow an attacker with Administrator privileges to access sensitive login credentials or reconfigure the passwords on the user account. The vulnerability is associated with a lack of protection for service data. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Business 220 Series Smart Switches (affected versions not specified) **Description** The issue is related to a lack of protection for service data in the firmware of Cisco Small Business 220 Series Smart Switches. An attacker with Administrator privileges could exploit this to access sensitive login credentials or reconfigure passwords on user accounts. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Cisco Small Business 220 Series Smart Switches (affected versions not specified) Description: The web-based management interface of the affected switches has multiple issues that could allow an attacker to hijack a user session, execute arbitrary commands as a root user on the underlying operating system, conduct a cross-site scripting (XSS) attack, or conduct an HTML injection attack. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Small Business 220 Series Smart Switches (affected versions not specified) **Description** The issue concerns multiple vulnerabilities in the web-based management interface, potentially allowing an attacker to hijack a user session, execute arbitrary commands as a root user, conduct cross-site scripting (XSS) attacks, or perform HTML injection attacks. The vulnerability is also related to an incorrect session expiration time, which could enable a remote attacker to bypass authentication, gain unauthorized access to the device's web interface, and perform actions with administrator privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Small Business 220 Series Smart Switches (affected versions not specified) **Description** The issue is related to multiple vulnerabilities in the web-based management interface, which could allow an attacker to hijack a user session, execute arbitrary commands as a root user on the underlying operating system, conduct a cross-site scripting (XSS) attack, or conduct an HTML injection attack. The vulnerability is also associated with a lack of protection for the web page structure, which could enable a remote attacker to perform cross-site scripting attacks using a specially crafted malicious link. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0 **Description** The issue is related to insufficient protection of registration data in the functions `fds sys passDebugPasswd ret()` and `fds sys passRecoveryPasswd ret()` of the `libfds.so.0.0` library in Zyxel GS1900 series router firmware. This can allow a remote attacker to elevate their privileges. The firmware image contains encrypted passwords used for authentication to access diagnostics or password-recovery menus, which can be decrypted using a hardcoded cryptographic key found in the firmware. **Recommendations** For Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0, update the firmware to version 2.50(AAHH.0)C0 or later to resolve the issue. As a temporary workaround, consider restricting access to the diagnostics and password-recovery menus to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0 **Description** The issue exists due to the hardcoding of registration data in the `sal util str encrypt()` function of the Zyxel GS1900 series router firmware. This allows a remote attacker to potentially disclose protected information. The firmware uses a hardcoded cryptographic key to hash and encrypt passwords, utilizing the `sal util str encrypt()` function in `libsal.so.0.0`. The parameters, including `salt`, `IV`, and `key` data, are used for AES256 encryption in CBC mode. With these parameters known, an attacker can decrypt all previously encrypted passwords, including those in configuration backups or embedded in the firmware. **Recommendations** For Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0, update the firmware to version 2.50(AAHH.0)C0 or later to resolve the issue. As a temporary workaround, consider restricting access to configuration backups and embedded firmware components that may contain encrypted passwords. Avoid using the `sal util str encrypt()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Zyxel GS1900 devices with firmware prior to 2.50(AAHH.0)C0 **Description** An issue exists due to insufficient input validation in the Password Recovery component of Zyxel GS1900 series routers. This issue can be triggered by sending a specific signal to the CLI process, such as the SIGQUIT signal, which can be sent through CTRL+ via SSH, allowing access to an undocumented menu. The menu contains "Password recovery for specific user" options, although access control checks are in place to prohibit accessing this menu. The issue may also be accessible using a serial console. Exploitation of this issue could allow a remote attacker to impact the integrity of protected information. **Recommendations** For Zyxel GS1900 devices with firmware prior to 2.50(AAHH.0)C0, update the firmware to version 2.50(AAHH.0)C0 or later to resolve the issue. As a temporary workaround, consider restricting access to the CLI application and the Password Recovery menu to minimize the risk of exploitation. Avoid using the SIGQUIT signal to the CLI application until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0 **Description** An issue allows user accounts with non-admin level privileges to have the same level of privileged access as administrators when connecting to the device via SSH. This enables normal users to obtain the administrative password by running the `tech-support` command via the CLI, which contains the encrypted passwords for all users on the device. These passwords can be decrypted as they are encrypted using well-known and static parameters, allowing the original passwords, including the administrator password, to be obtained. **Recommendations** For Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0, update the firmware to version 2.50(AAHH.0)C0 or later to resolve the issue. As a temporary workaround, consider restricting SSH access to only administrative accounts until the firmware can be updated.

**Name of the Vulnerable Software and Affected Versions** Zyxel GS1900 devices with firmware prior to 2.50(AAHH.0)C0 **Description** An issue was discovered in Zyxel GS1900 devices, where an undocumented sequence of keypresses triggers undocumented functionality. This includes access to a diagnostics shell via `CTRL-ALT-t`, which prompts for a password returned by the `fds sys passDebugPasswd ret()` function. The firmware contains access control checks, but the function `fds sys remoteDebugEnable ret` in `libfds.so` always returns `TRUE` without performing actual checks. This allows for reading and writing arbitrary registers and configuration parameters related to network interface chips. The vulnerability in the `fds sys passDebugPasswd ret()` function of the `libfds.so` library is due to insufficient input validation, which can be exploited by a remote attacker to elevate privileges. **Recommendations** For Zyxel GS1900 devices with firmware prior to 2.50(AAHH.0)C0, update the firmware to version 2.50(AAHH.0)C0 or later to resolve the issue. As a temporary workaround, consider restricting access to the diagnostics menu and the `fds sys passDebugPasswd ret()` function to minimize the risk of exploitation. Additionally, restrict access to the `libfds.so` library and its functions, such as `fds sys remoteDebugEnable ret`, to prevent unauthorized access.

**Name of the Vulnerable Software and Affected Versions** Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0 **Description** An issue exists due to a lack of input validation in the `cmd sys traceroute exec()`, `cmd sys arp clear()`, and `cmd sys ping exec()` functions in the libclicmd.so library. This could allow an attacker to execute arbitrary commands on the switches by leveraging these functions to call `system()`. Although these functions are not currently called in this version of the firmware, an attacker could potentially use other vulnerabilities to gain code execution. **Recommendations** For Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0, update the firmware to version 2.50(AAHH.0)C0 or later to resolve the issue. As a temporary workaround, consider restricting access to the `cmd sys traceroute exec()`, `cmd sys arp clear()`, and `cmd sys ping exec()` functions in the libclicmd.so library until a patch is available.