|
|
| |
| Zyxel Prestige 681 SDSL router is vulnerable to remote denial of service attack. By sending malformed packets, it is possible to bring down DSL link for few minutes. The problem persists only if packets come from DSL interface, not from Ethernet. ZyNOS reports that line is synchronizing and it takes about 2-3 minutes before link is up. |
| |
Credit:
The information has been provided by Przemyslaw Frasunek.
|
| |
First vulnerability:
P681/1600 SDSL module restarts when it receives IP packets with ip_len < real packet size. Re-synchronizing of SDSL takes about 2-3 minutes.
How to recreate:
# iptest -d fxp0 -1 -p 6 -g x.x.x.x y.y.y.y
Second vulnerability:
P681 (not tested on P1600) device crashes when it receives fragmented packet that is longer than 64k after reassembly. This is an old attack known as ping of death.
How to recreate:
# iptest -d fxp0 -1 -p 8 -g x.x.x.x y.y.y.y
The IPTest is part of the IPFilter package that can be downloaded from:
http://coombs.anu.edu.au/ipfilter/
Details:
Both crashes can be triggered only when IP packet is targeted to Zyxel router and comes from SDSL WAN interface. The device will not crash if it works in bridging mode or if packets are only forwarded, not processed.
Workaround:
Put device in bridging mode or filter ALL incoming traffic. Packet filters in ZyNOS WILL NOT prevent the attack; traffic must be blocked before it reaches P681/P1600 device.
Vendor status:
The vendor has been contacted no response has been received.
|
|
|
|
|
|
|
|
