OSVDB ID: 37669

Title: ZyXEL ZyWALL 2 ZyNOS Management Interface Default Password

Dates

Disclosure: Aug 10, 2007
Discovery: Unknown
Exploit: Unknown
Solution: Unknown

Description

ZyXEL ZyWALL ships with a default password. The admin account has a password that is publicly known and documented. This allows attackers to trivially access the program or system, either from the local network or by exploiting the Cross-Site Request Forgery vulnerability discovered in the web management interface.

Classification

Location: Remote / Network Access
Attack Type: Authentication Management, Misconfiguration
Impact: Loss of Integrity
Solution: Change Default Setting
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Immediately after installation, change every account that is installed by default to use a unique and secure password. When possible, change default account names to custom names as well.

Products

Unknown or Incomplete

References

Credit

Unknown or Incomplete



Direct URL: http://osvdb.org/37669