Zyxel statement to vulnerability CVE-2017-3216

A recently uncovered vulnerability identified in US-CERT vulnerability note VU#350135 and CVE Advisory CVE-2017-3216 exposes a security weakness in the web-based administration interface of Zyxel WiMAX Client Premise Equipment (CPE). The vulnerability could allow an unauthenticated attacker to change the administrator password on the device.

Zyxel has conducted a thorough investigation and is now working on the solutions for the susceptible models, as listed in Table 1.

Workarounds

Zyxel suggests users of the susceptible devices disable WAN device management function following the steps below:

  1. Log in the web-based management interface of the device
  2. Click “Maintenance” and “Remote MGMT”
  3. Disable (unclick) “HTTP and HTTPs – allow connection from WAN”
  4. Save the setting

 

Table 1. Susceptible models

Product Model name Fix schedule
WiMAX CPE MAX218M June 16 2017
MAX218M1W June 23 2017
MAX218MW June 30 2017
MAX308M July 7 2017
MAX318M July 14 2017
MAX338M July 21 2017

Please contact your local service representative if you require further information or assistance. To report a security vulnerability, please contact security@zyxel.com.tw