COMMAND

	Zyxel remote DoS

SYSTEMS AFFECTED

	Zyxel Prestige 681 and 1600 (possibly other)

PROBLEM

	Przemyslaw Frasunek reported following vulnerabilities regarding  Zyxel,
	SDSL routers.
	

	 First vulnerability

	

	P681/1600 SDSL module restarts when it receives IP packets  with  ip_len
	< real packet size. Resynchronizing of SDSL takes about 2-3 minutes.
	

	How to repeat:
	

	# iptest -d fxp0 -1 -p 6 -g x.x.x.x y.y.y.y

	

	

	 Second vulnerability

	

	P681 (not tested on P1600) device crashes when  it  receives  fragmented
	packet which is longer than 64k after reassembly. This is an old  attack
	known as ping of death.
	

	How to repeat:
	

	

	# iptest -d fxp0 -1 -p 8 -g x.x.x.x y.y.y.y

	

	

	 

	 Details

	

	Both crashes can be triggered only when IP packet is targeted  to  Zyxel
	router and comes from SDSL WAN interface.  Device  won\'t  crash  if  it
	works in bridging mode or packet is only forwarded, not processed.
	

	

SOLUTION

	Workaround
	

	Put device in bridging mode  or  filter  ALL  incoming  traffic.  Packet
	filters in ZyNOS  *WILL  NOT*  prevent  from  attack,  traffic  must  be
	blocked before it reaches P681/P1600 device.