CVE-2018-1164 – This vulnerability allows remote attackers to r... (How to Fix)

Q: What is the severity of CVE-2018-1164?

CVE-2018-1164 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows remote attackers to reboot ZyXEL DSL routers without authentication by exploiting improper access controls in CGI endpoints. It affects ZyXEL P-870H-51 routers running specific firmware versions. The vulnerability enables denial-of-service attacks and potentially other unauthorized actions.

📋 TL;DR

This vulnerability allows remote attackers to reboot ZyXEL DSL routers without authentication by exploiting improper access controls in CGI endpoints. It affects ZyXEL P-870H-51 routers running specific firmware versions. The vulnerability enables denial-of-service attacks and potentially other unauthorized actions.

💻 Affected Systems

Products:

ZyXEL P-870H-51 DSL Router

Versions: 1.00(AWG.3)D5 and likely earlier versions

Operating Systems: Embedded router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the web management interface which is typically enabled by default. The vulnerability exists in multiple CGI endpoints.

📦 What is this software?

P 870h 51 Firmware by Zyxel

View all CVEs affecting P 870h 51 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Persistent denial-of-service rendering the router unusable, potential for additional unauthorized administrative actions beyond rebooting, and service disruption for all connected users.

🟠

Likely Case

Intermittent service disruption through router reboots, causing temporary network outages for connected devices and users.

🟢

If Mitigated

No impact if proper network segmentation and access controls prevent external access to router management interfaces.

🌐 Internet-Facing: HIGH - The vulnerability requires no authentication and affects internet-facing routers, making them directly accessible to attackers.

🏢 Internal Only: MEDIUM - Internal attackers could exploit this, but requires network access to the router's management interface.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires only HTTP requests to specific CGI endpoints. No authentication needed. Was disclosed through ZDI-CAN-4540.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Later firmware versions from ZyXEL

Vendor Advisory: https://www.zyxel.com/support/security_advisories.shtml

Restart Required: Yes

Instructions:

1. Check current firmware version. 2. Download latest firmware from ZyXEL support site. 3. Upload firmware through router web interface. 4. Reboot router after update completes.

🔧 Temporary Workarounds

Disable WAN Management Access

all

Prevent external access to router management interface by disabling WAN-side administration

Access router web interface > Advanced Setup > Remote Management > Disable WAN access

Network Segmentation

all

Place router management interface on isolated VLAN with strict access controls

🧯 If You Can't Patch

Implement strict firewall rules to block all external access to router management ports (typically 80, 443, 8080)
Deploy network monitoring to detect and alert on unauthorized reboot attempts or suspicious CGI endpoint access

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router web interface under Maintenance > System Info. If version is 1.00(AWG.3)D5 or earlier, likely vulnerable.

Check Version:

curl -s http://router-ip/maintenance/system_info.cgi | grep Firmware

Verify Fix Applied:

Verify firmware version is updated to a version later than 1.00(AWG.3)D5. Test that CGI endpoints no longer accept unauthenticated reboot commands.

📡 Detection & Monitoring

Log Indicators:

Multiple HTTP POST requests to CGI endpoints from unauthorized sources
Router reboot events without administrative action
Access to /cgi-bin/reboot.cgi or similar endpoints

Network Indicators:

HTTP traffic to router management interface from external IPs
POST requests to CGI endpoints without preceding authentication

SIEM Query:

source="router-logs" AND (uri="/cgi-bin/reboot.cgi" OR uri="/cgi-bin/*.cgi") AND NOT user="admin"

📊 Metadata

CVE ID: CVE-2018-1164

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-306

Published: February 21, 2018

Last Updated: November 21, 2024

🔗 References

https://zerodayinitiative.com/advisories/ZDI-18-135 Third Party Advisory,VDB Entry
https://zerodayinitiative.com/advisories/ZDI-18-135 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2018-1164, you might also want to check these: