CVE-2024-38270

An insufficient entropy vulnerability caused by the improper use of a randomness function with low entropy for web authentication tokens generation exists in the Zyxel GS1900-10HP firmware version V2.80(AAZI.0)C0. This vulnerability could allow a LAN-based attacker a slight chance to gain a valid session token if multiple authenticated sessions are alive.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:zyxel:gs1900-48hpv2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-48hpv2:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:zyxel:gs1900-48_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-48:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:zyxel:gs1900-24hpv2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-24hpv2:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:zyxel:gs1900-24ep_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-24ep:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:zyxel:gs1900-24e_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-24e:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:zyxel:gs1900-24_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-24:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND
cpe:2.3:o:zyxel:gs1900-16_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-16:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND
cpe:2.3:o:zyxel:gs1900-10hp_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-10hp:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND
cpe:2.3:o:zyxel:gs1900-8hp_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-8hp:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND
cpe:2.3:o:zyxel:gs1900-8_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-8:-:*:*:*:*:*:*:*

History

18 Sep 2024, 18:23

Type Values Removed Values Added
First Time Zyxel gs1900-48
Zyxel gs1900-48hpv2 Firmware
Zyxel gs1900-24ep
Zyxel gs1900-8 Firmware
Zyxel gs1900-24ep Firmware
Zyxel gs1900-48 Firmware
Zyxel
Zyxel gs1900-24e Firmware
Zyxel gs1900-16 Firmware
Zyxel gs1900-10hp Firmware
Zyxel gs1900-24e
Zyxel gs1900-8hp
Zyxel gs1900-24 Firmware
Zyxel gs1900-48hpv2
Zyxel gs1900-8hp Firmware
Zyxel gs1900-24
Zyxel gs1900-24hpv2 Firmware
Zyxel gs1900-10hp
Zyxel gs1900-8
Zyxel gs1900-24hpv2
Zyxel gs1900-16
CVSS v2 : unknown
v3 : 5.3
v2 : unknown
v3 : 6.5
References () https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-insufficient-entropy-vulnerability-for-web-authentication-tokens-generation-in-gs1900-series-switches-09-10-2024 - () https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-insufficient-entropy-vulnerability-for-web-authentication-tokens-generation-in-gs1900-series-switches-09-10-2024 - Vendor Advisory
CPE cpe:2.3:o:zyxel:gs1900-10hp_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:zyxel:gs1900-8_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:zyxel:gs1900-24_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:zyxel:gs1900-24e_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-10hp:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-48hpv2:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-16:-:*:*:*:*:*:*:*
cpe:2.3:o:zyxel:gs1900-48_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-24ep:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-24hpv2:-:*:*:*:*:*:*:*
cpe:2.3:o:zyxel:gs1900-24hpv2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:zyxel:gs1900-48hpv2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-24e:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-48:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-8hp:-:*:*:*:*:*:*:*
cpe:2.3:o:zyxel:gs1900-8hp_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:zyxel:gs1900-24ep_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-24:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-8:-:*:*:*:*:*:*:*
cpe:2.3:o:zyxel:gs1900-16_firmware:*:*:*:*:*:*:*:*

10 Sep 2024, 12:09

Type Values Removed Values Added
Summary
  • (es) Existe una vulnerabilidad de entropía insuficiente causada por el uso indebido de una función de aleatoriedad con baja entropía para la generación de tokens de autenticación web en la versión de firmware V2.80(AAZI.0)C0 de Zyxel GS1900-10HP. Esta vulnerabilidad podría permitir que un atacante basado en LAN tenga una pequeña posibilidad de obtener un token de sesión válido si hay varias sesiones autenticadas activas.

10 Sep 2024, 02:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-10 02:15

Updated : 2024-09-18 18:23


NVD link : CVE-2024-38270

Mitre link : CVE-2024-38270

CVE.ORG link : CVE-2024-38270


JSON object : View

Products Affected

zyxel

  • gs1900-16
  • gs1900-16_firmware
  • gs1900-24
  • gs1900-48_firmware
  • gs1900-48
  • gs1900-24hpv2_firmware
  • gs1900-8_firmware
  • gs1900-24e_firmware
  • gs1900-48hpv2_firmware
  • gs1900-24_firmware
  • gs1900-8
  • gs1900-8hp
  • gs1900-10hp
  • gs1900-8hp_firmware
  • gs1900-24e
  • gs1900-48hpv2
  • gs1900-24ep_firmware
  • gs1900-24hpv2
  • gs1900-24ep
  • gs1900-10hp_firmware
CWE
CWE-331

Insufficient Entropy