"ZSL-2014-5208"? What's going on?

system · 2015-11-05T22:31:03.000Z

I scanned my network for errors, as I do once a week, and I’ve never received any errors or issues. It always told me my network is fine and secure.

However, ever since upgrading to the 2016 version of Avast, it suddenly gives me this warning after the scan: ZSL-2014-5208 (Device can be used to compromise your network). Why? How can I fix this?

Pondus · 2015-11-05T22:58:40.000Z

Do you have a NetGear router?

Pondus · 2015-11-05T23:04:34.000Z

Advisory ID: ZSL-2014-5208 http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5208.php

[b]Description[/b]
The router suffers from an authenticated file inclusion vulnerability (LFI) when input passed thru the ‘getpage’ parameter to ‘webproc’ script is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks.

Update router firmware …

system · 2015-11-05T23:08:57.000Z

Pondus post:3:

Advisory ID: ZSL-2014-5208 http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5208.php

[b]Description[/b]
The router suffers from an authenticated file inclusion vulnerability (LFI) when input passed thru the ‘getpage’ parameter to ‘webproc’ script is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks.

Update router firmware …

To answer your first question, my router is a Bell Home Hub 2000. It might be made by Netgear, I really don’t know.

As for updating the firmware, I don’t think I can do it myself. I think it does that automatically.

Pondus · 2015-11-05T23:12:52.000Z

Did you get the router from your ISP ?

anyway, now you know what it is, so it is up to you, ignore the message, or find out how to update it

system · 2015-11-05T23:18:31.000Z

Pondus post:5:

Did you get the router from your ISP ?

anyway, now you know what it is, so it is up to you, ignore the message, or find out how to update it

Yup, I got it from my ISP. They installed it and everything. I just reboot it once a week to keep it fresh, nothing else.

hugbear · 2015-11-07T20:42:49.000Z

Hi everyone.

I’ve got the same problem, but mine’s a bit weirder

Avast reports 2 issues with my router:

CVE-2014-4019
ZLS-2014-5208

When I go to check the details for these issues, it tells me that I have “rom-0” vulnerability and that I should upgrade my firmware. Avast correctly identifies my router as a TP-Link (based on MAC address I presume) BUT I switched to Gargoyle years ago (currently I’m on ver. 1.7.2) so there’s no trace of the original firmware. Could it be just a false positive based on router’s make?

I also get these:

Your router is infected → it tells me that my DNS settings have been hijacked. I checked them and they seemed OK for my ISP. Just to be on the safe side, I switched them twice - for OpenDNS and Google’s DNS - but Avast keeps telling me my DNS is still hijacked.
Your wireless network is not secure → it is, I’m running WPA2 PSK
Your network router is set to a weak password → it’s 11 alphanum. chars
Your network router is accessible from the Internet → it’s NOT! WAN access has been disabled for HTTP, HTTPS and SSH (see atteched screenshot) and I’ve checked to make sure they’re inaccessible; neither port 80 nor 443 are forwarded
Your router is vulnerable to hacker attacks → that’s that ROM-0 thing
Your network devices are not protected → it says something about IPv6; there’s NO IPv6 support in Gargoyle 1.7.2!

Regarding that ZLS-2014-5208 thing: I’ve never had a Netgear router…

Last week, Avast said my network was fine and dandy. All this weirdness happened today, running Avast Free 2015 on a Win7 laptop AND Avast Free 2016 on a Win10 laptop. Android’s Avast Mobile Security says that “Network is secured”! Go figure…

WHAT to make of all this?

RailroadT · 2015-11-12T22:12:57.000Z

adelaisaer post:1:

I scanned my network for errors, as I do once a week, and I’ve never received any errors or issues. It always told me my network is fine and secure.

However, ever since upgrading to the 2016 version of Avast, it suddenly gives me this warning after the scan: ZSL-2014-5208 (Device can be used to compromise your network). Why? How can I fix this?

I too am having the same problem, also with a Bell Home Hub 2000 provided by my ISP . The actual make and model is a Sagemcom Fast 5250. The information available on the web for this particular vulnerability (ZSL-2014-5208), seems to point to a particular Netgear router. The information in the avast! Home Network Scan indicates the router may need a software/firmware update.

I first contacted my ISP who assured me that it couldn’t possibly be a problem with the modem/router ???. I performed both a cold and warm boot on the modem/router and it did upgrade the firmware. I ran the avast! network scan again and it still reported the issue. Tried rebooting the computer – same thing. I contacted avast! Technical Support, but they were not able to tell me whether it was likely a false positive or an actual vulnerability. It seems that the Name and DNS Name that avast! lists for the router in the network scan has changed (network possibly hacked), but I can’t say for sure.

Does anyone have any information on this vulnerability being reported on this modem/router (i.e. is it a false positive or an actual vulnerability, and have there been any exploits)?

Thanks in advance for any help.

Eddy · 2015-11-12T22:34:26.000Z

https://forum.avast.com/index.php?topic=178861.msg1265990#msg1265990

system · 2016-02-12T17:09:23.000Z

I’m starting to become worried about the effectiveness of Avast. I have the same problem and get the same response from my ISP who have scanned my system and all say there is nothing there.

system · 2016-03-31T20:26:17.000Z

Quote “It seems that there is a issue with Avast Antivirus software, since many customers are reporting this issue, Bell’s Home hub 2000 modem has a latest firmware upgrade and firewall.” Unquote
Bell says there is no problem and to ignore it. ADVAST got it wrong.

hugbear · 2016-04-02T18:47:04.000Z

Everybody gets it wrong sometimes and that’s understandable. It’s not the „getting it wrong” part that’s worrying, but the eery silence on the subject and the lack of apparent progress on the updates.

Well, actually some progress IS visible: right now (11.1.2253 / 160331-2), when I choose to run a “Scan for network threats”, all I get is a blank page - and nothing else…

jursa · 2016-04-04T09:19:27.000Z

Hello,

thanks for the report. It looks like a false positive detection, but for proper analysis we need some logs.

Please follow the guide bellow:

Enable debug logging: GUI → Settings → General → Maitenance → Enable debug logging
Reproduce the issue (Run Home Network Security scan).
Create support package and submit it (guide here https://www.avast.com/en-us/faq.php?article=AVKB33) and post here a message with the ID of created package so we can find it.

Thank you,
David

Eddy · 2016-04-04T09:31:46.000Z

As info :

There is a difference between a ISP/website that scans and avast.
First two scan from the “outside”, avast scans from the “inside”.

smarda · 2016-04-04T12:38:06.000Z

Eddy post:14:

As info :

There is a difference between a ISP/website that scans and avast.
First two scan from the “outside”, avast scans from the “inside”.

Actually, we try to do both. Most scans are done from the inside (the machine that runs avast) but our cloud servers attempt to check if the network is accessible from public internet too.

lukor · 2016-04-05T00:32:01.000Z

Hi guys,

just a little explanation, this vulnerability ZLS-2014-5208 is really reported for Netgear routers (see more info e.g. here: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5208.php), but when Avast Home Network Security is testing for the vulnerability, it does not limit itself to Netgear only.

In this specific case, the vulnerability shows that with a specially crafted URL request, the attacker is able to read files from the router, without being authenticated (without knowing the router’s password). This is a real security risk. In Home Network Security Scan we are doing exactly that, we send a HTTP query and read the response - matching the response body against some keywords to find out if the router is vulnerable or not.

Without the logs we can hardly say if Bell Home Hub modem also response to these URLs with a valid unauthenticated file contents and is also vulnerable, similarly to Netgear. It is possible, or it might return a “Access denied” page that confuses us - making it a false positive.

We will be more that greatful for anyone with Bell Home Hub modem to send us the scan logs to improve the checks!
Thanks!

Lukas.

Announcements