Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: adelaisaer on November 05, 2015, 11:31:03 PM

Title: "ZSL-2014-5208"? What's going on?
Post by: adelaisaer on November 05, 2015, 11:31:03 PM
I scanned my network for errors, as I do once a week, and I've never received any errors or issues. It always told me my network is fine and secure.

However, ever since upgrading to the 2016 version of Avast, it suddenly gives me this warning after the scan: ZSL-2014-5208 (Device can be used to compromise your network). Why? How can I fix this?
Title: Re: "ZSL-2014-5208"? What's going on?
Post by: Pondus on November 05, 2015, 11:58:40 PM
Do you have a NetGear router?

Title: Re: "ZSL-2014-5208"? What's going on?
Post by: Pondus on November 06, 2015, 12:04:34 AM
Advisory ID: ZSL-2014-5208    http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5208.php

Quote
Description

The router suffers from an authenticated file inclusion vulnerability (LFI) when input passed thru the 'getpage' parameter to 'webproc' script is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks.


Update router firmware ...

Title: Re: "ZSL-2014-5208"? What's going on?
Post by: adelaisaer on November 06, 2015, 12:08:57 AM
Advisory ID: ZSL-2014-5208    http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5208.php

Quote
Description

The router suffers from an authenticated file inclusion vulnerability (LFI) when input passed thru the 'getpage' parameter to 'webproc' script is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks.


Update router firmware ...

To answer your first question, my router is a Bell Home Hub 2000. It might be made by Netgear, I really don't know.

As for updating the firmware, I don't think I can do it myself. I think it does that automatically.
Title: Re: "ZSL-2014-5208"? What's going on?
Post by: Pondus on November 06, 2015, 12:12:52 AM
Did you get the router from your ISP?

Anyway, now you know what it is, so it is up to you: ignore the message, or find out how to update it.

Title: Re: "ZSL-2014-5208"? What's going on?
Post by: adelaisaer on November 06, 2015, 12:18:31 AM
Did you get the router from your ISP ?

anyway, now you know what it is, so it is up to you, ignore the message, or find out how to update it

Yup, I got it from my ISP. They installed it and everything. I just reboot it once a week to keep it fresh, nothing else.
Title: Re: "ZSL-2014-5208"? What's going on?
Post by: hugbear on November 07, 2015, 09:42:49 PM
Hi everyone.

I've got the same problem, but mine's a bit weirder :)

Avast reports 2 issues with my router:
1. CVE-2014-4019
2. ZSL-2014-5208

When I go to check the details for these issues, it tells me that I have "rom-0" vulnerability and that I should upgrade my firmware. Avast correctly identifies my router as a TP-Link (based on MAC address I presume) BUT I switched to Gargoyle years ago (currently I'm on ver. 1.7.2) so there's no trace of the original firmware. Could it be just a false positive based on router's make?

I also get these:
1. Your router is infected -> it tells me that my DNS settings have been hijacked. I checked them and they seemed OK for my ISP. Just to be on the safe side, I switched them twice - for OpenDNS and Google's DNS - but Avast keeps telling me my DNS is still hijacked.
2. Your wireless network is not secure -> it is,  I'm running WPA2 PSK
3. Your network router is set to a weak password -> it's 11 alphanum. chars
4. Your network router is accessible from the Internet -> it's NOT! WAN access has been disabled for HTTP, HTTPS and SSH (see attached screenshot) and I've checked to make sure they're inaccessible; neither port 80 nor 443 are forwarded
5. Your router is vulnerable to hacker attacks -> that's that ROM-0 thing
6. Your network devices are not protected -> it says something about IPv6; there's NO IPv6 support in Gargoyle 1.7.2!

Regarding that ZSL-2014-5208 thing: I've never had a Netgear router...


Last week, Avast said my network was fine and dandy. All this weirdness happened today, running Avast Free 2015 on a Win7 laptop AND Avast Free 2016 on a Win10 laptop. Android's Avast Mobile Security says that "Network is secured"! Go figure...


WHAT to make of all this?



Title: Re: "ZSL-2014-5208"? What's going on?
Post by: RailroadT on November 12, 2015, 11:12:57 PM
I scanned my network for errors, as I do once a week, and I've never received any errors or issues. It always told me my network is fine and secure.

However, ever since upgrading to the 2016 version of Avast, it suddenly gives me this warning after the scan: ZSL-2014-5208 (Device can be used to compromise your network). Why? How can I fix this?

I too am having the same problem, also with a Bell Home Hub 2000 provided by my ISP. The actual make and model is a Sagemcom Fast 5250. The information available on the web for this particular vulnerability (ZSL-2014-5208) seems to point to a particular Netgear router. The information in the avast! Home Network Scan indicates the router may need a software/firmware update.

I first contacted my ISP who assured me that it couldn't possibly be a problem with the modem/router  ???.  I performed both a cold and warm boot on the modem/router and it did upgrade the firmware.  I ran the avast! network scan again and it still reported the issue.  Tried rebooting the computer -- same thing.  I contacted avast! Technical Support, but they were not able to tell me whether it was likely a false positive or an actual vulnerability.  It seems that the Name and DNS Name that avast! lists for the router in the network scan has changed (network possibly hacked), but I can't say for sure.

Does anyone have any information on this vulnerability being reported on this modem/router (i.e. is it a false positive or an actual vulnerability, and have there been any exploits)?  :P

Thanks in advance for any help.
Title: Re: "ZSL-2014-5208"? What's going on?
Post by: Eddy on November 12, 2015, 11:34:26 PM
https://forum.avast.com/index.php?topic=178861.msg1265990#msg1265990
Title: Re: "ZSL-2014-5208"? What's going on?
Post by: leader_dawg on February 12, 2016, 06:09:23 PM
I'm starting to become worried about the effectiveness of Avast. I have the same problem and get the same response from my ISP who have scanned my system and all say there is nothing there.
Title: Re: "ZSL-2014-5208"? What's going on?
Post by: mdicristofano on March 31, 2016, 10:26:17 PM
Quote "It seems that there is an issue with Avast Antivirus software, since many customers are reporting this issue, Bell's Home hub 2000 modem has a latest firmware upgrade and firewall." Unquote
Bell says there is no problem and to ignore it. Avast got it wrong.
Title: Re: "ZSL-2014-5208"? What's going on?
Post by: hugbear on April 02, 2016, 08:47:04 PM
Everybody gets it wrong sometimes and that's understandable. It's not the „getting it wrong” part that's worrying, but the eerie silence on the subject and the lack of apparent progress on the updates.

Well, actually some progress IS visible: right now (11.1.2253 / 160331-2), when I choose to run a "Scan for network threats", all I get is a blank page - and nothing else....
Title: Re: "ZSL-2014-5208"? What's going on?
Post by: jursa on April 04, 2016, 11:19:27 AM
Hello,

thanks for the report. It looks like a false positive detection, but for proper analysis we need some logs.

Please follow the guide below:
- Enable debug logging: GUI -> Settings -> General -> Maintenance -> Enable debug logging
- Reproduce the issue (Run Home Network Security scan).
- Create support package and submit it (guide here https://www.avast.com/en-us/faq.php?article=AVKB33) and post here a message with the ID of created package so we can find it.

Thank you,
David
Title: Re: "ZSL-2014-5208"? What's going on?
Post by: Eddy on April 04, 2016, 11:31:46 AM
As info :

There is a difference between an ISP/website that scans and avast.
The first two scan from the "outside", avast scans from the "inside".
Title: Re: "ZSL-2014-5208"? What's going on?
Post by: smarda on April 04, 2016, 02:38:06 PM
As info :

There is a difference between an ISP/website that scans and avast.
The first two scan from the "outside", avast scans from the "inside".

Actually, we try to do both. Most scans are done from the inside (the machine that runs avast) but our cloud servers attempt to check if the network is accessible from public internet too.
Title: Re: "ZSL-2014-5208"? What's going on?
Post by: lukor on April 05, 2016, 02:32:01 AM
Hi guys,

just a little explanation, this vulnerability ZSL-2014-5208 is really reported for Netgear routers (see more info e.g. here: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5208.php), but when Avast Home Network Security is testing for the vulnerability, it does not limit itself to Netgear only.

In this specific case, the vulnerability shows that with a specially crafted URL request, the attacker is able to read files from the router, without being authenticated (without knowing the router's password). This is a real security risk. In Home Network Security Scan we are doing exactly that, we send an HTTP query and read the response - matching the response body against some keywords to find out if the router is vulnerable or not.

Without the logs we can hardly say if Bell Home Hub modem also responds to these URLs with a valid unauthenticated file contents and is also vulnerable, similarly to Netgear. It is possible, or it might return an "Access denied" page that confuses us - making it a false positive.

We will be more than grateful for anyone with Bell Home Hub modem to send us the scan logs to improve the checks!
Thanks!
Thanks!

Lukas.
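
The false-positive mechanism described in the last post, as an added example that is not part of the original thread and is not Avast's code: a keyword-only match flags an "Access denied" page, while a structural check against a control response does not. The keyword list, the passwd-style file format and the control request are assumptions made for illustration; the sample bodies are constructed.

```python
import re

# Hypothetical keyword list; the thread does not say which keywords the scanner uses.
KEYWORDS = ("root", "password")

# One passwd-style record: name:passwd:uid:gid:gecos:home:shell
PASSWD_LINE = re.compile(
    r"^[A-Za-z_][\w.-]*:[^:\n]*:\d+:\d+:[^:\n]*:[^:\n]*:[^:\n]*$"
)

# Constructed sample bodies (not captured from any real device).
DENIED_PAGE = (
    "<html><head><title>Access denied</title></head>"
    "<body>Log in as root with your password.</body></html>"
)
FILE_BODY = "root:x:0:0:root:/root:/bin/sh\nnobody:x:99:99:nobody:/:/bin/false\n"


def naive_match(body):
    """Keyword-only check: flags any body that mentions a keyword."""
    lowered = body.lower()
    return any(word in lowered for word in KEYWORDS)


def looks_like_html(body):
    head = body.lstrip()[:200].lower()
    return head.startswith("<!doctype") or "<html" in head


def classify(status, body, control_body):
    """Classify a probe response; control_body is the device's answer to a
    request for a page name that cannot exist (its generic error/login page)."""
    if status != 200:
        return "not_vulnerable"
    if body == control_body or looks_like_html(body):
        return "not_vulnerable"   # generic page, not file contents
    lines = [line for line in body.splitlines() if line.strip()]
    if lines and all(PASSWD_LINE.match(line) for line in lines):
        return "vulnerable"       # every line parses as a passwd record
    return "inconclusive"         # keywords alone are not evidence
```

A device that answers every unknown URL with the same login or error page and HTTP 200 is the case that trips the keyword match; comparing against the control response removes it.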