Author Topic: "ZSL-2014-5208"? What's going on?  (Read 19609 times)

0 Members and 1 Guest are viewing this topic.

REDACTED

  • Guest
"ZSL-2014-5208"? What's going on?
« on: November 05, 2015, 11:31:03 PM »
I scanned my network for errors, as I do once a week, and I've never received any errors or issues. It always told me my network is fine and secure.

However, ever since upgrading to the 2016 version of Avast, it suddenly gives me this warning after the scan: ZSL-2014-5208 (Device can be used to compromise your network). Why? How can I fix this?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: "ZSL-2014-5208"? What's going on?
« Reply #1 on: November 05, 2015, 11:58:40 PM »
Do you have a NetGear router?


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: "ZSL-2014-5208"? What's going on?
« Reply #2 on: November 06, 2015, 12:04:34 AM »
Advisory ID: ZSL-2014-5208    http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5208.php

Quote
Description

The router suffers from an authenticated file inclusion vulnerability (LFI) when input passed thru the 'getpage' parameter to 'webproc' script is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks.


Update router firmware ...


REDACTED

  • Guest
Re: "ZSL-2014-5208"? What's going on?
« Reply #3 on: November 06, 2015, 12:08:57 AM »
Advisory ID: ZSL-2014-5208    http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5208.php

Quote
Description

The router suffers from an authenticated file inclusion vulnerability (LFI) when input passed thru the 'getpage' parameter to 'webproc' script is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks.


Update router firmware ...

To answer your first question, my router is a Bell Home Hub 2000. It might be made by Netgear, I really don't know.

As for updating the firmware, I don't think I can do it myself. I think it does that automatically.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: "ZSL-2014-5208"? What's going on?
« Reply #4 on: November 06, 2015, 12:12:52 AM »
Did you get the router from your ISP ?

anyway, now you know what it is, so it is up to you, ignore the message, or find out how to update it


REDACTED

  • Guest
Re: "ZSL-2014-5208"? What's going on?
« Reply #5 on: November 06, 2015, 12:18:31 AM »
Did you get the router from your ISP ?

anyway, now you know what it is, so it is up to you, ignore the message, or find out how to update it

Yup, I got it from my ISP. They installed it and everything. I just reboot it once a week to keep it fresh, nothing else.

Offline hugbear

  • Newbie
  • *
  • Posts: 5
Re: "ZSL-2014-5208"? What's going on?
« Reply #6 on: November 07, 2015, 09:42:49 PM »
Hi everyone.

I've got the same problem, but mine's a bit weirder :)

Avast reports 2 issues with my router:
1. CVE-2014-4019
2. ZLS-2014-5208

When I go to check the details for these issues, it tells me that I have "rom-0" vulnerability and that I should upgrade my firmware. Avast correctly identifies my router as a TP-Link (based on MAC address I presume) BUT I switched to Gargoyle years ago (currently I'm on ver. 1.7.2) so there's no trace of the original firmware. Could it be just a false positive based on router's make?

I also get these:
1. Your router is infected -> it tells me that my DNS settings have been hijacked. I checked them and they seemed OK for my ISP. Just to be on the safe side, I switched them twice - for OpenDNS and Google's DNS - but Avast keeps telling me my DNS is still hijacked.
2. Your wireless network is not secure -> it is,  I'm running WPA2 PSK
3. Your network router is set to a weak password -> it's 11 alphanum. chars
4. Your network router is accessible from the Internet -> it's NOT! WAN access has been disabled for HTTP, HTTPS and SSH (see atteched screenshot) and I've checked to make sure they're inaccessible; neither port 80 nor 443 are forwarded
5. Your router is vulnerable to hacker attacks -> that's that ROM-0 thing
6. Your network devices are not protected -> it says something about IPv6; there's NO IPv6 support in Gargoyle 1.7.2!

Regarding that ZLS-2014-5208 thing: I've never had a Netgear router...


Last week, Avast said my network was fine and dandy. All this weirdness happened today, running Avast Free 2015 on a Win7 laptop AND Avast Free 2016 on a Win10 laptop. Android's Avast Mobile Security says that "Network is secured"! Go figure...


WHAT to make of all this?



« Last Edit: November 07, 2015, 10:10:39 PM by hugbear »

Offline RailroadT

  • Newbie
  • *
  • Posts: 15
Re: "ZSL-2014-5208"? What's going on?
« Reply #7 on: November 12, 2015, 11:12:57 PM »
I scanned my network for errors, as I do once a week, and I've never received any errors or issues. It always told me my network is fine and secure.

However, ever since upgrading to the 2016 version of Avast, it suddenly gives me this warning after the scan: ZSL-2014-5208 (Device can be used to compromise your network). Why? How can I fix this?

I too am having the same problem, also with a Bell Home Hub 2000 provided by my ISP .  The actual make and model is a Sagemcom Fast 5250.  The information available on the web for this particular vulnerability (ZSL-2014-5208), seems to point to a particular Netgear router.  The information in the avast! Home Network Scan indicates the router may need a software/firmware update.

I first contacted my ISP who assured me that it couldn't possibly be a problem with the modem/router  ???.  I performed both a cold and warm boot on the modem/router and it did upgrade the firmware.  I ran the avast! network scan again and it still reported the issue.  Tried rebooting the computer -- same thing.  I contacted avast! Technical Support, but they were not able to tell me whether it was likely a false positive or an actual vulnerability.  It seems that the Name and DNS Name that avast! lists for the router in the network scan has changed (network possibly hacked), but I can't say for sure.

Does anyone have any information on this vulnerability being reported on this modem/router (i.e. is it a false positive or an actual vulnerability, and have there been any exploits)?  :P

Thanks in advance for any help.


REDACTED

  • Guest
Re: "ZSL-2014-5208"? What's going on?
« Reply #9 on: February 12, 2016, 06:09:23 PM »
I'm starting to become worried about the effectiveness of Avast. I have the same problem and get the same response from my ISP who have scanned my system and all say there is nothing there.

REDACTED

  • Guest
Re: "ZSL-2014-5208"? What's going on?
« Reply #10 on: March 31, 2016, 10:26:17 PM »
Quote "It seems that there is a issue with Avast Antivirus software, since many customers are reporting this issue, Bell's Home hub 2000 modem has a latest firmware upgrade and firewall." Unquote
Bell says there is no problem and to ignore it. ADVAST got it wrong.

Offline hugbear

  • Newbie
  • *
  • Posts: 5
Re: "ZSL-2014-5208"? What's going on?
« Reply #11 on: April 02, 2016, 08:47:04 PM »
Everybody gets it wrong sometimes and that's understandable. It's not the „getting it wrong” part that's worrying, but the eery silence on the subject and the lack of apparent progress on the updates.

Well, actually some progress IS visible: right now (11.1.2253 / 160331-2), when I choose to run a "Scan for network threats", all I get is a blank page - and nothing else....

Offline jursa

  • Avast team
  • Jr. Member
  • *
  • Posts: 39
Re: "ZSL-2014-5208"? What's going on?
« Reply #12 on: April 04, 2016, 11:19:27 AM »
Hello,

thanks for the report. It looks like a false positive detection, but for proper analysis we need some logs.

Please follow the guide bellow:
- Enable debug logging: GUI -> Settings -> General -> Maitenance -> Enable debug logging
- Reproduce the issue (Run Home Network Security scan).
- Create support package and submit it (guide here https://www.avast.com/en-us/faq.php?article=AVKB33) and post here a message with the ID of created package so we can find it.

Thank you,
David

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: "ZSL-2014-5208"? What's going on?
« Reply #13 on: April 04, 2016, 11:31:46 AM »
As info :

There is a difference between a ISP/website that scans and avast.
First two scan from the "outside", avast scans from the "inside".

Offline smarda

  • Avast team
  • Newbie
  • *
  • Posts: 2
Re: "ZSL-2014-5208"? What's going on?
« Reply #14 on: April 04, 2016, 02:38:06 PM »
As info :

There is a difference between a ISP/website that scans and avast.
First two scan from the "outside", avast scans from the "inside".

Actually, we try to do both. Most scans are done from the inside (the machine that runs avast) but our cloud servers attempt to check if the network is accessible from public internet too.