The management portal on ZyXEL PMG5318-B20A devices with firmware 1.00AANC0b5 does not terminate sessions upon a logout action, which allows remote attackers to bypass intended access restrictions by leveraging an unattended workstation.
ZyXEL PMG5318-B20A devices are vulnerable to a critical session management flaw. This vulnerability allows remote attackers to maintain unauthorized access to the device's management portal even after a user logs out, potentially leading to complete device compromise and network infiltration. Exploitation is straightforward and requires no advanced skills, posing a significant risk to organizations using these devices.
Step 1: Legitimate Login: A user successfully authenticates to the ZyXEL PMG5318-B20A's management portal, establishing a valid session.
Step 2: Logout Attempt: The user initiates a logout action through the management portal.
Step 3: Session Persistence: The logout process fails to terminate the user's session on the server side. The session ID or token remains active.
Step 4: Session Reuse: An attacker, either with access to the unattended workstation or with network access, can reach the management portal by using the same browser or by crafting a request that carries the original session cookie or token.
Step 5: Unauthorized Access: The attacker gains unauthorized access to the management portal, potentially allowing them to modify device configurations, extract sensitive information, or use the device as a launchpad for further attacks.
The root cause of CVE-2015-6019 lies in the failure of the ZyXEL PMG5318-B20A's management portal to invalidate or terminate user sessions upon logout. Specifically, the logout function does not clear the session identifiers or tokens stored on the server side, nor does it invalidate the client-side cookies or session data. This allows an attacker to reuse the existing session credentials, effectively bypassing the intended access controls. The flaw likely stems from an incomplete session management implementation, such as missing session timeouts, insufficient session ID invalidation, and a failure to clear session-related data upon logout. The absence of these measures allows an attacker to maintain access indefinitely.
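As an added illustration (not ZyXEL's code), a toy session store shows the logout defect described above beside the corrected behaviour, together with the logout-invalidation check a tester would run against a portal; the `SessionPortal` class, its in-memory store and the 900-second idle timeout are all assumptions.

```python
# Constructed example: a minimal management-portal session store. With
# invalidate_on_logout=False it reproduces the CVE-2015-6019 behaviour
# (logout leaves the server-side session alive); with True it is fixed.
import secrets
import time


class SessionPortal:
    """Toy session store (assumed model, not the device's firmware)."""

    def __init__(self, invalidate_on_logout: bool, idle_timeout: int = 900):
        self.invalidate_on_logout = invalidate_on_logout
        self.idle_timeout = idle_timeout          # seconds of allowed idleness
        self._sessions = {}                       # session id -> record

    def login(self, user: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)           # unguessable session id
        self._sessions[sid] = {"user": user, "last_seen": now}
        return sid

    def logout(self, sid: str) -> None:
        if self.invalidate_on_logout:
            # Correct: drop the server-side record, so the id is dead no
            # matter what cookie a browser or a crafted request presents.
            self._sessions.pop(sid, None)
        # Flawed variant: only the client is told to forget its cookie;
        # the server keeps honouring the id (the behaviour described above).

    def authorized_user(self, sid: str, now: float):
        """Return the user bound to sid, or None if the id is not valid."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if now - rec["last_seen"] > self.idle_timeout:
            del self._sessions[sid]               # expire idle sessions too
            return None
        rec["last_seen"] = now
        return rec["user"]


def logout_invalidates_session(portal: SessionPortal) -> bool:
    """Log in, log out, then replay the old id; True if the server refuses it."""
    now = time.time()
    sid = portal.login("admin", now)
    if portal.authorized_user(sid, now) != "admin":
        raise RuntimeError("fresh session should be accepted")
    portal.logout(sid)
    return portal.authorized_user(sid, now + 1) is None
```

The same login, logout, replay sequence is the check to run against a real portal: a logout that returns a success page but still accepts the old cookie is exactly the defect this entry describes.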