Zyxel Patched Zero-Day RCE Vulnerability In NAS Devices

The latest victim of an actively exploited zero-day vulnerability is the Taiwan-based firm Zyxel, which manufactures networking devices. Zyxel has addressed a critical zero-day vulnerability in some of its NAS devices that could allow remote code execution.

Zero-Day Vulnerability In Zyxel NAS Devices

The Taiwan-based technology firm Zyxel has made it into the news owing to a serious vulnerability in its network-attached storage devices. The founder of security firm Hold Security, Alex Holden, discovered a serious zero-day vulnerability in Zyxel NAS devices.

As revealed through a blog post, Holden found that exploiting this vulnerability could allow a potential attacker to execute arbitrary code. Worryingly, the exploit required no user permission for code execution.

The researcher also noticed active sales of the exploit code on the dark web. He found ransomware gangs interested in the working exploit code, which the seller put up for $20,000.

CERT/CC has confirmed the presence of the vulnerability in its advisory. Regarding the details of the bug, the advisory reads,

ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device.

While the web server doesn’t run with root privileges, an attacker could achieve elevated privileges by abusing a setuid utility present on the device. Hence, remote code execution with root privileges would become possible.
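A defender-side check for the flaw the advisory describes, added here as an example (not code from Zyxel, CERT/CC or the original article): it scans web access logs for weblogin.cgi requests whose decoded username falls outside a conservative allowlist. The log format, the /cgi-bin/ path, the allowlist and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate account names fit this conservative allowlist.
SAFE_USERNAME = re.compile(r"[A-Za-z0-9._@-]{1,64}")

# Request line inside a combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines, not captured traffic. The /cgi-bin/ path
# is an assumption; the article only names the weblogin.cgi executable.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Mar/2020:10:00:01 +0000] '
    '"GET /cgi-bin/weblogin.cgi?username=admin HTTP/1.1" 200 311',
    '203.0.113.45 - - [01/Mar/2020:10:00:09 +0000] '
    '"GET /cgi-bin/weblogin.cgi?username=guest%3Buname%20-a HTTP/1.1" 200 311',
    '198.51.100.7 - - [01/Mar/2020:10:00:15 +0000] '
    '"GET /index.html?username=a%3Bb HTTP/1.1" 200 1024',
]


def suspicious_logins(lines):
    """Return (client_ip, decoded_username) for weblogin.cgi requests
    whose username parameter falls outside the allowlist."""
    hits = []
    for line in lines:
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        # Only the login handler named in the advisory is of interest.
        if not url.path.endswith("/weblogin.cgi"):
            continue
        # parse_qs percent-decodes values, so encoded shell
        # metacharacters are compared in their decoded form.
        for name in parse_qs(url.query).get("username", []):
            if not SAFE_USERNAME.fullmatch(name):
                hits.append((line.split()[0], name))
    return hits


if __name__ == "__main__":
    for ip, name in suspicious_logins(SAMPLE_LOG):
        print(f"{ip} sent unexpected username: {name!r}")
```

Access logs record query strings but not POST bodies, so this only sees usernames passed in the URL; requests that carry the parameter in the body need inspection at a proxy or WAF instead.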

Zyxel Patched The Flaw

Upon receiving the alerts for the zero-day under attack, Zyxel worked swiftly to patch the flaw. They confirmed that the vulnerability, CVE-2020-9054, affected numerous devices including NAS326, NAS520, NAS540, and NAS542. While the patches for these are available, users of NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325, and NSA325v2 would still remain vulnerable since these devices won’t receive the updates due to end-of-support.

The complete list of devices and the hotfixes is available in Zyxel’s advisory.

Zyxel have recommended limiting access to vulnerable NAS devices and blocking access to the web interface as possible mitigations.
