Heads up, Zyxel customers! A severe vulnerability in Zyxel firewalls allowed remote command injection. Since the vendor has already patched the bug, users must ensure they have the latest firmware installed.
Zyxel Firewalls Vulnerability
Researchers from Rapid7 have found a severe vulnerability affecting Zyxel firewalls. As explained in their post, the bug affected numerous devices, threatening the security of many users globally.
Specifically, the researchers found an OS command injection vulnerability that could be exploited remotely. An unauthenticated adversary could attack the target devices and execute malicious commands. Describing the flaw, the researchers stated,
“The affected models are vulnerable to unauthenticated and remote command injection via the administrative HTTP interface. Commands are executed as the nobody user. This vulnerability is exploited through the /ztp/cgi-bin/handler URI and is the result of passing unsanitized attacker input into the os.system method in lib_wan_settings.py. The vulnerable functionality is invoked in association with the setWanPortSt command. An attacker can inject arbitrary commands into the mtu or the data parameter.”
The vulnerability has received the ID number CVE-2022-30525, with a critical severity rating and a CVSS score of 9.8.
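As an added illustration (not Zyxel's or Rapid7's code), this is the hardened shape of a setWanPortSt-style handler: the mtu and data parameter names come from the advisory text above, while the assumption that data carries an interface name, the MTU bounds and the ip link command are constructed here. The point is that strict validation plus an argv list passed to subprocess.run, instead of os.system on a formatted string, leaves no shell for injected input to reach.

```python
import re
import subprocess
from typing import Dict, List

# Constructed example of the fix pattern. Parameter names `mtu` and `data`
# are from the advisory; the request shape and the `ip link` command are assumed.
MTU_MIN, MTU_MAX = 68, 9216                      # IPv4 minimum to jumbo-frame ceiling
IFACE_RE = re.compile(r"[a-z][a-z0-9]{0,14}")    # plain Linux interface name, no metacharacters


def parse_mtu(value: str) -> int:
    """Accept only a plain decimal integer in range: no signs, spaces or shell syntax."""
    if not re.fullmatch(r"[0-9]{1,5}", value):
        raise ValueError(f"mtu must be a plain decimal integer, got {value!r}")
    mtu = int(value)
    if not MTU_MIN <= mtu <= MTU_MAX:
        raise ValueError(f"mtu {mtu} outside {MTU_MIN}-{MTU_MAX}")
    return mtu


def parse_interface(value: str) -> str:
    """Whitelist the interface name instead of trusting the `data` parameter as-is."""
    if not IFACE_RE.fullmatch(value):
        raise ValueError(f"invalid interface name {value!r}")
    return value


def build_set_mtu_argv(params: Dict[str, str]) -> List[str]:
    """Validated request parameters become an argv list; no shell ever parses them."""
    iface = parse_interface(params.get("data", ""))
    mtu = parse_mtu(params.get("mtu", ""))
    return ["ip", "link", "set", "dev", iface, "mtu", str(mtu)]


def set_wan_port_mtu(params: Dict[str, str]) -> int:
    """Replacement for the os.system(formatted_string) pattern the advisory describes."""
    return subprocess.run(build_set_mtu_argv(params), check=False).returncode


if __name__ == "__main__":
    print(build_set_mtu_argv({"data": "wan1", "mtu": "1500"}))
    try:
        build_set_mtu_argv({"data": "wan1", "mtu": "1500 extra"})
    except ValueError as exc:
        print("rejected:", exc)
```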
What made this bug even more severe was that roughly 15,000 affected devices were readily discoverable on Shodan. That means an adversary could have affected thousands of users globally had they found the bug first.
Patch Deployed (Silently?)
Rapid7 explained that they responsibly disclosed the bug to the vendors, setting up a coordinated disclosure deadline in June. While Zyxel acknowledged the bug and worked on developing the fix, they also released the patch quickly (in April 2022).
Though such a quick response is commendable, the researchers point out that Zyxel released the patch without disclosing what it fixed. A silent patch risks an adversary reversing it to work out how to exploit the flaw.
This patch release is tantamount to releasing details of the vulnerabilities, since attackers and researchers can trivially reverse the patch to learn precise exploitation details, while defenders rarely bother to do this.
Once Rapid7 noticed the patch, they went ahead with public disclosure, at around the same time as Zyxel.
All users of affected Zyxel firewall models should now update their devices to the latest firmware to remain safe. Zyxel has released the following firmware versions with the patches.
- USG FLEX 100, 100W, 200, 500, 700: firmware version ZLD5.00 thru ZLD5.21 Patch 1
- USG20-VPN, USG20W-VPN: firmware version ZLD5.10 thru ZLD5.21 Patch 1
- ATP 100, 200, 500, 700, 800: firmware version ZLD5.10 thru ZLD5.21 Patch 1
Let us know your thoughts in the comments.