Security researchers discovered a serious vulnerability in the Zyxel Firewall, allowing for local privilege escalation. However, a remote attacker could also exploit the flaw, adding to the severity of the issue. Thankfully, Zyxel patched the vulnerability following the report, avoiding any malicious exploitation.
Zyxel Firewall Vulnerability
Elaborating on their findings in a recent post, Rapid7 researchers described a local privilege escalation vulnerability affecting Zyxel firewalls. According to the researchers, the products affected by this vulnerability include:
- USG FLEX 100, 100W, 200, 500, 700
- USG20-VPN, USG20W-VPN
- ATP 100, 200, 500, 700, 800
- VPN 50, 100, 300, 1000
These firewalls are aimed at corporate customers, offering email security, web filtering, SSL inspection, intrusion protection, and VPN.
Specifically, the vulnerability allowed a low-privileged authenticated user to gain root access on target devices. Triggering it involves the zysudo.suid binary, which lets a low-privileged user run a set of permitted (allow-listed) commands. The researchers noticed that many of these commands permit command injection and arbitrary file writes. One such root-owned file, /var/zyxel/crontab, was of primary concern, as overwriting it allowed an attacker to gain root access.
Describing the PoC exploit, the researchers stated:

"The attacker copies the active crontab to /tmp/. Then they use echo to create a new script called /tmp/exec_me. The new script, when executed, will start a reverse shell to 10.0.0.28:1270. Execution of the new script is appended to /tmp/crontab. Then /var/zyxel/crontab is overwritten with the malicious /tmp/crontab using zysudo.suid. cron will execute the appended command as root within the next 60 seconds."
While the vulnerability is primarily a local one, the researchers explained that a remote attacker could also exploit it. Doing so merely requires chaining it with another related flaw, such as CVE-2022-30525.
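As an added example (not Rapid7's or Zyxel's code), the following Python audit shows one way a defender could spot the crontab tampering described above: it compares the live crontab with a trusted copy and flags any entry absent from the baseline, highlighting those that execute something from a user-writable directory. The path /tmp/exec_me comes from the article; the baseline commands, the WRITABLE_DIRS list and the five-field crontab format are assumptions.

```python
import re
import shlex

# User-writable directories; a root cron entry that runs something from here is
# the pattern the researchers describe (assumes standard five-field crontabs).
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
FIELDS = 5  # minute hour day-of-month month day-of-week

def parse_crontab(text):
    """Yield (line_no, schedule, command) for each active crontab entry."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or NAME=value assignment
        parts = line.split(None, FIELDS)
        if len(parts) == FIELDS + 1:
            yield no, " ".join(parts[:FIELDS]), parts[FIELDS]

def entry_risk(command):
    """Return the reasons a root cron command looks tampered with, or []."""
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        tokens = command.split()
    reasons = [f"executes/reads from user-writable path {t}"
               for t in tokens if t.startswith(WRITABLE_DIRS)]
    if "/dev/tcp/" in command or re.search(r"\b(nc|ncat|netcat)\b", command):
        reasons.append("opens a network connection from cron")
    return reasons

def audit_crontab(current, baseline):
    """Flag entries in the live crontab that are absent from a trusted baseline."""
    known = {cmd for _, _, cmd in parse_crontab(baseline)}
    return [{"line": no, "schedule": sched, "command": cmd,
             "reasons": entry_risk(cmd) or ["not in baseline"]}
            for no, sched, cmd in parse_crontab(current) if cmd not in known]

# Constructed sample: a vendor crontab as shipped, then the same file with the
# appended entry from the PoC description (/tmp/exec_me is the researchers'
# script name; the baseline commands are made up for this example).
BASELINE = """# constructed baseline
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * /usr/sbin/vendor_health_check
"""
CURRENT = BASELINE + "* * * * * /tmp/exec_me\n"

if __name__ == "__main__":
    for f in audit_crontab(CURRENT, BASELINE):
        print(f"line {f['line']}: {f['command']} -> {', '.join(f['reasons'])}")
```

On a real device the baseline would be the crontab captured from a freshly updated unit, and the audit would run against a copy of /var/zyxel/crontab pulled during an integrity check.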
Patch Deployed
Following this discovery, the researchers reached out to Zyxel. In response, the vendor patched the vulnerability across multiple products.
As elaborated in Zyxel's advisory, the vendor patched this vulnerability together with another flaw, CVE-2022-2030. The advisory also lists the patched firmware versions that users can refer to when updating their devices.