Serious Privilege Escalation Vulnerability Found In Zyxel Firewall

Security researchers discovered a serious vulnerability in Zyxel firewalls that allows local privilege escalation. A remote attacker could also exploit the flaw by chaining it with another vulnerability in the same products, adding to the severity of the issue. Zyxel patched the vulnerability following the report.

Zyxel Firewall Vulnerability

In a recent post detailing their findings, Rapid7 researchers described a local privilege escalation vulnerability affecting Zyxel firewalls. According to the researchers, the affected products include:

  • USG FLEX 100, 100W, 200, 500, 700
  • USG20-VPN, USG20W-VPN
  • ATP 100, 200, 500, 700, 800
  • VPN 50, 100, 300, 1000

These firewalls are aimed at corporate customers, offering email security, web filtering, SSL inspection, intrusion protection, and VPN.

Specifically, the vulnerability allowed a low-privileged authenticated user to gain root access on affected devices. It is triggered through the zysudo.suid binary, a setuid helper that lets a low-privileged user run a fixed set of allow-listed commands. The researchers noticed that many of these commands permit command injection and arbitrary file writes. One write target, /var/zyxel/crontab, was of primary concern: cron processes that file as root, so an attacker who can overwrite it can run arbitrary commands as root.
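The security-relevant point is that an allow-list of command names is not a privilege boundary when one of those commands can write to a file that root later executes. The following Python model is added here as an illustration and is not Zyxel's code; it contrasts a name-only allow-list check with one that rejects shell metacharacters and refuses writes under privileged paths. The allow-list contents, argument limits and protected prefixes are assumptions made for the example.

```python
import posixpath
import shlex

# Assumed, illustrative allow-list: command name -> maximum argument count.
# This is a model of the weak pattern, not zysudo.suid's real configuration.
ALLOWED = {"cp": 2, "cat": 1, "ls": 1}

# Paths consumed by root-privileged services (cron, init, system binaries).
# Letting an unprivileged user write here is equivalent to root execution.
PROTECTED_PREFIXES = ("/var/zyxel/", "/etc/", "/usr/", "/sbin/", "/bin/")

# Characters that turn an "allowed" command into a command injection
# when the helper hands the line to a shell.
SHELL_META = set(";|&`$<>\n")


def naive_check(cmdline: str) -> bool:
    """Allow-list check that only inspects the program name (the weak pattern)."""
    name = cmdline.split(None, 1)[0] if cmdline.strip() else ""
    return name in ALLOWED


def _writes_to_protected(argv) -> bool:
    """For cp, the last argument is the destination; normalise '../' tricks first."""
    dest = posixpath.normpath(argv[-1])
    return any(dest == p.rstrip("/") or dest.startswith(p) for p in PROTECTED_PREFIXES)


def hardened_check(cmdline: str) -> bool:
    """Reject metacharacters, enforce argument counts, and refuse writes into
    paths that privileged services later read or execute."""
    if any(ch in SHELL_META for ch in cmdline):
        return False
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes
        return False
    if not argv or argv[0] not in ALLOWED:
        return False
    if len(argv) - 1 > ALLOWED[argv[0]]:
        return False
    if argv[0] == "cp" and (len(argv) != 3 or _writes_to_protected(argv)):
        return False
    return True


if __name__ == "__main__":
    for line in ("cp /tmp/crontab /var/zyxel/crontab",
                 "cp /tmp/a /tmp/../var/zyxel/crontab",
                 "cat /tmp/x; id",
                 "cp /tmp/a /tmp/b"):
        print(f"{line!r:45} naive={naive_check(line)} hardened={hardened_check(line)}")
```

The name-only check accepts both the crontab overwrite and a trailing `; id` injection, which is exactly the class of allow-list failure the researchers describe; the hardened version fails closed on both and also catches a `..`-based path that normalises into the protected directory.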

Describing the PoC exploit, the researchers stated,

The attacker copies the active crontab to /tmp/. Then they use echo to create a new script called /tmp/exec_me. The new script, when executed, will start a reverse shell to 10.0.0.28:1270. Execution of the new script is appended to /tmp/crontab. Then /var/zyxel/crontab is overwritten with the malicious /tmp/crontab using zysudo.suid. cron will execute the appended command as root within the next 60 seconds.
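As an added example, not taken from Rapid7's post or Zyxel's firmware, the following Python code shows how a defender could check a device's crontab for the pattern described above: entries that execute from world-writable directories or look like reverse shells, and entries that are not present in a known-good baseline copy. The sample crontab lines are constructed for the example and do not reflect a real Zyxel crontab.

```python
import re

# Directories an unprivileged user can write to; root should never run from them.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Common reverse-shell fingerprints in a cron command line.
REVERSE_SHELL_HINTS = re.compile(r"/dev/tcp/|\bnc\b.*-e|bash -i|mkfifo")

# Constructed sample: a known-good crontab and the same file after the
# attacker appends a line that runs a script from /tmp every minute.
BASELINE_CRONTAB = """\
# m h dom mon dow command   (constructed sample, not a real device crontab)
SHELL=/bin/sh
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /usr/bin/update-check --quiet
"""

TAMPERED_CRONTAB = BASELINE_CRONTAB + "* * * * * /tmp/exec_me\n"


def parse_crontab(text):
    """Return (schedule, command) tuples, skipping comments and VAR=value lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue  # environment assignment such as SHELL=/bin/sh
        if line.startswith("@"):  # @reboot, @daily, ...
            sched, _, cmd = line.partition(" ")
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue  # malformed line, not a job
            sched, cmd = " ".join(parts[:5]), parts[5]
        entries.append((sched, cmd.strip()))
    return entries


def is_suspicious(cmd: str) -> bool:
    """Flag any token pointing into a world-writable dir, or reverse-shell idioms."""
    if any(tok.startswith(WRITABLE_DIRS) for tok in cmd.split()):
        return True
    return bool(REVERSE_SHELL_HINTS.search(cmd))


def suspicious_entries(text):
    return [e for e in parse_crontab(text) if is_suspicious(e[1])]


def added_entries(baseline_text, current_text):
    """Jobs present in the current crontab but absent from the baseline."""
    base = set(parse_crontab(baseline_text))
    return [e for e in parse_crontab(current_text) if e not in base]


if __name__ == "__main__":
    print("suspicious:", suspicious_entries(TAMPERED_CRONTAB))
    print("added since baseline:", added_entries(BASELINE_CRONTAB, TAMPERED_CRONTAB))
```

Either check alone catches the appended `/tmp/exec_me` job; running both matters because an attacker who instead edits an existing line, or stages the script somewhere other than /tmp, may slip past one of them but not the other.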

While the vulnerability requires local, authenticated access, the researchers explained that a remote attacker could also reach it by chaining it with another flaw in the same products, such as CVE-2022-30525, to obtain the initial foothold.

Patch Deployed

Following this discovery, the researchers reported the issue to Zyxel, which patched the vulnerability across multiple products.

As described in Zyxel's advisory, the fix was released together with a patch for another flaw, CVE-2022-2030. The advisory also lists the patched firmware versions, which users should consult to update their devices accordingly.

