search menu icon-carat-right cmu-wordmark

CERT Coordination Center

ZyXEL pre-authentication command injection in weblogin.cgi

Vulnerability Note VU#498544

Original Release Date: 2020-02-24 | Last Revised: 2020-02-26

Overview

Multiple ZyXEL devices contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device.

Description

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Multiple ZyXEL devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, many ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges.

Exploit code for this vulnerability that targets NAS devices is available on the internet. For this reason, we have created a PoC exploit that has the ability to power down affected ZyXEL NAS devices.

Impact

By sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable devices. For example, simply visiting a website can result in the compromise of any ZyXEL device that is reachable from the client system.

Solution

Apply an update

ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, NAS542, ATP100, ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200, VPN50, VPN100, VPN300, VPN1000, ZyWALL110, ZyWALL310, and ZyWALL1100 devices. Owners of NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2 as well as some other ZyXEL devices may not be able to install firmware updates, as these devices are no longer supported. Be cautious when updating firmware on affected devices, as the ZyXEL firmware upgrade process both uses an insecure channel (FTP) for retrieving updates, and the firmware files are only verified by checksum rather than cryptographic signature. For these reasons, any attacker that has control of DNS or IP routing may be able to cause a malicious firmware to be installed on a ZyXEL device.

Please also consider the following workarounds:

Block access to the ZyXEL device web interface

This issue can be mitigated by blocking (for example with a firewall) access to the web interface (80/tcp and 443/tcp) of any vulnerable ZyXEL device. Any machine that can access the ZyXEL web interface should not also be able to access the internet.

Restrict access to vulnerable ZyXEL devices

Direct exploitation of this vulnerability can be mitigated by restricting access to vulnerable devices. In particular, do not expose such devices directly to the internet. Note however, that it is still possible for attackers to exploit devices that are not directly connected to the internet. For example, by way of viewing a web page.

Vendor Information

498544
 

Zyxel Affected

Notified:  February 15, 2020 Updated: February 24, 2020

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References


CVSS Metrics

Group Score Vector
Base 10 AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal 9.5 E:F/RL:U/RC:C
Environmental 7.1 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Brian Krebs for notifying us of the exploit availability, which was uncovered by Alex Holden of Hold Security.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2020-9054
Date Public: 2020-02-12
Date First Published: 2020-02-24
Date Last Updated: 2020-02-26 16:16 UTC
Document Revision: 42

Sponsored by CISA.