Zyxel storage, firewall, VPN, security boxes have a give-anyone-on-the-internet-root hole: Patch right now

It's 2020 and pre-auth, superuser command injection is still a thing


Zyxel's network storage boxes, business VPN gateways, firewalls, and, er, security scanners can be remotely hijacked by any miscreant, due to a devastating security hole in the firmware.

The devices' weblogin.cgi program fails to sanitize user input, allowing anyone who can reach one of these vulnerable machines, over the network or across the internet, to silently inject and execute arbitrary commands as the root superuser, with no authentication required. That would be a total compromise. It's a 10 out of 10 in terms of severity.

As its name suggests, weblogin.cgi is part of the built-in web-based user interface provided by the firmware, and the commands can be injected via GET or POST HTTP requests.

If a miscreant can't directly connect to a vulnerable Zyxel device, "there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable device," noted Carnegie Mellon's CERT Coordination Center in its advisory on the matter.

"For example, simply visiting a website can result in the compromise of any Zyxel device that is reachable from the client system."

Here's the affected equipment, which will need patching:

  • Network-connected storage devices: NAS326, NAS520, NAS540, NAS542
  • "Advanced" security firewalls: ATP100, ATP200, ATP500, ATP800
  • Security firewalls and gateways: USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200, VPN50, VPN100, VPN300, VPN1000, ZyWALL110, ZyWALL310, and ZyWALL1100

Fixes can be fetched and installed from Zyxel's website. Meanwhile, the NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2 models are no longer supported, and thus no patches are available, but are still vulnerable. The security bug (CVE-2020-9054) is trivial to exploit, unfortunately.

"Command injection within a login page is about as bad as it gets and the lack of any cross-site request forgery token makes this vulnerability particularly dangerous," Craig Young, a researcher with security house Tripwire, told The Register earlier today. "JavaScript running in the browser is enough to identify and exploit vulnerable devices on the network."
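As an added illustration, not from the article and not Zyxel's own code, here is a small Python check a defender could run over web-server access logs for the two conditions described above: shell metacharacters in weblogin.cgi request parameters (including double URL-encoding), and login requests arriving with a third-party Referer, which is what a browser driven by a malicious web page would send. The log lines, host names and the parameter name `user` are constructed placeholders; only GET query strings are visible in access logs, so POST bodies need request-body logging or a WAF.

```python
import re
from urllib.parse import urlsplit, unquote

_META = re.compile(r'[;|&`$<>\n]')  # constructed heuristic: shell metacharacters never valid in a login field
# Combined log format: client, timestamp, request line, status, size, referer, user agent.
_LOG = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def _decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded metacharacters are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line, own_hosts):
    """Findings for one access-log line; empty list when nothing looks wrong."""
    m = _LOG.match(line)
    if not m:
        return []
    parts = urlsplit(m['target'])
    if not parts.path.endswith('/weblogin.cgi'):
        return []
    findings = []
    # Split on '&' by hand so an encoded ';' in a value is examined, not treated as a separator.
    for pair in parts.query.split('&'):
        key, _, val = pair.partition('=')
        if _META.search(_decode(val)):
            findings.append(f'shell metacharacter in parameter {key!r} from {m["src"]}')
    ref = m['referer']
    # A login request referred from a site we do not own is the browser-driven path the advisory warns about.
    if ref not in ('', '-') and urlsplit(ref).hostname not in own_hosts:
        findings.append(f'cross-origin referer {ref!r} from {m["src"]}')
    return findings

def scan(lines, own_hosts):
    return {i: f for i, f in ((i, inspect_line(l, own_hosts)) for i, l in enumerate(lines)) if f}

# Constructed sample log lines; host names and the parameter name 'user' are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Feb/2020:10:01:02 +0000] "GET /weblogin.cgi?user=alice HTTP/1.1" 200 512 "http://nas.example.lan/" "Mozilla/5.0"',
    '203.0.113.9 - - [24/Feb/2020:10:02:17 +0000] "GET /weblogin.cgi?user=alice%253Bfoo HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '10.0.0.7 - - [24/Feb/2020:10:03:44 +0000] "GET /weblogin.cgi?user=bob HTTP/1.1" 200 512 "http://third-party.example.com/page" "Mozilla/5.0"',
    '10.0.0.5 - - [24/Feb/2020:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]
```

`scan(SAMPLE_LOG, {'nas.example.lan'})` flags the second line (encoded semicolon) and the third (third-party Referer); a missing Referer is not proof of safety, since browsers and privacy extensions may strip it.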

Speaking of bad, exploit code is already on sale for $20,000 in underground forums, and the patched firmware is delivered via unencrypted FTP, which can be meddled with by network eavesdroppers.

"Be cautious when updating firmware on affected devices, as the Zyxel firmware upgrade process both uses an insecure channel (FTP) for retrieving updates, and the firmware files are only verified by checksum rather than cryptographic signature," CERT-CC warned.

"For these reasons, any attacker that has control of DNS or IP routing may be able to cause a malicious firmware to be installed on a Zyxel device."

If you can't patch your Zyxel device, bin it – especially if it's facing the internet. ®
