Network-attached storage boxes, corporate VPN gateways, firewalls and other Zyxel security kit can be hijacked remotely by any attacker, thanks to a devastating security hole in the firmware.
The devices' weblogin.cgi program fails to sanitize user input, allowing anyone who can reach one of these vulnerable machines, over the local network or the internet, to silently inject and execute arbitrary commands as the superuser root without needing to authenticate. That would be a total compromise: it rates 10 out of 10 in severity.
As the name suggests, weblogin.cgi is part of the firmware's built-in web-based user interface, and commands can be injected via either HTTP GET or POST requests.
If a miscreant cannot connect directly to a vulnerable Zyxel device, “there are ways to trigger such requests even if an attacker does not have direct connectivity to a vulnerable device,” noted Carnegie Mellon's CERT Coordination Center in its advisory on the matter.
“For example, simply visiting a website can compromise any Zyxel device accessible from the client system.”
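A defender who cannot patch immediately will want to know whether weblogin.cgi is being poked at. The following detection routine is an added example written for this article, not code from Zyxel or CERT-CC: it scans web-access log lines (the four sample lines are constructed, and their simplified "client method target status referer" layout is an assumption, as is the device hostname nas.internal) and flags weblogin.cgi requests whose query parameters carry shell metacharacters, or that arrive with a Referer from some other site, which is the pattern the "simply visiting a website" scenario above would produce. POST bodies are not normally logged, so a POST-based injection is only visible this way if the body is captured elsewhere.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Characters that have no legitimate place in a login form field but
# are what a shell would need to chain a second command.
SHELL_META = re.compile(r"[;|`$&\n]")

# Constructed sample access-log lines (not real device logs).
# Layout assumed: client method target status referer
SAMPLE_LOG = """\
10.0.0.5 POST /cgi-bin/weblogin.cgi 200 -
10.0.0.9 GET /cgi-bin/weblogin.cgi?username=admin;id&password=x 200 -
203.0.113.7 GET /cgi-bin/weblogin.cgi?username=a%7Cwhoami&password=b 200 http://evil.example/lure.html
10.0.0.5 GET /cgi-bin/index.cgi 200 -
"""

LINE_RE = re.compile(r"^(\S+) (GET|POST) (\S+) (\d{3}) (\S+)$")


def parse_query(query):
    """Split a query string on '&' only, then percent-decode each side.
    Done by hand so that a ';' inside a value survives as data rather
    than being treated as a pair separator (older parse_qsl did that)."""
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def analyse_line(line, device_host="nas.internal"):
    """Return a list of findings for one log line (empty if benign)."""
    m = LINE_RE.match(line)
    if not m:
        return []
    client, method, target, status, referer = m.groups()
    path, _, query = target.partition("?")
    if not path.endswith("/weblogin.cgi"):
        return []
    findings = []
    for name, value in parse_query(query):
        if SHELL_META.search(value):
            findings.append(
                f"shell metacharacter in parameter {name!r} from {client} ({method})"
            )
    # A login request referred from another site is the cross-site trigger
    # CERT-CC describes: the victim's browser does the asking.
    if referer != "-":
        ref_host = urlsplit(referer).hostname or ""
        if ref_host != device_host:
            findings.append(
                f"weblogin.cgi request with off-device referer {ref_host} from {client}"
            )
    return findings


def scan_log(text, device_host="nas.internal"):
    """Run analyse_line over every line of a log and collect findings."""
    findings = []
    for line in text.splitlines():
        findings.extend(analyse_line(line, device_host))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Matches are hints rather than proof: a metacharacter in a username field is almost never legitimate, but a third-party Referer can also be a bookmark or a support page, so treat that finding as a prompt to look at the source host.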
Here is the affected equipment, which will need patching:
- Network connected storage devices: NAS326, NAS520, NAS540, NAS542
- “Advanced” security firewalls: ATP100, ATP200, ATP500, ATP800
- Firewalls and security gateways: USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200, VPN50, VPN100, VPN300, VPN1000, ZyWALL110, ZyWALL310 and ZyWALL310
Patches can be obtained from the Zyxel website and installed. Meanwhile, the NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2 are no longer supported, so no patches are available for them, though they are still vulnerable. Unfortunately, the security bug (CVE-2020-9054) is trivial to exploit.
Speaking of bad news, an exploit is already on sale for $20,000 on underground forums, and the patched firmware is delivered over unencrypted FTP, which can be intercepted by network eavesdroppers.
“Be careful when updating the firmware on the affected devices, since the Zyxel firmware update process both uses an insecure channel (FTP) for retrieval of updates, and the firmware files are verified only by checksum rather than by cryptographic signature,” CERT-CC warned.
“For these reasons, any attacker who has control over DNS or IP routing may be able to cause malicious firmware to be installed on a Zyxel device.”
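To see why a checksum alone does not protect the update, here is an added example (written for this article, not Zyxel's update code) that simulates the two verification policies. The firmware bytes and the use of SHA-256 as the checksum are constructed assumptions; the point is that an attacker who controls the FTP download path serves both the image and its sidecar checksum, so the sidecar always matches, whereas a hash recorded out of band before the download (here PINNED stands in for a value read from a trusted source) catches the substitution.

```python
import hashlib
import hmac

# Constructed stand-ins for a firmware image; not real Zyxel files.
GENUINE_FW = b"ZYXEL-FIRMWARE-IMAGE v5.21 (constructed sample)"
TAMPERED_FW = b"ZYXEL-FIRMWARE-IMAGE v5.21 (constructed sample) + implant"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hash obtained out of band (assumption: read from a trusted page over
# HTTPS or from vendor release notes) before any download takes place.
PINNED = sha256_hex(GENUINE_FW)


def fetch_over_ftp(attacker_controls_channel: bool):
    """Simulate retrieving the image and its sidecar checksum over plain FTP.
    Whoever controls DNS or routing for the FTP host serves both files,
    so the checksum they hand out always matches the image they hand out."""
    fw = TAMPERED_FW if attacker_controls_channel else GENUINE_FW
    return fw, sha256_hex(fw)


def verify_with_sidecar_checksum(fw: bytes, sidecar: str) -> bool:
    """The weak policy: trust a checksum fetched from the same channel."""
    return hmac.compare_digest(sha256_hex(fw), sidecar)


def verify_with_pinned_hash(fw: bytes, pinned: str) -> bool:
    """The stronger policy: compare against a hash fixed before the download."""
    return hmac.compare_digest(sha256_hex(fw), pinned)


def update_outcome(attacker_controls_channel: bool) -> dict:
    """Run one simulated update and report what each check concluded."""
    fw, sidecar = fetch_over_ftp(attacker_controls_channel)
    return {
        "checksum_check_passes": verify_with_sidecar_checksum(fw, sidecar),
        "pinned_hash_check_passes": verify_with_pinned_hash(fw, PINNED),
        "image_is_genuine": fw == GENUINE_FW,
    }


if __name__ == "__main__":
    print("clean channel:   ", update_outcome(False))
    print("hijacked channel:", update_outcome(True))
```

A pinned hash only helps if it was obtained over a channel the attacker does not also control; a vendor signature verified against a key baked into the device would remove that dependency, which is the fix CERT-CC's warning points at.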
If you can't patch your Zyxel device, bin it – especially if it's facing the internet. ®