Your hacker Blog

Zyxel fixed firewall unauthenticated remote command injection issue

Zyxel addressed a critical flaw affecting Zyxel firewall devices that allows unauthenticated, remote attackers to gain arbitrary code execution.

Zyxel has moved to address a critical security vulnerability (CVE-2022-30525, CVSS score: 9.8) affecting Zyxel firewall devices that enables unauthenticated and remote attackers to gain arbitrary code execution as the “nobody” user.

The issue was discovered by Rapid7 which reported it on April 13.

Zyxel silently addressed the flaw by releasing security updates on April 28, 2022, Rapid7 pointed out that this choice leaves defenders in the dark and only advantage the attackers.

“The affected models are vulnerable to unauthenticated and remote command injection via the administrative HTTP interface. Commands are executed as the nobody user.” reads the report published by Rapid7.

Below is the list of vulnerable products and related patches:

Affected modelAffected firmware versionPatch availabilityUSG FLEX 100(W), 200, 500, 700ZLD V5.00 through ZLD V5.21 Patch 1ZLD V5.30USG FLEX 50(W) / USG20(W)-VPNZLD V5.10 through ZLD V5.21 Patch 1ZLD V5.30ATP seriesZLD V5.10 through ZLD V5.21 Patch 1ZLD V5.30VPN seriesZLD V4.60 through ZLD V5.21 Patch 1ZLD V5.30According to Rapid 7, there are more than 15,000 internet-facing vulnerable systems tracked by the Shodan search engine. The researchers also developed a Metasploit module for this issue and published a video PoC of the attack:

“Apply the vendor patch as soon as possible. If possible, enable automatic firmware updates. Disable WAN access to the administrative web interface of the system.” concludes the report.

The vendor the following issues in its VMG3312-T20A wireless router and AP Configurator:

a command injection (CVE-2022-26413);a buffer overflow (CVE-2022-26414) a local privilege escalation (CVE-2022-0556) flaw.Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERSVote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}
Pierluigi Paganini

(SecurityAffairs – hacking, Zyxel)

The post Zyxel fixed firewall unauthenticated remote command injection issue appeared first on Security Affairs.