Zyxel storage, firewall, VPN, security boxes have a give-anyone-on-the-internet-root hole: Patch right now
It's 2020 and pre-auth, superuser command injection is still a thing
Zyxel's network storage boxes, business VPN gateways, firewalls, and, er, security scanners can be remotely hijacked by any miscreant, due to a devastating security hole in the firmware.
The devices' weblogin.cgi program fails to sanitize user input, allowing anyone who can reach one of these vulnerable machines, over the network or across the internet, can silently inject and execute arbitrary commands as a root superuser with no authentication required. That would be a total compromise. It's a 10 out of 10 in terms of severity.
As its name suggests, weblogin.cgi is part of the built-in web-based user interface provided by the firmware, and the commands can be injected via GET or POST HTTP requests.
If a miscreant can't directly connect to a vulnerable Zyxel device, "there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable device," noted Carnegie Mellon's CERT Coordination Center in its advisory on the matter.
"For example, simply visiting a website can result in the compromise of any Zyxel device that is reachable from the client system."
Here's the affected equipment, which will need patching:
- Network-connected storage devices: NAS326, NAS520, NAS540, NAS542
- "Advanced" security firewalls: ATP100, ATP200, ATP500, ATP800
- Security firewalls and gateways: USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200, VPN50, VPN100, VPN300, VPN1000, ZyWALL110, ZyWALL310, and ZyWALL1100
Fixes can be fetched and installed from Zyxel's website. Meanwhile, the NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2 models are no longer supported, and thus no patches are available, but are still vulnerable. The security bug (CVE-2020-9054) is trivial to exploit, unfortunately.
Speaking of bad, exploit code is already on sale for $20,000 in underground forums, and the patched firmware is delivered via unencryped FTP, which can be meddled with by network eavesdroppers.
"Be cautious when updating firmware on affected devices, as the Zyxel firmware upgrade process both uses an insecure channel (FTP) for retrieving updates, and the firmware files are only verified by checksum rather than cryptographic signature," CERT-CC warned.
"For these reasons, any attacker that has control of DNS or IP routing may be able to cause a malicious firmware to be installed on a Zyxel device."
If you can't patch your Zyxel device, bin it – especially if it's facing the internet. ®