Earlier this week, a critical RCE vulnerability, CVE-2020-9054, became known. It was reported that the bug scored 10 points out of 10 possible on the CVSS vulnerability rating scale and affects Zyxel NAS devices.
The root of the problem is hidden in the weblogin.cgi file: the bug occurs because the username parameter is not sanitized correctly. That is, if username includes certain characters, the value can be used to inject commands that run with web server privileges. After that, an attacker can use a setuid utility on the device to run arbitrary commands with root privileges.
Ultimately, a remote attacker is able to execute arbitrary code on a vulnerable Zyxel device by sending a specially crafted HTTP request (POST or GET). Worse, the attacker does not need a direct connection to the device at all: for an attack it is enough to force the victim to visit a malicious site.
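As an added illustration (not code from the article or from Zyxel), the following Python script scans web-server access logs for requests to weblogin.cgi whose username parameter carries shell metacharacters, the pattern described above; the log lines, their Common Log Format layout and the /cgi-bin/ path are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [26/Feb/2020:10:01:02 +0000] "GET /cgi-bin/weblogin.cgi?username=alice&password=x HTTP/1.1" 200 512
198.51.100.7 - - [26/Feb/2020:10:02:15 +0000] "GET /cgi-bin/weblogin.cgi?username=admin%3B%20x&password=x HTTP/1.1" 200 0
203.0.113.5 - - [26/Feb/2020:10:03:40 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.9 - - [26/Feb/2020:10:04:11 +0000] "GET /cgi-bin/weblogin.cgi?username=bob%2524%2528x%2529 HTTP/1.1" 200 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters that let a parameter value break out into a shell command line.
SHELL_META = re.compile(r"[;|&`$<>\n]")


def suspicious_username(value: str) -> bool:
    """True if the username contains shell metacharacters, also after a second URL decode."""
    decoded = unquote(value)  # catches double-encoded values such as %2524 -> %24 -> $
    return bool(SHELL_META.search(value) or SHELL_META.search(decoded))


def scan_line(line: str):
    """Return a hit dict for a suspicious weblogin.cgi request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith("/weblogin.cgi"):
        return None
    # parse_qs URL-decodes once. POST bodies are not written to access logs,
    # so only GET-style query parameters can be inspected from this source.
    for value in parse_qs(url.query).get("username", []):
        if suspicious_username(value):
            return {"ip": m["ip"], "ts": m["ts"], "method": m["method"], "username": value}
    return None


def scan_log(text: str) -> list:
    """Scan every line of an access log and collect the hits."""
    return [hit for hit in map(scan_line, text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Because POST bodies never reach the access log, requests of that kind need a web application firewall or full request capture in front of the device to be inspected the same way.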
Yesterday, February 26, 2020, Zyxel engineers updated the security bulletin dedicated to the problem. As it turned out, the vulnerability threatens not only the company's NAS devices, as previously reported, but also 23 UTM, ATP and VPN firewalls with firmware versions from ZLD V4.35 Patch 0 to ZLD V4.35 Patch 2.
As a result, the following products were added to the list of vulnerable devices: ATP100, ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200, VPN50, VPN300, VPN1000, ZyWALL110, ZyWALL310 and ZyWALL1100. Patches for them have already been released.
Zyxel engineers have also released patches for four vulnerable NAS models: NAS326, NAS520, NAS540 and NAS542. However, ten other NAS models from the company are also affected but are no longer supported, which means patches for them cannot be expected. These are the NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2. Users of these devices are advised to block access to the web interface (80/tcp and 443/tcp) and make sure that the NAS is not reachable from the Internet.
Let me remind you that, according to the well-known information security journalist Brian Krebs, exact instructions for exploiting the vulnerability are already being sold on the darknet for $20,000. Ransomware operators are already interested in these exploits; in particular, the Emotet operators intend to include the exploit in their malware.