Zyxel has fixed critical firewall vulnerabilities that could have allowed threat actors to gain full access to devices and the internal corporate networks they are designed to protect.
The company pushed out the security updates in a silent update two weeks ago but more details emerged recently.
Security researchers at Rapid7 found the flaw, which is now tracked as CVE-2022-30525 (CVSS v3 score: 9.8 – critical), and disclosed it to Zyxel on April 13, 2022.
The flaw is an unauthenticated remote command injection via the HTTP interface, affecting Zyxel firewalls supporting Zero Touch Provisioning (ZTP). The impacted firmware versions are ZLD5.00 to ZLD5.21 Patch 1.
CVE-2022-30525 impacts the following models:
- USG FLEX 50, 50W, 100W, 200, 500, 700 using firmware 5.21 and below
- USG20-VPN and USG20W-VPN using firmware 5.21 and below
- ATP 100, 200, 500, 700, 800 using firmware 5.21 and below
These products are typically used in small branches and corporate headquarters for VPN, SSL inspection, intrusion protection, email security, and web filtering.
“Commands are executed as the ‘nobody’ user. This vulnerability is exploited through the /ztp/cgi-bin/handler URI and is the result of passing unsanitized attacker input into the os.system method in lib_wan_settings.py,” explains the Rapid7 report.
“The vulnerable functionality is invoked in association with the setWanPortSt command. An attacker can inject arbitrary commands into the mtu or the data parameter.”
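To make the pattern Rapid7 describes concrete, here is an added illustration (not Zyxel's code; the command, interface and parameter names are hypothetical) of a request parameter reaching a shell string, beside a hardened handler that validates the value and never involves a shell, plus a simple log-review check for requests that do not look like legitimate MTU settings:

```python
import re
import subprocess

# Added illustration, not Zyxel's code: command, interface and parameter names
# are hypothetical. It shows the pattern Rapid7 describes (a request parameter
# interpolated into a shell string) beside a hardened handler.

MTU_MIN, MTU_MAX = 576, 9000
IFACE_RE = re.compile(r"[a-z0-9]{1,15}")
DIGITS_RE = re.compile(r"[0-9]+")
SHELL_META_RE = re.compile(r"[;&|`$<>\n]")


def vulnerable_command(params: dict) -> str:
    # Dangerous pattern: the raw 'mtu' value lands in a string that os.system()
    # would hand to /bin/sh, so a ';' in the value starts a second command.
    return f"ifconfig {params['iface']} mtu {params['mtu']}"


def validate_wan_params(params: dict) -> tuple:
    """Allow-list validation; raises ValueError on anything unexpected."""
    iface = params.get("iface", "")
    mtu = params.get("mtu", "")
    if not IFACE_RE.fullmatch(iface):
        raise ValueError("bad interface name")
    if not DIGITS_RE.fullmatch(mtu) or not MTU_MIN <= int(mtu) <= MTU_MAX:
        raise ValueError("mtu must be an integer between 576 and 9000")
    return iface, int(mtu)


def hardened_argv(params: dict) -> list:
    """Build an argv list: with no shell involved, metacharacters are just bytes."""
    iface, mtu = validate_wan_params(params)
    return ["ifconfig", iface, "mtu", str(mtu)]


def apply_mtu(params: dict) -> int:
    # shell=False (the default) executes argv directly, never via /bin/sh.
    return subprocess.run(hardened_argv(params), check=False).returncode


def is_suspicious_request(params: dict) -> bool:
    """Log-review check: a setWanPortSt request whose mtu is not purely numeric
    or whose data parameter carries shell metacharacters deserves a closer look."""
    if params.get("command") != "setWanPortSt":
        return False
    mtu = params.get("mtu", "")
    data = params.get("data", "")
    return (not DIGITS_RE.fullmatch(mtu)) or bool(SHELL_META_RE.search(data))
```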
Zyxel confirmed the report and the validity of the flaw and promised to release the security updates in June 2022, yet it released a patch on April 28, 2022, without supplying a security advisory, technical details, or mitigation guidance to its customers.
Likely exploited soon
Today, Rapid7 published its disclosure report along with the corresponding Metasploit module, which exploits CVE-2022-30525 by injecting commands in the MTU field.
The researcher who discovered the flaw and developed a working exploit for testing, Jake Baines, has also published the following demonstration video.
The typical consequences of such an attack would be file modification and OS command execution, allowing threat actors to gain initial access to a network and then spread laterally through it.
“The Zyxel firewalls affected by CVE-2022-30525 are what we typically refer to as a ‘network pivot.’ Exploitation of CVE-2022-30525 will likely allow an attacker to establish a foothold in the victim’s internal network,” Rapid7 told BleepingComputer.
“From that foothold, the attacker can attack (or pivot to) internal systems that otherwise would not be exposed to the internet.”
“A real-world example of this sort of attack would be Phineas Fisher’s attack on Hacking Team, in which Fisher exploited an internet-facing firewall/VPN.”
“Once Fisher had full access to the firewall/VPN, they were able to move laterally to internal systems (e.g. MongoDB databases, NAS storage, Exchange servers).”
As the technical details of the vulnerability have been released and it is now supported by Metasploit, all admins should update their devices immediately before threat actors begin to actively exploit the flaw.
Rapid7 reports that at the time of discovery, there were at least 16,213 vulnerable systems exposed to the internet, making this vulnerability an attractive target for threat actors.
If updating to the latest available version is impossible, you are advised to at least disable WAN access to the administrative web interface of the affected products.
BleepingComputer noticed that Zyxel published a security advisory for CVE-2022-30525 during the preparation of this story, attributing the lack of coordination with Rapid7 to miscommunication.