[German]Zyxel's USG/ATP firewalls are also affected by the CVE-2020-9054 vulnerability, as is their NAS. The vendor has released a firmware update to close the vulnerability.
Advertising
Short review
On February 25, 2020, I posted an article Vulnerability CVE-2020-9054 in ZyXEL NAS devices about the vulnerability CVE-2020-9054 in ZyXEL NAS models. A security advisory has been issued on 02/24/2020 from Zyxel for several NAS models.
ZyXEL's network attached storage (NAS) devices contain a pre-authentication command injection vulnerability that could allow a remote attacker to execute arbitrary code on a vulnerable device without logging in. It was not communicated that this vulnerability also exists in Zyxel USG / ATP firewalls.
Zyxel USG / ATP Firewalls affected of CVE-2020-9054
While Zyxel NAS drives may not be as widely used, Zyxel USG/ATP firewalls may well be in use more often in corporate environments for network protection. German blog reader Mario already pointed out to me by this comment andlater in a direct mail (thanks for that) that Zyxel USG/ATP firewalls are also affected by the vulnerability CVE-2020-9054.
I just noticed by chance that the USG / ATP firewalls are also affected by the problem. Link to Zyxel Security Alert
Might be worth an update, as NAS boxes are rare, but firewalls are used more often.
As of March 6, 2020, Zyxel may have updated this security advisory for its NAS models. The text also states that Zyxel firewall products are affected by the vulnerability that allows remote code execution.
Firmware updates available, urgent patching
The manufacturer offers updates for the firmware versions of the individual Zyxel USG/ATP firewalls and VPN solutions on its website. Users are advised to respond immediately and install available firmware updates (or follow workarounds immediately).
Advertising
After a thorough investigation, Zyxcel has identified the vulnerable products that are within their warranty and support period. The list can be found here. For optimal protection, the firmware patches offered there should be installed as soon as possible.
- Users must register before downloading firmware from myZyxel via an encrypted connection.
- When new firmware versions are available, Zyxel will notify users via push notification directly on their device's management interface and instruct them to download the firmware from the cloud instead of via FTP.
- The firmware has a special anti-modification mechanism, if it is modified in any way, the firmware cannot be installed on the device.
Maybe it helps.
