{"id":13334,"date":"2020-02-25T00:06:00","date_gmt":"2020-02-24T23:06:00","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=13334"},"modified":"2020-02-25T07:22:16","modified_gmt":"2020-02-25T06:22:16","slug":"vulnerability-cve-2020-9054-in-zyxel-nas-devices","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2020\/02\/25\/vulnerability-cve-2020-9054-in-zyxel-nas-devices\/","title":{"rendered":"Vulnerability CVE-2020-9054 in ZyXEL NAS devices"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"https:\/\/www.borncity.com\/blog\/2020\/02\/25\/schwachstelle-cve-2020-9054-in-zyxel-nas-modellen\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>]Zyxel has closed a 0-Day vulnerability in its NAS devices through a firmware update. An exploit code for the vulnerability is currently being sold on underground forums for $20,000. <\/p>\n<p><!--more--><\/p>\n<p>I became aware of the security issue through the following tweet from Will Dormann. 
<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Multiple ZyXEL NAS devices are vulnerable to pre-authentication command injection using the web administration interface &#8211; CVE-2020-9054<br \/>Executed commands may leverage built-in capabilities to execute commands with root privileges.<a href=\"https:\/\/t.co\/aaZj3I1czq\">https:\/\/t.co\/aaZj3I1czq<\/a><\/p>\n<p>\u2014 Will Dormann (@wdormann) <a href=\"https:\/\/twitter.com\/wdormann\/status\/1231987991473602561?ref_src=twsrc%5Etfw\">February 24, 2020<\/a><\/p><\/blockquote>\n<p>On 02\/24\/2020 <a href=\"https:\/\/www.kb.cert.org\/vuls\/id\/498544\/\" target=\"_blank\" rel=\"noopener noreferrer\">this security advisory<\/a> was published for various Zyxel NAS models. Several ZyXEL network attached storage (NAS) devices contain a pre-authentication command injection vulnerability that could allow a remote attacker to execute arbitrary code on a vulnerable device without logging in.<\/p>\n<p>NAS devices from ZyXEL handle authentication through the <em>weblogin.cgi<\/em> executable CGI file. However, this CGI program does not properly sanitize the username parameter passed to it. If the username parameter contains certain characters, it may allow command injection with the privileges of the web server running on the ZyXEL device. <\/p>\n<p>Although the web server does not run as root, the ZyXEL devices contain a setuid utility that can be used to execute any command with root privileges. 
Therefore, it is likely that exploitation of this vulnerability leads to remote code execution with root privileges.<\/p>\n<p>By sending a specially crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker could execute arbitrary code on the device. This can be done directly if the attacker has network access to the device. However, such crafted requests can also be triggered even when the attacker has no direct connection to a vulnerable device: for example, simply visiting a web site can compromise any ZyXEL device that is reachable from the client system.<\/p>\n<p>ZyXEL has provided <a href=\"https:\/\/www.zyxel.com\/support\/remote-code-execution-vulnerability-of-NAS-products.shtml\" target=\"_blank\" rel=\"noopener noreferrer\">firmware updates<\/a> for the NAS326, NAS520, NAS540 and NAS542 devices. Owners of NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2 cannot install firmware updates because these devices are no longer supported. <\/p>\n<p>Care should be taken when updating the firmware on the affected devices, because the ZyXEL firmware upgrade process uses an insecure channel (FTP) to retrieve updates. In addition, the firmware files are verified only by a checksum and not by a cryptographic signature. For these reasons, any attacker who controls DNS or IP routing could cause a malicious firmware image to be installed on a ZyXEL device.<\/p>\n<p>Those who cannot patch should <a href=\"https:\/\/www.kb.cert.org\/vuls\/id\/498544\/\" target=\"_blank\" rel=\"noopener noreferrer\">use workarounds for protection<\/a>. The problem can be mitigated by blocking (e.g. with a firewall) access to the web interface (80\/tcp and 443\/tcp) of a vulnerable ZyXEL device. Any device that can access the ZyXEL web interface should not also be able to access the Internet. 
<\/p>\n<p>Brian Krebs has published more information about this case in <a href=\"https:\/\/krebsonsecurity.com\/2020\/02\/zyxel-fixes-0day-in-network-storage-devices\/\" target=\"_blank\" rel=\"noopener noreferrer\">this article<\/a>. For example, he reported to Zyxel that a 0-day exploit was in circulation and being sold for 20,000 US $. <\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Networking hardware vendor Zyxel has patched a zero-day bug in its NAS devices. The patch comes 12 days after KrebsOnSecurity told the company exploit code for the flaw was being sold for $20k. Ransomware gangs are now reportedly adding it to their arsenal <a href=\"https:\/\/t.co\/v60s7kCm18\">https:\/\/t.co\/v60s7kCm18<\/a> <a href=\"https:\/\/t.co\/YDLUYX5Mig\">pic.twitter.com\/YDLUYX5Mig<\/a><\/p>\n<p>\u2014 briankrebs (@briankrebs) <a href=\"https:\/\/twitter.com\/briankrebs\/status\/1231991950150193153?ref_src=twsrc%5Etfw\">February 24, 2020<\/a><\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>[German]Zyxel has closed a 0-Day vulnerability in its NAS devices through a firmware update. 
An exploit code for the vulnerability is currently being sold on underground forums for $20,000.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[448,580],"tags":[701,950,69],"class_list":["post-13334","post","type-post","status-publish","format-standard","hentry","category-devices","category-security","tag-device","tag-nas","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/13334","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=13334"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/13334\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=13334"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=13334"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=13334"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}