Advisory Overview
Several ZyXEL NAS devices are vulnerable to Remote Code Execution (RCE). The vulnerability could allow an attacker to execute remote commands as root. A patch has been released, but many affected devices are end of life and will not receive an update. SKOUT recommends updating firmware immediately on all supported devices and hardening (or replacing) end-of-life devices.
Technical detail and additional information
What is the threat?
A Remote Code Execution (RCE) vulnerability exists in the “weblogin.cgi” executable used in a wide variety of ZyXEL NAS and firewall products. Specifically, the program fails to properly sanitize the “username” parameter passed to it. If this parameter contains specific characters, a command injection is possible with the privileges of the web server running on the vulnerable ZyXEL device.
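The defect class described above is an unsanitized request parameter reaching a shell command line. The following is an added illustration written for this advisory, not code from ZyXEL's weblogin.cgi: it parses a CGI query string, shows which characters in the username a shell would interpret, and contrasts the root-cause pattern (string concatenation, returned here for inspection and never executed) with the hardened pattern (allowlist validation plus an argv list, with shlex.quote as a fallback). The allowlist pattern and the `/usr/local/bin/lookup_user` helper path are assumptions for the example.

```python
import re
import shlex
from urllib.parse import parse_qs

# Allowlist for what a login username may look like. The pattern is an
# assumption chosen for this example, not ZyXEL's rule.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")

# Characters that change the meaning of a command line under /bin/sh -c.
SHELL_META = set(";|&$`<>()\n\r'\"\\ ")


def parse_login_query(query: str) -> dict:
    """Parse a CGI query string such as 'username=alice&password=x'.
    parse_qs percent-decodes once; the first value of each key is kept."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def shell_metachars(value: str) -> list:
    """Return the metacharacters in `value` that a shell would interpret."""
    return sorted({c for c in value if c in SHELL_META})


def build_command_unsafe(username: str) -> str:
    """Root-cause pattern: the untrusted parameter is spliced into a command
    line destined for a shell. Returned as a string for inspection only;
    nothing is executed here. (Hypothetical helper binary path.)"""
    return "/usr/local/bin/lookup_user " + username


def validate_username(username: str) -> bool:
    """Allowlist check: reject anything that is not a plain account name."""
    return USERNAME_RE.fullmatch(username) is not None


def build_command_hardened(username: str) -> list:
    """Fixed pattern: validate against the allowlist, then pass the value as
    its own argv element so no shell ever parses it."""
    if not validate_username(username):
        raise ValueError("username rejected by allowlist")
    return ["/usr/local/bin/lookup_user", username]


def quote_for_shell(username: str) -> str:
    """Fallback when a shell cannot be avoided: shlex.quote() single-quotes
    the value so its metacharacters become inert."""
    return shlex.quote(username)


if __name__ == "__main__":
    for raw in ("username=alice&password=x", "username=alice%3Bid&password=x"):
        user = parse_login_query(raw)["username"]
        print(f"{user!r}: metachars={shell_metachars(user)} "
              f"unsafe={build_command_unsafe(user)!r} allowed={validate_username(user)}")
```

The allowlist is the primary control; quoting is only a safety net for legacy code paths that must keep calling a shell, because a single missed call site reintroduces the injection.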
Why is this noteworthy?
This vulnerability exists in a number of ZyXEL devices (a full list of which is included under “References” below). The exploit is simple but highly reliable, and while the exploited web server does not run as the root user, numerous ZyXEL devices include a “setuid” utility that can run any command with root privileges. Because the exploit is so simple, a malicious actor can readily locate thousands of vulnerable devices using pre-provided links and attempt the exploit with little effort. A malicious actor also does not need direct connectivity to the vulnerable device: a user merely viewing a compromised website can cause the exploit to be performed against any ZyXEL device reachable from that user's system.
What is the exposure or risk?
When exploited, this vulnerability allows a malicious actor to execute arbitrary remote commands or code, potentially with root privileges via the “setuid” utility. Also of note is recent activity suggesting that ransomware groups have been actively working to fold this exploit into the notorious “Emotet” malware, meaning it could be leveraged to propagate ransomware attacks.
What are the recommendations?
ZyXEL has patched the vulnerability in several of the affected devices and recommends downloading the available firmware updates as soon as possible. However, some affected devices have been identified by ZyXEL as end of life and are no longer supported, so no update will be made available for them. In either case, you can also harden your devices against exploitation with the following security steps:
- Block access to the web interface (80/tcp and 443/tcp) on any vulnerable ZyXEL device.
- Restrict access to vulnerable ZyXEL devices by not exposing them to the internet directly.
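To verify the two hardening steps above and to spot probing of weblogin.cgi, the following added example (written for this advisory, not a SKOUT or ZyXEL tool) scans web-server access logs in the common "combined" format. It flags weblogin.cgi requests whose username carries shell metacharacters, requests arriving from outside RFC 1918 space (an exposed interface), and requests carrying a Referer from another site (the browser-relayed pattern described earlier). The log lines are constructed samples; the `trusted_hosts` parameter and the LAN ranges are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/nginx "combined" log format. They are
# illustrative only and are not traffic captured from any ZyXEL device.
SAMPLE_LOG = """\
192.168.1.20 - - [25/Feb/2020:10:01:02 +0000] "GET /cgi-bin/weblogin.cgi?username=alice&password=x HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Feb/2020:10:01:05 +0000] "GET /cgi-bin/weblogin.cgi?username=admin%3Bid&password=x HTTP/1.1" 200 310 "-" "python-requests/2.22"
203.0.113.7 - - [25/Feb/2020:10:01:06 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "python-requests/2.22"
192.168.1.31 - - [25/Feb/2020:10:02:11 +0000] "GET /cgi-bin/weblogin.cgi?username=bob%60uname%60&password=x HTTP/1.1" 200 300 "http://evil.example/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Characters a POSIX shell treats specially; any of them in a username is a
# strong signal of a command-injection probe rather than a real login.
SHELL_META = set(";|&$`<>()\n\r")

# Ranges treated as "inside" for the exposure check (RFC 1918 + loopback).
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_lan_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def analyse_line(line: str, trusted_hosts=frozenset()):
    """Return a finding dict for a suspicious weblogin.cgi request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None                      # not a combined-format line; skip
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/weblogin.cgi"):
        return None
    # parse_qs percent-decodes once; deliberately no second decode pass,
    # which would turn harmless %25 sequences into false positives.
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    username = params.get("username", "")
    metachars = sorted({c for c in username if c in SHELL_META})

    reasons = []
    if metachars:
        reasons.append("shell_metacharacters_in_username")
    if not is_lan_address(m.group("ip")):
        reasons.append("login_from_non_private_source")
    ref_host = urlsplit(m.group("referer")).hostname
    if ref_host and ref_host not in trusted_hosts:
        reasons.append("cross_site_referer")   # browser-relayed request pattern
    if not reasons:
        return None
    return {"src": m.group("ip"), "time": m.group("ts"), "username": username,
            "metachars": metachars, "reasons": reasons}


def scan_log(text: str, trusted_hosts=frozenset()) -> list:
    """Run analyse_line over every line and collect the findings."""
    findings = []
    for line in text.splitlines():
        f = analyse_line(line, trusted_hosts)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Two caveats for deployment: a login submitted by POST carries the username in the request body, which standard access logs do not record, so body inspection (WAF or IDS) is needed for full coverage; and the "non-private source" reason is only meaningful if the device is not behind a proxy that rewrites the client address.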
Download the hotfix here: https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml
| Affected model | Standard availability | Patched firmware |
|---|---|---|
| NAS326 | March 2020 | V5.21(AAZF.7)C0 |
| NAS520 | March 2020 | V5.21(AASZ.3)C0 |
| NAS540 | March 2020 | V5.21(AATB.4)C0 |
| NAS542 | March 2020 | V5.21(ABAG.4)C0 |
| ATP100 | March 2020 | V4.35(ABPS.3)C0 |
| ATP200 | March 2020 | V4.35(ABFW.3)C0 |
| ATP500 | March 2020 | V4.35(ABFU.3)C0 |
| ATP800 | March 2020 | V4.35(ABIQ.3)C0 |
| USG20-VPN | March 2020 | V4.35(ABAQ.3)C0 |
| USG20W-VPN | March 2020 | V4.35(ABAR.3)C0 |
| USG40 | March 2020 | V4.35(AALA.3)C0 |
| USG40W | March 2020 | V4.35(AALB.3)C0 |
| USG60 | March 2020 | V4.35(AAKY.3)C0 |
| USG60W | March 2020 | V4.35(AAKZ.3)C0 |
| USG110 | March 2020 | V4.35(AAPH.3)C0 |
| USG210 | March 2020 | V4.35(AAPI.3)C0 |
| USG310 | March 2020 | V4.35(AAPJ.3)C0 |
| USG1100 | March 2020 | V4.35(AAPK.3)C0 |
| USG1900 | March 2020 | V4.35(AAPL.3)C0 |
| USG2200 | March 2020 | V4.35(ABAE.3)C0 |
| VPN50 | March 2020 | V4.35(ABHL.3)C0 |
| VPN100 | March 2020 | V4.35(ABFV.3)C0 |
| VPN300 | March 2020 | V4.35(ABFC.3)C0 |
| VPN1000 | March 2020 | V4.35(ABIP.3)C0 |
| ZyWALL110 | March 2020 | V4.35(AAAA.3)C0 |
| ZyWALL310 | March 2020 | V4.35(AAAB.3)C0 |
| ZyWALL1100 | March 2020 | V4.35(AAAC.3)C0 |
References:
For more in-depth information about the recommendations, please visit the following links:
- https://krebsonsecurity.com/2020/02/zyxel-0day-affects-its-firewall-products-too/
- https://kb.cert.org/vuls/id/498544/
- https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices/
- https://www.checkpoint.com/defense/advisories/public/2020/cpai-2020-0088.html
- https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml
If you have any questions, please contact our Security Operations Center.