[BreachExchange] Zyxel storage, firewall, VPN, security boxes have a give-anyone-on-the-internet-root hole: Patch right now

Destry Winant destry at riskbasedsecurity.com
Thu Feb 27 10:00:34 EST 2020


https://www.theregister.co.uk/2020/02/26/zyxel_security_hole/

It's 2020 and pre-auth, superuser command injection is still a thing

Zyxel's network storage boxes, business VPN gateways, firewalls, and,
er, security scanners can be remotely hijacked by any miscreant, due
to a devastating security hole in the firmware.

The devices' weblogin.cgi program fails to sanitize user input,
allowing anyone who can reach one of these vulnerable machines, over
the network or across the internet, to silently inject and execute
arbitrary commands as the root superuser with no authentication
required. That would be a total compromise. It's a 10 out of 10 in
terms of severity.

As its name suggests, weblogin.cgi is part of the built-in web-based
user interface provided by the firmware, and the commands can be
injected via GET or POST HTTP requests.

If a miscreant can't directly connect to a vulnerable Zyxel device,
"there are ways to trigger such crafted requests even if an attacker
does not have direct connectivity to a vulnerable device," noted
Carnegie Mellon's CERT Coordination Center in its advisory on the
matter.

"For example, simply visiting a website can result in the compromise
of any Zyxel device that is reachable from the client system."

Here's the affected equipment, which will need patching:

Network-connected storage devices: NAS326, NAS520, NAS540, NAS542
"Advanced" security firewalls: ATP100, ATP200, ATP500, ATP800
Security firewalls and gateways: USG20-VPN, USG20W-VPN, USG40, USG40W,
USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200,
VPN50, VPN100, VPN300, VPN1000, ZyWALL110, ZyWALL310, and ZyWALL1100

Fixes can be fetched and installed from Zyxel's website. Meanwhile,
the NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S,
NSA325 and NSA325v2 models are no longer supported, and thus no
patches are available, but are still vulnerable. The security bug
(CVE-2020-9054) is trivial to exploit, unfortunately.

"Command injection within a login page is about as bad as it gets and
the lack of any cross-site request forgery token makes this
vulnerability particularly dangerous," Craig Young, a researcher with
security house Tripwire, told The Register earlier today. "JavaScript
running in the browser is enough to identify and exploit vulnerable
devices on the network."
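The two defects the article describes, request fields spliced into a shell command and a login form with no CSRF token, are shown below as an added Go illustration. This is not Zyxel's weblogin.cgi and not The Register's code; the helper path, field names, token handling and the 192.0.2.1 device origin are all constructed for the demo. The vulnerable path is only built as a string so the shell parsing problem is visible; the hardened path allowlists the username, spawns the helper with a separate argv element per argument, accepts only POST, and checks a per-session token and the Origin header.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Hypothetical CGI-style login handler for illustration only; the helper
// binary, field names and origins below are invented, not Zyxel's.

// usernamePattern is the allowlist: only the characters a login name needs.
var usernamePattern = regexp.MustCompile(`^[A-Za-z0-9_.@-]{1,32}$`)

// vulnerableCommandLine reproduces the anti-pattern behind command injection:
// a request field is spliced into a string that is later handed to `sh -c`,
// so the shell parses whatever metacharacters the field carries.
func vulnerableCommandLine(username string) string {
	return "/usr/sbin/check_login --user " + username
}

// ShellMetaChars are the characters a shell treats specially; a log review or
// WAF rule can flag requests to a login endpoint that carry any of them.
const ShellMetaChars = ";|&`$(){}<>\n\r'\"\\"

// HasShellMeta reports whether a request field contains shell metacharacters.
func HasShellMeta(field string) bool {
	return strings.ContainsAny(field, ShellMetaChars)
}

// LoginArgv is the hardened path: anything outside the allowlist is refused,
// and the result is an argv slice (one element per argument) so the helper is
// exec'd directly and the username is never interpreted by a shell.
func LoginArgv(username string) ([]string, error) {
	if !usernamePattern.MatchString(username) {
		return nil, errors.New("username rejected by allowlist")
	}
	return []string{"/usr/sbin/check_login", "--user", username}, nil
}

// ValidateLoginRequest applies the controls the article says were absent:
// login only via POST (not GET), a per-session CSRF token compared in constant
// time, and, as defence in depth, an Origin header matching the device itself
// (an absent Origin is tolerated for non-browser clients; the token is the
// primary control).
func ValidateLoginRequest(method, origin string, form url.Values, sessionToken, deviceOrigin string) ([]string, error) {
	if method != "POST" {
		return nil, errors.New("login only accepted via POST")
	}
	if origin != "" && origin != deviceOrigin {
		return nil, errors.New("cross-origin request refused")
	}
	got := form.Get("csrf_token")
	if sessionToken == "" || subtle.ConstantTimeCompare([]byte(got), []byte(sessionToken)) != 1 {
		return nil, errors.New("missing or wrong CSRF token")
	}
	return LoginArgv(form.Get("username"))
}

func main() {
	// Constructed sample inputs: a benign login name and one carrying a
	// shell separator.
	hostile := "alice;id"
	fmt.Printf("vulnerable path would run: %q\n", vulnerableCommandLine(hostile))
	fmt.Println("metacharacters present:", HasShellMeta(hostile))
	if _, err := LoginArgv(hostile); err != nil {
		fmt.Println("hardened path:", err)
	}
	form := url.Values{"username": {"alice"}, "csrf_token": {"tok123"}}
	argv, err := ValidateLoginRequest("POST", "https://192.0.2.1", form, "tok123", "https://192.0.2.1")
	fmt.Println("valid request argv:", argv, "err:", err)
}
```

Note that the hardened version does not try to escape or strip metacharacters; it rejects them and avoids the shell entirely, which is the only robust fix for this bug class.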

Speaking of bad, exploit code is already on sale for $20,000 in
underground forums, and the patched firmware is delivered via
unencrypted FTP, which can be meddled with by network eavesdroppers.

"Be cautious when updating firmware on affected devices, as the Zyxel
firmware upgrade process both uses an insecure channel (FTP) for
retrieving updates, and the firmware files are only verified by
checksum rather than cryptographic signature," CERT-CC warned.

"For these reasons, any attacker that has control of DNS or IP routing
may be able to cause a malicious firmware to be installed on a Zyxel
device."
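Why a checksum is not enough, as an added Go illustration rather than anything from Zyxel's update process or the article: the simulation below downloads a firmware image over a channel the attacker controls (standing in for plain FTP plus control of DNS or routing), replaces the image, and recomputes the published checksum, which the device then accepts. A signature verified against a public key pinned in the device passes for the genuine image and fails for the replaced one. The image bytes and the key pair are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Illustration only: not Zyxel's firmware update code. Keys and image bytes
// are generated here for the demo.

// ChecksumOK is the weak check. It detects accidental corruption but not
// substitution, because whoever can replace the image on the wire can also
// serve a digest computed over the replacement.
func ChecksumOK(image []byte, publishedHex string) bool {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:]) == publishedHex
}

// SignatureOK is the strong check: the device carries the vendor's public key
// (pinned at manufacture), so a substituted image is refused unless the
// attacker also holds the vendor's private signing key.
func SignatureOK(pinnedPub ed25519.PublicKey, image, sig []byte) bool {
	return ed25519.Verify(pinnedPub, image, sig)
}

// UpdateResult records which of the two checks accepted the received image.
type UpdateResult struct {
	ChecksumAccepted  bool
	SignatureAccepted bool
}

// SimulateUpdate models one download over an unauthenticated channel.
// tamper=true stands in for an attacker controlling DNS or IP routing, who
// serves a modified image and a checksum recomputed to match it; the
// signature the device expects is still the vendor's, which cannot be forged.
func SimulateUpdate(vendorPriv ed25519.PrivateKey, pinnedPub ed25519.PublicKey, genuine []byte, tamper bool) UpdateResult {
	sum := sha256.Sum256(genuine)
	publishedSum := hex.EncodeToString(sum[:])
	publishedSig := ed25519.Sign(vendorPriv, genuine)

	received := genuine
	if tamper {
		received = append([]byte("MALICIOUS-"), genuine...)
		s := sha256.Sum256(received)
		publishedSum = hex.EncodeToString(s[:]) // attacker republishes the digest
	}
	return UpdateResult{
		ChecksumAccepted:  ChecksumOK(received, publishedSum),
		SignatureAccepted: SignatureOK(pinnedPub, received, publishedSig),
	}
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image v1.0") // demo payload
	fmt.Printf("genuine download:  %+v\n", SimulateUpdate(priv, pub, image, false))
	fmt.Printf("tampered download: %+v\n", SimulateUpdate(priv, pub, image, true))
}
```

In practice the signed object should also carry the model and version so a valid but older, vulnerable image cannot be replayed, but that is a separate control from the one the advisory calls out.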

If you can't patch your Zyxel device, bin it – especially if it's
facing the internet. ®
