CVE-2020-9054 - Vulnerability in Zyxel Network Attached Storage (NAS) Devices

Description

FortiGuard Labs is aware of a newly disclosed vulnerability in Zyxel network attached storage (NAS) devices in an advisory published today by CERT/CC. Multiple Zyxel devices contain a pre authentication command injection vulnerability, which may allow a remote unauthenticated attacker to execute arbitrary code on the device. The vulnerability was reported by security journalist Brian Krebs (Krebs on Security) who learned about the flaw from a researcher who had obtained the exploit code from a reseller on the underground forums. This vulnerability has been assigned CVE-2020-9054.

What are the details of this vulnerability exactly?

The vulnerability is in (weblogin.cgi), which is a cgi script used by Zyxel NAS devices to perform authentication. The script fails to properly sanitize the username parameter. if the parameter contains a specific subset of characters it can allow for command injection with elevated privileges on the webserver. Although the webserver does not run at root; Zyxel devices contain a setuid utility that can be leveraged to run commands with root privileges. Remote code execution via OS command injection can occur due to the program missing authentication. By sending a specially crafted HTTP POST or GET request, an attacker can leverage this technique to perform unauthenticated arbitrary code execution on the device.

What is the severity of this vulnerability?

Due to an attacker who can perform code execution with root privileges without authentication, this vulnerability is deemed HIGH. CERT/CC has assigned this vulnerability a CVSS base score of 10.

What products are affected?

Zyxel products only, specifically model numbers NAS326/NAS520/NAS540/NAS542. Others not on this list are no longer supported.

Is proof of concept code publicly available?

According to CERT/CC exploit code is publicly available. CERT/CC has also created a POC for companies to investigate signature feasibility.

Is there a vendor patch or firmware update available?

Yes. Zyxel has published descriptions of devices affected along with firmware updates available and they are:

Models Firmware versions available

NAS326 March 2020. Firmware V5.21(AAZF.7)C0

NAS520 March 2020. Firmware V5.21(AASZ.3)C0

NAS540 March 2020. Firmware V5.21(AATB.4)C0

NAS542 March 2020. Firmware V5.21(ABAG.4)C0

According to the vendor page - products not listed here or products that have reached end of life are no longer supported.

Any other recommendations and/or suggested mitigation?

For products that are no longer supported it is suggested that devices affected by CVE-2020-9054 are not internet facing and or placed behind a firewall to prevent unauthenticated access. Also, FortiGuard labs recommends that system administrators perform an audit of their network to ensure that machines affected by this vulnerability and any other services that were not meant to be exposed externally, be firewalled as soon as time permits and that authentication be enabled to ensure additional mitigation from external access.

What is the status of AV/IPS coverage?

Customers running the latest definitions (15.784) are protected by the following IPS signature:

ZyXEL.NAS.Pre-authentication.OS.Command.Injection

AV was deemed not feasible at this time.

MITRE ATT&CK

ID: T1068

Tactic: Privilege Escalation

Platform: Linux, macOS, Windows

System Requirements: In the case of privilege escalation, the adversary likely already has user permissions on the target system.

Permissions Required: User

Effective Permissions: User

Data Sources: Windows Error Reporting, Process monitoring, Application logs

Version: 1.1

Appendix

References:

https://www.kb.cert.org/vuls/id/498544/

https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml