Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability. The weblogin.cgi CGI executable fails to properly sanitize the username parameter, allowing command injection with the privileges of the web server. Although the web server does not run as root, a setuid utility on the device can be leveraged to run any command with root privileges. This vulnerability affects several ZyXEL NAS models, including NAS326, NAS520, NAS540, and NAS542 before the fixed firmware versions listed below, as well as the end-of-support models NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2.
The vulnerability allows a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device with root privileges by sending a specially crafted HTTP POST or GET request to the device. The attack can be carried out by connecting directly to an exposed device, or indirectly: for example, a client system that simply visits a malicious website could be used to compromise any ZyXEL device reachable from that client. The severity is critical, with a CVSS v3.1 base score of 9.8 out of 10. This score reflects the ease of exploitation (network vector, low complexity, no privileges required, no user interaction) and the complete loss of confidentiality, integrity, and availability that a successful attack can cause.
Multiple proof-of-concept exploits are available on krebsonsecurity.com and github.com. There is no evidence of exploitation in the wild at the moment.
ZyXEL has released firmware updates to address this vulnerability for the following models:
- NAS326: Update to firmware V5.21(AAZF.7)C0 or later
- NAS520: Update to firmware V5.21(AASZ.3)C0 or later
- NAS540: Update to firmware V5.21(AATB.4)C0 or later
- NAS542: Update to firmware V5.21(ABAG.4)C0 or later
However, several affected models (NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2) are end-of-support and do not have patches available.
1. Immediately apply the available firmware updates for supported models (NAS326, NAS520, NAS540, NAS542).
2. For end-of-support models without available patches, consider replacing the devices with supported, patched alternatives.
3. If immediate patching or replacement is not possible, implement network segmentation to isolate vulnerable devices from untrusted networks.
4. Monitor for suspicious activities or unauthorized access attempts on affected devices.
5. Ensure that ZyXEL NAS devices are not directly exposed to the internet. Use a VPN or other secure remote access method if remote access is required.
6. Regularly check for and apply security updates for all network devices, especially those providing critical services like network-attached storage.
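As an added example (not part of the advisory and not ZyXEL's own code), a small Python inventory check that applies the patch list above: it parses ZyXEL firmware strings, compares each supported model against its fixed build, and reports end-of-support models as unpatched regardless of version. The reading of the firmware string layout and its ordering is an assumption noted in the comments, and the sample inventory is constructed.

```python
import re

# Minimum fixed firmware per supported model, from the advisory text above.
FIXED_FIRMWARE = {
    "NAS326": "V5.21(AAZF.7)C0",
    "NAS520": "V5.21(AASZ.3)C0",
    "NAS540": "V5.21(AATB.4)C0",
    "NAS542": "V5.21(ABAG.4)C0",
}
# End-of-support models named above: no patch exists, so any firmware counts as vulnerable.
END_OF_SUPPORT = {"NSA210", "NSA220", "NSA220+", "NSA221", "NSA310", "NSA310S",
                  "NSA320", "NSA320S", "NSA325", "NSA325v2"}

# A string such as V5.21(AAZF.7)C0 is read as version 5.21, model code AAZF, build 7,
# release C0. Assumption: within one version and model code, builds are ordered by
# the build number and then the release number.
_FW_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")

def parse_firmware(fw):
    """Return (major, minor, model_code, build, release); raise ValueError if unparseable."""
    m = _FW_RE.match(fw.strip())
    if not m:
        raise ValueError("unrecognised firmware string: %r" % fw)
    major, minor, code, build, release = m.groups()
    return int(major), int(minor), code, int(build), int(release)

def assess(model, firmware):
    """Classify one device as 'patched', 'vulnerable', 'end-of-support' or 'unknown'."""
    if model in END_OF_SUPPORT:
        return "end-of-support"
    if model not in FIXED_FIRMWARE:
        return "unknown"
    have = parse_firmware(firmware)
    need = parse_firmware(FIXED_FIRMWARE[model])
    if have[2] != need[2]:
        return "unknown"  # model code mismatch: string belongs to another product, do not guess
    key = lambda v: (v[0], v[1], v[3], v[4])
    return "patched" if key(have) >= key(need) else "vulnerable"

def assess_inventory(inventory):
    """inventory: iterable of (hostname, model, firmware) -> list of (hostname, status)."""
    return [(host, assess(model, fw)) for host, model, fw in inventory]

# Constructed sample inventory: hostnames and the NSA325v2 firmware string are made up.
SAMPLE_INVENTORY = [
    ("nas-a", "NAS326", "V5.21(AAZF.6)C0"),   # one build behind the fix
    ("nas-b", "NAS540", "V5.21(AATB.4)C0"),   # exactly the fixed build
    ("nas-c", "NSA325v2", "V4.81(AALS.1)C0"), # end-of-support, no fix to compare against
]
```

A device whose firmware string carries a different model code than the fixed build for its model is reported as unknown rather than guessed at, so it can be checked by hand.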
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Feedly found the first article mentioning CVE-2020-9054.
Attacks in the wild have been reported by the CISA Known Exploited Vulnerabilities catalog.
EPSS Score was set to: 97.14% (Percentile: 99.7%)
The vulnerability CVE-2020-9054 is a critical zero-day vulnerability affecting ZyXEL Communications Corp. It has been exploited in the wild by the Emotet ransomware group, with no proof-of-concept exploits available. There are currently no known mitigations, detections, or patches available, and it may have downstream impacts on other third-party vendors or technology.
Detection for the vulnerability has been added to Qualys (731233)