CVE-2024-42057

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

Published: Sep 3, 2024 / Updated: 2mo ago

CVSS 8.1 / EPSS 0.09% / High

Summary

A command injection vulnerability exists in the IPSec VPN feature of several Zyxel device series and firmware versions. This vulnerability affects Zyxel ATP series firmware versions V4.32 through V5.38, USG FLEX series firmware versions V4.50 through V5.38, USG FLEX 50(W) series firmware versions V4.16 through V5.38, and USG20(W)-VPN series firmware versions V4.16 through V5.38. The vulnerability allows an unauthenticated attacker to execute some OS commands on an affected device by sending a crafted username to the vulnerable device.

Impact

If successfully exploited, this vulnerability could allow an attacker to execute operating system commands on the affected device. This could potentially lead to unauthorized access, system manipulation, data theft, or service disruption. The CVSS v3.1 base score of 8.1 (High) indicates severe potential impacts on confidentiality, integrity, and availability of the system. Given that the attack vector is network-based and requires no user interaction, it could be exploited remotely, increasing its potential for widespread impact.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation at the moment.

Patch

The information provided does not mention an available patch. Because the vulnerability affects specific firmware versions, updating to a newer, unaffected firmware version is likely to be the remedy once one becomes available; however, no explicit patch information is given in the data at hand.

Mitigation

While no specific patch is mentioned, several mitigation steps can be recommended:

1. Ensure that the IPSec VPN feature is not configured in User-Based-PSK authentication mode, as the vulnerability is only exploitable in this configuration.
2. Review and remove any user accounts with usernames exceeding 28 characters, as the vulnerability requires a valid user with a long username to be exploited.
3. Implement network segmentation to limit access to the affected devices from untrusted networks.
4. Monitor for any suspicious activities or unauthorized access attempts to the affected devices.
5. Keep an eye out for firmware updates from Zyxel and apply them as soon as they become available.
6. If possible, consider disabling the IPSec VPN feature until a patch is released, if it is not critical for operations.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-42057

Sep 3, 2024 at 2:15 AM

First Article

Feedly found the first article mentioning CVE-2024-42057.

Sep 3, 2024 at 2:16 AM / Zyxel

Threat Intelligence Report

CVE-2024-42057 is a critical command injection vulnerability in the IPSec VPN feature of certain Zyxel firewall versions, allowing unauthenticated attackers to execute OS commands. This vulnerability has been acknowledged by security researchers and patches have been released by Zyxel to address it. It is important for organizations using affected firewall versions to apply the patches immediately to prevent exploitation and potential downstream impacts on their network security.

Sep 3, 2024 at 2:16 AM

CVSS Estimate

Feedly estimated the CVSS score as HIGH

Sep 3, 2024 at 2:21 AM

EPSS

EPSS Score was set to: 0.09% (Percentile: 39.1%)

Sep 3, 2024 at 9:38 AM

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (206735)

Sep 6, 2024 at 9:18 PM

Attribution of Exploits

The vulnerability is known to be exploited by HellDown.

Nov 19, 2024 at 5:03 PM / BleepingComputer

Exploitation in the Wild

Attacks in the wild have been reported by Neowin.

Nov 19, 2024 at 6:32 PM / Neowin
Affected Systems

Zyxel/zld_firmware

Patches

www.zyxel.com

Links to Malware Families

HellDown

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

References

Zyxel security advisory for multiple vulnerabilities in firewalls
CVE-2024-42060: A post-authentication command injection vulnerability in some firewall versions could allow an authenticated attacker with administrator privileges to execute some OS commands on an affected device by uploading a crafted internal user agreement file to the vulnerable device.
CVE-2024-42059: A post-authentication command injection vulnerability in some firewall versions could allow an authenticated attacker with administrator privileges to execute some OS commands on an affected device by uploading a crafted compressed language file via FTP.
Helldown Ransomware: an overview of this emerging threat
Through our social media monitoring, Sekoia’s Threat Detection & Research (TDR) team identified a tweet posted on 31 October 2024 mentioning a Linux variant of the Helldown ransomware targeting Linux systems. On 4 November 2024, through an analysis of the attack surfaces of various victims, TDR identified that at least eight victims, including one compromised in early August, were using Zyxel firewalls as IPSec VPN access points during the time of their breach.

News

Helldown Ransomware Group Tied to Zyxel’s Firewall Exploits | #ransomware | #cybercrime
Attackers wielding an emerging strain of ransomware called Helldown have been gaining a foothold in victims’ networks by exploiting Zyxel firewalls, security researchers warn. The Helldown operation has claimed 31 victims over the past three months, largely by using a Windows version of its crypto-locking malware, together with a data-leak site where it attempts to name and shame victims, French cybersecurity software company Sekoia said Tuesday.
Helldown ransomware evolves to target VMware systems via Linux | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware
While ransomware targeting Linux isn’t unprecedented, Helldown’s focus on VMware systems shows its operators are evolving to disrupt the virtualized infrastructures many businesses rely on, said Patrick Tiquet, vice president, security and architecture at Keeper Security. In a Nov. 19 blog post, Sekoia’s Threat Detection and Research Team reported that while Helldown’s exact methods are unclear, both Cyfirma and Cyberint have found that the group exploits recently disclosed and likely not yet patched vulnerabilities to infiltrate a victim’s network and then deploy ransomware.
CVE-2024-42057: Exploited by Helldown Ransomware to Target Linux
The Helldown ransomware group, previously known for targeting Windows systems, has expanded its operations to include Linux machines. This new development was uncovered by Sekoia’s Threat Detection & Research (TDR) team, who identified a tweet mentioning a Linux variant of the Helldown ransomware targeting Linux systems.
Helldown Ransomware Group Tied to Zyxel's Firewall Exploits
In September, security firm Cyfirma detailed an August surge in claimed victims by Helldown, which it said was "exploiting vulnerabilities to infiltrate networks and disable security measures, targeting IT services, telecommunications and manufacturing sectors." Following in the double-extortion footprints of numerous other ransomware groups, the attackers regularly stole data and threatened to release it unless victims paid a ransom. Attackers wielding an emerging strain of ransomware called Helldown have been gaining a foothold in victims' networks by exploiting Zyxel firewalls, security researchers warn.

CVSS V3.1

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
