CVE-2024-42059
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
Summary
A post-authentication command injection vulnerability exists in multiple Zyxel firewall product lines and firmware versions. This vulnerability affects ATP series firmware versions V5.00 through V5.38, USG FLEX series firmware versions V5.00 through V5.38, USG FLEX 50(W) series firmware versions V5.00 through V5.38, and USG20(W)-VPN series firmware versions V5.00 through V5.38. The vulnerability allows an authenticated attacker with administrator privileges to execute arbitrary OS commands on an affected device by uploading a crafted compressed language file via FTP.
Impact
If exploited, this vulnerability could lead to severe consequences. An attacker with administrator privileges could execute arbitrary OS commands on the affected Zyxel devices. This could result in complete compromise of the device, potentially leading to: 1. Unauthorized access to sensitive information 2. Modification or destruction of data 3. Disruption of network services 4. Use of the compromised device as a pivot point for further attacks on the network The vulnerability has a CVSS v3.1 base score of 7.2 (High), with high impacts on confidentiality, integrity, and availability. This indicates that successful exploitation could significantly affect the organization's data and operations.
Exploitation
There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.
Patch
A patch is available. Zyxel has released security updates to address this vulnerability. The patch information was added on September 5, 2024, and can be found on the Zyxel website: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-09-03-2024
Mitigation
To mitigate this vulnerability, the following steps are recommended: 1. Immediately update affected Zyxel devices to the latest firmware versions (V5.39 or later) which contain the security fix. 2. If immediate patching is not possible, implement strict access controls to limit who can access the administrator interface of these devices. 3. Monitor logs for any suspicious FTP activities or file uploads, especially those related to language files. 4. Implement network segmentation to isolate affected devices if they cannot be immediately patched. 5. Regularly review and audit administrator accounts to ensure only necessary personnel have elevated privileges. 6. Consider implementing additional network security measures such as intrusion detection/prevention systems (IDS/IPS) to monitor for potential exploitation attempts.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Timeline
NVD published the first details for CVE-2024-42059
Feedly found the first article mentioning CVE-2024-42059. See article
CVE-2024-42059 is a critical post-authentication command injection vulnerability in Zyxel firewalls that could allow an authenticated attacker to execute OS commands. This vulnerability has been acknowledged by security researchers and patches have been released by Zyxel to address it. It is important for organizations to apply the patches promptly to prevent potential exploitation by malicious actors. See article
Feedly estimated the CVSS score as HIGH
EPSS Score was set to: 0.05% (Percentile: 21.1%)
Detection for the vulnerability has been added to Nessus (206736)