Safety researchers found a severe vulnerability within the Zyxel Firewall, permitting for native privilege escalation. Nevertheless, a distant attacker might additionally exploit the flaw, including to the severity of the difficulty. Fortunately, Zyxel patched the vulnerability following the report, avoiding any malicious exploitation.
Zyxel Firewall Vulnerability
Elaborating their findings in a latest post, Rapid7 researchers talked about how they discovered an area privilege escalation vulnerability affecting the Zyxel firewall. In keeping with the researchers, the merchandise affected by this vulnerability embrace,
- USG FLEX 100, 100W, 200, 500, 700
- USG20-VPN, USG20W-VPN
- ATP 100, 200, 500, 700, 800
- VPN 50, 100, 300, 1000
These firewalls usually goal at serving company prospects, providing electronic mail safety, internet filtering, SSL inspection, intrusion safety, and VPN.
Particularly, the vulnerability for allowed a low-privileged authenticated consumer to realize root entry on course units. Triggering the vulnerability includes exploiting the zysudo.suid binary, which permits a low-privileged consumer to execute completely different permitted (allow-list) instructions. The researchers seen that many of those instructions permit command injection and arbitrary file-write to the customers. However one such file root: /var/zyxel/crontab was of major concern because it allowed an attacker to realize root entry.
Describing the PoC exploit, the researchers acknowledged,
The attacker copies the energetic
crontabto/tmp/. Then they useechoto create a brand new script known as/tmp/exec_me. The brand new script, when executed, will begin a reverse shell to 10.0.0.28:1270. Execution of the brand new script is appended to/tmp/crontab. Then/var/zyxel/crontabis overwritten with the malicious/tmp/crontabutilizingzysudo.suid.cronwill execute the appended command asrootthroughout the subsequent 60 seconds.
Whereas the vulnerability apparently facilitates native customers, the researchers defined {that a} distant attacker might additionally exploit the flaw. Doing so merely required the attacker to take advantage of one other associated flaw, just like the CVE-2022-30525.
Patch Deployed
Following this discovery, the researchers reached out to Zyxel officers. In response, the distributors patched the vulnerability throughout a number of merchandise.
As elaborated in Zyxel’s advisory, the distributors patched this vulnerability along with one other flaw CVE-2022-2030. The advisory additionally lists the small print concerning the patched firmware variations that customers can check with replace their units accordingly.
Tell us your ideas within the feedback.