High
VU#498544 ZyXEL pre-authentication command injection in weblogin.cgi
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
High
(1 user assessed)
Low
(1 user assessed)Unknown
Unknown
Unknown
VU#498544 ZyXEL pre-authentication command injection in weblogin.cgi
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
” Multiple ZyXEL devices contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device.
Multiple ZyXEL devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, many ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges.
Exploit code for this vulnerability that targets NAS devices is available on the internet. “
Add Assessment
Ratings
-
Attacker ValueHigh
-
ExploitabilityLow
Technical Analysis
” Multiple ZyXEL devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, many ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges.
Exploit code for this vulnerability that targets NAS devices is available on the internet. “
Exploits are available. What interests me is this shodan.io search posted with 138,000+ devices still vulnerable. A firmware update has been released for most versions of device however, ” Block access to the ZyXEL device web interface “ is the advice for remaining or an alternative.
Here is the shodan search I put in as a reference for the topic as well. Again, you’re expert opinion is much more valuable than mine at this early stage. I am unfortunately unable to test these in my lab environment due to other commitments.
edit: I might be mistaken CVE-2020-9054 is listed as the exploit here: https://kb.cert.org/artifacts/cve-2020-9054.html
https://beta.shodan.io/search?query=ssl.cert.subject.CN%3Ausg
https://www.nist.gov/fusion-search?s=CVE-2020-9054
https://twitter.com/wdormann/status/1231987991473602561
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportGeneral Information
References
Additional Info
Technical Analysis
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
