====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN092
_____________________________________________________________________

DATE                : 25/02/2020

HARDWARE PLATFORM(S): ZyXEL NAS.

OPERATING SYSTEM(S): Zyxel NAS products running firmware version 5.21
                                     and earlier.

=====================================================================
https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml
https://kb.cert.org/vuls/id/498544/
________________________________________________________________________

Zyxel security advisory for the remote code execution vulnerability of
NAS products


CVE: CVE-2020-9054


Summary

Zyxel NAS (Network Attached Storage) products are affected by a remote
code execution vulnerability. Users are advised to install the hotfixes
or follow the workaround immediately for optimal protection.


What is the vulnerability?

A remote code execution vulnerability was identified in the weblogin.cgi
program of Zyxel NAS products running firmware version 5.21 and earlier.
Missing authentication for the program could allow attackers to perform
remote code execution via OS command injection.


What products are vulnerable—and what should you do?

After a thorough investigation, we’ve identified the vulnerable products
that are within their warranty and support period, as shown in the table
below. For optimal protection, we urge users to install the hotfixes
first and the firmware patches when available..

Affected model 	Hotfix availability 	Standard availability

NAS326 		March 2020. Firmware V5.21(AAZF.7)C0
NAS520 		March 2020. Firmware V5.21(AASZ.3)C0
NAS540 		March 2020. Firmware V5.21(AATB.4)C0
NAS542 		March 2020. Firmware V5.21(ABAG.4)C0

For affected products that reached end-of-support in 2016 or earlier,
firmware updates are no longer provided. We strongly recommend that
users follow the workaround procedure, as detailed below, to remediate
the vulnerability.


Affected models that are end-of-support 	Workaround

NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S,
NSA325 and NSA325v2 	

Do not leave the product directly exposed to the internet. If possible,
connect it to a security router or firewall for additional protection.


Got a question or a tipoff?

Please contact your local service rep for further information or
assistance. If you’ve found a vulnerability, we want to work with you to
fix it—contact security@zyxel.com.tw and we’ll get right back to you.


Acknowledgment

Thanks to Brian Krebs, an independent investigative journalist, for
reporting the issue to us and CERT/CC for coordinating the disclosure
process.


Revision history

Initial release 2020-02-24

_____________________________________________________________________


ZyXEL NAS pre-authentication command injection in weblogin.cgi
Vulnerability Note VU#498544

Original Release Date: 2020-02-24 | Last Revised: 2020-02-24


Overview

Multiple ZyXEL network-attached storage (NAS) devices contain a
pre-authentication command injection vulnerability, which may allow
a remote, unauthenticated attacker to execute arbitrary code on a
vulnerable device.



Description

CWE-78: Improper Neutralization of Special Elements used in an OS
Command ('OS Command Injection')

ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI
executable. This program fails to properly sanitize the username
parameter that is passed to it. If the username parameter contains
certain characters, it can allow command injection with the privileges
of the web server that runs on the ZyXEL device. Although the web server
does not run as the root user, ZyXEL devices include a setuid utility
that can be leveraged to run any command with root privileges. As such,
it should be assumed that exploitation of this vulnerability can lead to
remote code execution with root privileges.

Exploit code for this vulnerability is available on the internet. For
this reason, we have created a PoC exploit that has the ability to power
down affected ZyXEL devices.



Impact

By sending a specially-crafted HTTP POST or GET request to a vulnerable
ZyXEL device, a remote, unauthenticated attacker may be able to execute
arbitrary code on the device. This may happen by directly connecting to
a device if it is directly exposed to an attacker. However, there are
ways to trigger such crafted requests even if an attacker does not have
direct connectivity to a vulnerable devices. For example, simply
visiting a website can result in the compromise of any ZyXEL device that
is reachable from the client system.



Solution

Apply an update

ZyXEL has made firmware updates available for NAS326, NAS520, NAS540,
and NAS542 devices. Owners of NSA210, NSA220, NSA220+, NSA221, NSA310,
NSA310S, NSA320, NSA320S, NSA325 and NSA325v2 will not be able to
install firmware updates, as these devices are no longer supported. Be
cautious when updating firmware on affected devices, as the ZyXEL
firmware upgrade process both uses an insecure channel (FTP) for
retrieving updates, and the firmware files are only verified by checksum
rather than cryptographic signature. For these reasons, any attacker
that has control of DNS or IP routing may be able to cause a malicious
firmware to be installed on a ZyXEL device.


Please also consider the following workarounds:

Block access to the ZyXEL device web interface


This issue can be mitigated by blocking (for example with a firewall)
access to the web interface (80/tcp and 443/tcp) of any vulnerable ZyXEL
device. Any machine that can access the ZyXEL web interface should not
also be able to access the internet.


Restrict access to vulnerable ZyXEL devices

Direct exploitation of this vulnerability can be mitigated by
restricting access to vulnerable devices. In particular, do not expose
such devices directly to the internet. Note however, that it is still
possible for attackers to exploit devices that are not directly
connected to the internet. For example, by way of viewing a web page.



Vendor Information

Zyxel

Notified:  February 15, 2020 Updated:  February 24, 2020


Status

  Affected


Vendor Statement

No statement is currently available from the vendor regarding this
vulnerability.


Vendor Information

We are not aware of further vendor information regarding this
vulnerability.


Vendor References


https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml


CVSS Metrics
Group           Score    Vector
Base            10       AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal        9.5      E:F/RL:U/RC:C
Environmental   7.1      CDP:ND/TD:M/CR:ND/IR:ND/AR:ND



References


https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml

https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices/
    https://cwe.mitre.org/data/definitions/78.html



Acknowledgements

Thanks to Brian Krebs for notifying us of the exploit availability,
which was uncovered by Alex Holden of Hold Security.

This document was written by Will Dormann.


Other Information

CVE IDs:                CVE-2020-9054
Date Public:            2020-02-12
Date First Published:   2020-02-24
Date Last Updated:      2020-02-24 17:31 UTC
Document Revision:      31



=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================