An OS Command Injection Vulnerability in the CGI Program of Zyxel
# Executive Summary
The vulnerability, first reported on April 13, 2022, allowed remote code execution on Zyxel firewall products. This critical vulnerability, with a CVSS score of 9.8, was patched by the update Zyxel released 15 days after it was reported. At least 20,800 exposed devices were affected, most of them in Europe.
The vulnerability lies in the "setWanPortSt" command of the zero-touch provisioning applet, which is reached through the /ztp/cgi-bin/handler endpoint.
No exploitation has been observed since Zyxel released the update for the affected models. The firmware of the affected models has been upgraded to v5.30, and Zyxel has stressed that automatic firmware updates should be enabled to prevent exploitation.
On April 13, 2022, Rapid7 reported a vulnerability in Zyxel firewall devices that allows unauthenticated remote attackers to inject arbitrary commands and execute them as the "nobody" user. The vulnerability was rated critical with a CVSS score of 9.8. Zyxel addressed it with a security update on April 28, 2022, and on May 12, 2022, Rapid7 published an advisory and a Metasploit module for it.
# Vulnerability with Its Impact
Researchers at Shadowserver have begun monitoring attempts to exploit CVE-2022-30525. During their investigation, at least 20,800 of the affected Zyxel firewall models were found exposed on the internet, most of them in France and Italy.
The vulnerability stems from passing attacker-provided data to "os.system". The attack is launched through the /ztp/cgi-bin/handler endpoint; the handler is a Python script that can execute a number of different commands. Jake Baines, who first reported the bug, explained the vulnerability in his blog post as follows: “Rapid7 discovered and reported a vulnerability that affects Zyxel firewalls supporting Zero Touch Provisioning (ZTP), which includes the ATP series, VPN series, and the USG FLEX series (including USG20-VPN and USG20W-VPN). The vulnerability, identified as CVE-2022-30525, allows an unauthenticated and remote attacker to achieve arbitrary code execution as the nobody user on the affected device.”
The problem arises from a command called "setWanPortSt" in the zero-touch provisioning implementation, which lets the remote provisioning service change the IP settings of the firewall's ports.
A PoC has been published to show how exploitation works. Victorian Machinery is a proof-of-concept exploit for CVE-2022-30525, an unauthenticated remote command injection vulnerability affecting Zyxel firewalls that support zero-touch provisioning.
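To make the root cause concrete, the following is an added, constructed example (not Zyxel's handler code, and not from the advisory): a minimal model of a CGI handler that receives a JSON "setWanPortSt" request. The unsafe function shows the os.system pattern described above by building the shell string the request would produce, without executing anything; the hardened function shows the fix a defender would want, an allowlist per field and an argument vector that never passes through a shell. The field names follow the command described on this page, while the allowlist values, the regular expressions and the sample request bodies are this example's own assumptions.

```python
import json
import re

# Added, constructed example; this is NOT Zyxel's handler code. It models the
# pattern described above: a CGI handler that reads a JSON command and hands
# attacker-controlled fields to os.system(). The unsafe variant only builds
# the string os.system() would receive; nothing in this file runs a command.

# Assumed field formats for setWanPortSt (allowlists are this example's own,
# not Zyxel's).
ALLOWED_PROTO = {"dhcp", "static"}
FIELD_FORMATS = {
    "port": re.compile(r"[0-9]{1,2}"),
    "vlanid": re.compile(r"[0-9]{1,4}"),
    "mtu": re.compile(r"[0-9]{2,4}"),
}

# Constructed request bodies: the field names follow the command described on
# the page, the values are made up for this demonstration.
BENIGN_BODY = json.dumps({"command": "setWanPortSt", "proto": "dhcp", "port": "4",
                          "vlan_tag": "", "vlanid": "1270", "mtu": "1500", "data": "hi"})
HOSTILE_BODY = json.dumps({"command": "setWanPortSt", "proto": "dhcp", "port": "4",
                           "vlan_tag": "", "vlanid": "1270",
                           "mtu": "1500; echo injected", "data": "hi"})


def build_command_unsafe(body: str) -> str:
    """Vulnerable pattern: interpolate request fields into one shell string.

    Returns exactly what os.system() would be given. Any shell metacharacter
    in a field (";", "|", "$(...)", ...) becomes part of the command line.
    """
    req = json.loads(body)
    return "setWanPortSt {proto} {port} {vlanid} {mtu}".format(
        proto=req.get("proto", ""),
        port=req.get("port", ""),
        vlanid=req.get("vlanid", ""),
        mtu=req.get("mtu", ""),
    )


def parse_setwanportst_safe(body: str) -> list:
    """Hardened pattern: allowlist every field, then build an argv list.

    The list is intended for subprocess.run(argv) with shell=False, so no
    shell ever parses the values. Malformed input raises ValueError instead
    of being "cleaned", which is the safer failure mode for a config API.
    """
    req = json.loads(body)
    if not isinstance(req, dict) or req.get("command") != "setWanPortSt":
        raise ValueError("unexpected request shape or command")
    proto = req.get("proto")
    if proto not in ALLOWED_PROTO:
        raise ValueError("proto not in allowlist")
    argv = ["setWanPortSt", proto]
    for name, pattern in FIELD_FORMATS.items():
        value = req.get(name)
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise ValueError("malformed field: %s" % name)
        argv.append(value)
    return argv


def is_injection_attempt(body: str) -> bool:
    """True when the hardened parser rejects the body (bad JSON included)."""
    try:
        parse_setwanportst_safe(body)
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return True
    return False


if __name__ == "__main__":
    print("unsafe string:   ", build_command_unsafe(HOSTILE_BODY))
    print("safe argv:       ", parse_setwanportst_safe(BENIGN_BODY))
    print("hostile rejected:", is_injection_attempt(HOSTILE_BODY))
```

The point of the hardened version is that it does not try to strip metacharacters from the "mtu" field; it rejects anything that is not a plain number, and the remaining values are passed as separate arguments so there is no shell to interpret them.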
<img src="https://raw.githubusercontent.com/furkanzengin/CVE-2022-30525/main/proof-of-concept.JPG" width="auto">
First, a netcat listener is started and the target is exploited so that a reverse shell is caught. By default, “nc” is run from the path given as “nc-path”. In Python, a copy of the main process is created with “os.fork()”; if the returned process id is 0 (the child process), a POST request is sent to the specified URL. The URL consists of the protocol, the remote address to exploit, the remote port and the “/ztp/cgi-bin/handler” endpoint, in that order. Through this endpoint the “setWanPortSt” command is reached, which allows the IP settings of the firewall ports to be changed. Examining the payload shows that the command targets port 1270 of the DHCP protocol. In this way, attackers obtain remote code execution as nobody.
# Exploitation Status
The Shadowserver Foundation, which monitors exploitation attempts worldwide, did not disclose further details about the observed exploitation attempts or their characteristics. It announced that no exploitation attempts have been seen since Monday, May 16, 2022, but its investigation continues.
# Mitigation Suggestions
Administrators of affected devices are advised to upgrade the firmware to V5.30 as soon as possible; Jake Baines also recommended enabling automatic firmware updates where possible. Zyxel was criticized for handling the vulnerability silently, but it explained in a statement that this was due to "miscommunication during the disclosure coordination process." Internal staff have been told that, as a manual mitigation, creating a new "HTTP Protocol Signatures" policy backed by a dictionary can prevent exploitation.
In summary, this vulnerability in Zyxel firewall products affected many models at a critical level. Although the problem was fixed quickly, the impact of the exploit was considerable. The fact that no further exploitation has been observed for some time suggests that the update closes the vulnerability for now.
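The signature-style mitigation mentioned above can also be expressed as a detection over request logs. The following is an added example, not part of the page or of any Zyxel or Shadowserver tooling: it scans a constructed, JSON-per-line request log (the log layout is an assumption) and flags POSTs to /ztp/cgi-bin/handler, raising the severity when a field of a "setWanPortSt" body contains shell metacharacters. The sample log records and the metacharacter pattern are this example's own.

```python
import json
import re

HANDLER_PATH = "/ztp/cgi-bin/handler"
# Shell metacharacters and shell idioms that have no business in an
# IP-configuration field (pattern is this example's own, tune it to taste).
SHELL_META = re.compile(r"[;&|`<>]|\$\(|/dev/tcp|\bbash\b|\bsh\b|\bnc\b")


def _record(ts, src, method, path, body, status):
    """Build one constructed log line; json.dumps keeps the escaping exact."""
    return json.dumps({"ts": ts, "src": src, "method": method, "path": path,
                       "body": body, "status": status})


# Constructed request log (assumed JSON-per-line layout, not a Zyxel format).
SAMPLE_LOG = [
    _record("2022-05-13T09:58:10Z", "192.0.2.10", "GET", "/", "", 200),
    _record("2022-05-13T10:01:02Z", "203.0.113.5", "POST", HANDLER_PATH,
            json.dumps({"command": "setWanPortSt", "proto": "dhcp", "port": "4",
                        "vlanid": "1270", "mtu": "1500"}), 200),
    _record("2022-05-13T10:01:07Z", "203.0.113.5", "POST", HANDLER_PATH,
            json.dumps({"command": "setWanPortSt", "proto": "dhcp", "port": "4",
                        "vlanid": "1270", "mtu": "; echo injected;", "data": "hi"}), 200),
    _record("2022-05-13T10:02:30Z", "198.51.100.7", "POST", "/cgi-bin/login",
            "user=admin", 302),
]


def inspect_request(line: str):
    """Return (severity, reason) for one log record, or None if unremarkable."""
    rec = json.loads(line)
    if rec.get("path") != HANDLER_PATH:
        return None
    try:
        body = json.loads(rec.get("body") or "null")
    except json.JSONDecodeError:
        return ("medium", "non-JSON body to ZTP handler")
    if not isinstance(body, dict):
        return ("medium", "unexpected body shape to ZTP handler")
    for name, value in body.items():
        if isinstance(value, str) and SHELL_META.search(value):
            return ("high", "shell metacharacters in field %r" % name)
    # The endpoint requires no authentication, so any reachable POST to it is
    # worth noting even when the body is well-formed.
    return ("low", "POST to unauthenticated ZTP handler")


def scan_log(lines):
    """Run inspect_request over every line and return the flagged records."""
    hits = []
    for line in lines:
        verdict = inspect_request(line)
        if verdict:
            rec = json.loads(line)
            hits.append({"ts": rec["ts"], "src": rec["src"],
                         "severity": verdict[0], "reason": verdict[1]})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("{ts} {src:<14} {severity:<6} {reason}".format(**hit))
```

The low-severity hit is deliberate: because the handler is reachable without authentication, a device that is not being provisioned should not see POSTs to it at all, so even well-formed requests from the internet are worth an alert.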