Nasty Zyxel remote execution bug is being exploited


Late last week, Rapid7 revealed a nasty bug in Zyxel firewalls that could allow an unauthenticated remote attacker to execute code as the nobody user.

The programming problem was a lack of input sanitization: two fields passed to a CGI handler were fed straight into a system call. The affected models were its VPN and ATP series, and USG 100(W), 200, 500, 700 and Flex 50(W)/USG20(W)-VPN.
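To illustrate the bug class described above, here is an added example (not Zyxel's or Rapid7's code): a CGI handler that formats two request fields into a `system()` call, beside a hardened version that allowlists each field and execs the program with an argv vector and no shell. The `ping` command and the host/count field names are assumptions.

```c
/* Added example, not Zyxel's or Rapid7's code: an assumed CGI handler with
 * the unsafe pattern beside a hardened one. Field names/command are assumed. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* UNSAFE: two untrusted request fields are pasted into a shell command line,
 * so anything the shell interprets in either field becomes part of the command. */
int run_ping_unsafe(const char *host, const char *count) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "ping -c %s %s", count, host);
    return system(cmd); /* /bin/sh parses the whole string */
}

/* Allowlist for the host field: letters, digits, '.' and '-' only, bounded
 * length, and no leading '-' so the value cannot be read as an option. */
int is_safe_host(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 253 || s[0] == '-') return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && s[i] != '.' && s[i] != '-') return 0;
    return 1;
}

/* Allowlist for the count field: one or two digits. */
int is_safe_count(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 2) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i])) return 0;
    return 1;
}

/* HARDENED: validate both fields, then exec with an argv vector; no shell is
 * involved, so no metacharacter is interpreted. Returns exit status or -1. */
int run_ping_safe(const char *host, const char *count) {
    if (!is_safe_host(host) || !is_safe_count(count)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp("ping", "ping", "-c", count, host, (char *)NULL);
        _exit(127); /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The fix that matters is the second half: rejecting anything outside a tight allowlist and never handing untrusted bytes to a shell parser.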


At the time, Rapid7 said there were 15,000 affected models on the internet that Shodan had found. However, over the weekend, Shadowserver Foundation increased that number to over 20,800.

“The most popular are USG20-VPN (IP 10K) and USG20W-VPN (IP 5.7K). Most of the models affected by CVE-2022-30525 are in the EU – France (4.5K) and Italy (4.4K),” the Foundation tweeted.

The Foundation also said it saw the exploit start on May 13 and urged users to fix it immediately.


After Rapid7 reported the vulnerability on April 13, the Taiwanese hardware maker silently released patches on April 28, according to Rapid7's chronology of events.

“This release of the patch is equivalent to disclosing details of vulnerabilities, as attackers and researchers can easily reverse the patch to learn precise exploit details, while defenders rarely bother to do so,” wrote the Rapid7 discoverer of the bug, Jake Baines.

“Therefore, we are releasing this disclosure early to help defenders detect the exploit and help them decide when to apply this patch in their own environments, based on their own risk tolerances. In other words, silent patching of vulnerabilities tends to only help active attackers, and leaves defenders in the dark about the true risk of newly discovered issues.”


For its part, Zyxel claimed that there was “miscommunication during the coordinated disclosure process” and that it “always follows the principles of coordinated disclosure.”

At the end of March, Zyxel published an advisory for another CVSS 9.8 vulnerability in its CGI program that could allow an attacker to bypass authentication and take over the device with administrative access.
