Nasty Zyxel remote execution bug is being exploited | ZDNet

At the end of last week, Rapid7 disclosed a nasty bug in Zyxel firewalls that could allow an unauthenticated remote attacker to execute code as the nobody user.

The underlying programming flaw was a lack of input sanitisation: two fields passed to a CGI handler were fed straight into system calls. The impacted models were its VPN and ATP series, and USG 100(W), 200, 500, 700, and Flex 50(W)/USG20(W)-VPN.
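The bug class described above, as an added illustration that is not Zyxel's code nor Rapid7's: the field name, the command and the handler shape are assumptions. It shows a request field spliced into a shell command string beside a hardened version that validates the field against an allowlist and avoids the shell entirely.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for the unsafe pattern: a request field (assumed
 * here to be a host to ping) is spliced into a command line that is later
 * handed to system(). Whatever the shell makes of the field, it runs. */
void unsafe_build(char *out, size_t n, const char *host) {
    snprintf(out, n, "/bin/ping -c 1 %s", host);
}

/* Hardened check: accept only characters a hostname or IPv4 literal can
 * contain, cap the length, and refuse a leading dash so the value can
 * never be parsed as an option by the program it is passed to. */
bool valid_host(const char *s) {
    size_t len = strlen(s);
    if (len == 0 || len > 253 || s[0] == '-') return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return false;
    }
    return true;
}

/* Hardened execution: no shell is involved. The validated field becomes a
 * single argv element of a fixed program, so it cannot become a command.
 * Returns the child's exit status, or -1 if the field was rejected or the
 * process could not be run. */
int run_ping_safe(const char *host) {
    if (!valid_host(host)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {"/bin/ping", "-c", "1", (char *)host, NULL};
        execv(argv[0], argv);
        _exit(127);               /* only reached if exec itself failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```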

At the time, Rapid7 said Shodan had found 15,000 affected devices exposed on the internet. However, over the weekend, the Shadowserver Foundation raised that number to over 20,800.

“Most popular are USG20-VPN (10K IPs) and USG20W-VPN (5.7K IPs). Most of the CVE-2022-30525 affected models are in the EU – France (4.5K) and Italy (4.4K),” it tweeted.

The Foundation also said it had seen exploitation kick off on May 13, and urged users to patch immediately.

After Rapid7 reported the vulnerability on April 13, the Taiwanese hardware maker silently released patches on April 28. Rapid7 only realised the release had happened on May 9; it then published its blog post and Metasploit module alongside the Zyxel notice, and was not happy with the timeline of events.

“This patch release is tantamount to releasing details of the vulnerabilities, since attackers and researchers can trivially reverse the patch to learn precise exploitation details, while defenders rarely bother to do this,” wrote Jake Baines, the Rapid7 researcher who discovered the bug.

“Therefore, we’re releasing this disclosure early in order to assist defenders in detecting exploitation and to help them decide when to apply this fix in their own environments, according to their own risk tolerances. In other words, silent vulnerability patching tends to only help active attackers, and leaves defenders in the dark about the true risk of newly discovered issues.”

For its part, Zyxel claimed there was a “miscommunication during the disclosure coordination process” and it “always follows the principles of coordinated disclosure”.

At the end of March, Zyxel published an advisory for another CVSS 9.8 vulnerability in its CGI program, one that could allow an attacker to bypass authentication and operate the device with administrative access.
