Zyxel developers fixed the critical vulnerability CVE-2020-9054, which affects several NAS models of the company (running firmware 5.21 and earlier) and allows arbitrary code to be executed remotely and without authentication. On the CVSS vulnerability rating scale, the problem scored 10 points out of 10 possible.
The root of the problem lies in the weblogin.cgi file: the bug occurs because the username parameter is not properly sanitized. If the username includes certain characters, they are passed through unfiltered and can be used to inject commands that run with the web server's privileges. After that, an attacker can use a setuid utility on the device to run arbitrary commands with root privileges.
Ultimately, a remote attacker can execute arbitrary code on a vulnerable Zyxel device by sending a specially crafted HTTP request (POST or GET). Worse, the attacker does not even need a direct connection to the device: it is enough to lure the victim into visiting a malicious site, and the victim's browser delivers the request to the NAS.
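As an added example (not from the article and not Zyxel code), the following Python scanner flags web-server access-log entries aimed at weblogin.cgi whose username parameter carries shell metacharacters, which is the kind of check a defender would run over NAS or reverse-proxy logs. The log format, the /cgi-bin/ location of the script and the metacharacter set are assumptions, since the article does not name the exact characters involved.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Assumption: a generic set of shell metacharacters. The article only says
# "certain characters" are mishandled, so this list is illustrative, not exact.
SUSPICIOUS = re.compile(r"[;|&`$()<>\n\r]")

# Common Log Format style line (assumed format, constructed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines; the second one carries an encoded ';' in username.
LOGS = """\
203.0.113.5 - - [25/Feb/2020:10:00:01 +0000] "GET /cgi-bin/weblogin.cgi?username=admin&password=x HTTP/1.1" 200 512
203.0.113.7 - - [25/Feb/2020:10:00:02 +0000] "GET /cgi-bin/weblogin.cgi?username=admin%3Bid&password=x HTTP/1.1" 200 512
198.51.100.9 - - [25/Feb/2020:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024
""".splitlines()


def flag_line(line):
    """Return details of a suspicious weblogin.cgi request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("path"))
    # Match on the script name only; its directory on the device is an assumption.
    if not parts.path.endswith("/weblogin.cgi"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("username", []):
        decoded = unquote_plus(value)  # second decode catches double-encoded input
        if SUSPICIOUS.search(decoded):
            return {"ip": m.group("ip"), "ts": m.group("ts"), "username": decoded}
    return None


def scan(lines):
    """Run flag_line over every line and collect the hits."""
    return [hit for hit in map(flag_line, lines) if hit]


if __name__ == "__main__":
    for hit in scan(LOGS):
        print(f"suspicious login attempt from {hit['ip']} at {hit['ts']}: {hit['username']!r}")
```

Access logs only show GET query strings; because the article says POST requests work too, the same check needs to be applied to request bodies from a WAF or reverse proxy that records them.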
An exploit for this problem, sold on underground forums, was discovered by well-known information security journalist Brian Krebs and Hold Security experts. It was Krebs who warned Zyxel and CERT/CC specialists about the problem. The journalist says that ransomware operators are already showing interest in the exploit (the exact instructions for using the vulnerability are sold for $20,000); in particular, Emotet operators intend to include the exploit in their malware.
Zyxel engineers released fixes for four vulnerable devices this week: NAS326, NAS520, NAS540, and NAS542.
But ten other Zyxel NAS models are also vulnerable to this problem and are no longer supported, which means patches for them cannot be expected. These include NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2. Users of these devices are advised to block access to the web interface (80/tcp and 443/tcp) and make sure that the NAS is not reachable from the Internet.