Zyxel security advisory for command injection vulnerability of firewalls
Zyxel security advisory for command injection vulnerability of firewalls
CVE: CVE-2020-29299
Summary
Zyxel has released updates for a command injection vulnerability recently reported by Chaitin Security Research Lab. Users are advised to install the updates for optimal protection.
What is the vulnerability?
A command injection vulnerability was identified in the “chg_exp_pwd” CGI program on some Zyxel security firewalls. The lack of input string sanitization in the CGI program could allow an attacker to inject commands if they successfully log in as the admin and attempt to change the password using the vulnerable CGI.
What products are vulnerable—and what should you do?
After a thorough investigation of our product lines, we’ve identified the vulnerable products that are within their warranty and support period and released patches to address the issue, as shown in the table below. For optimal protection, we urge users to install the applicable updates.
*Please reach out to your local Zyxel support team for the file.
**Firmware update available on Nebula Control Center (NCC) at https://nebula.zyxel.com/.
Contact your local Zyxel support team if you require further assistance.
Got a question or a tipoff?
Please contact your local service rep for further information or assistance. If you’ve found a vulnerability, we want to work with you to fix it—contact security@zyxel.com.tw and we’ll get right back to you.
Acknowledgment
Thanks to swing & leommxj of Chaitin Security Research Lab for reporting the issues to us.
Revision history
2020-11-23: Initial release
2020-12-28: Add the CVE number
Categories
- All Categories
- 415 Beta Program
- 2.3K Nebula
- 141 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.6K Security
- 218 USG FLEX H Series
- 262 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1K Wireless
- 39 Wireless Ideas
- 6.3K Consumer Product
- 245 Service & License
- 382 News and Release
- 81 Security Advisories
- 27 Education Center
- 8 [Campaign] Zyxel Network Detective
- 3.1K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight