Zyxel security advisory for insecure folder permissions of ZON Utility

Posted by Zyxel_Jonas (Zyxel Employee)

CVE: CVE-2020-27667

Summary
Zyxel has released a patch for the incorrect folder permission vulnerability of Zyxel One Network (ZON) Utility recently reported by researchers from ECSC Group UK. Users are advised to install the latest software version for optimal protection.

What is the vulnerability?

The permissions of an installation folder in ZON Utility were misconfigured, granting incorrect default rights to the built-in “Everyone” group; a local user could use this for privilege escalation on the computer where the utility is installed. The vulnerability is more likely to affect shared computers on which multiple accounts exist, whereas ZON Utility is mostly used on personal computers by IT staff and individuals.
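The weakness described above is a general one: if a broad principal such as “Everyone” can write into a folder whose contents run with higher privileges, a low-privileged user can replace what runs there. The following PowerShell script is an added example, not Zyxel's code and not part of the advisory; it audits a folder tree for Allow entries that give broad groups write, modify, delete or full-control rights, and can optionally remove the explicit offending entries. The default path is a placeholder you must replace with the folder you want to check, and the list of principals is an assumption about which groups should never hold write rights on a program directory.

```powershell
# Added example (not Zyxel's code): audit a program folder for over-broad write ACEs.
# Usage:  .\Audit-FolderAcl.ps1 -Path 'C:\Program Files\SomeVendor\SomeUtility'
#         .\Audit-FolderAcl.ps1 -Path '...' -Fix    # also removes explicit weak ACEs (run elevated)
param(
    # Placeholder path; point this at the installation folder you want to audit.
    [string]$Path = 'C:\Program Files\ExampleVendor\ExampleUtility',
    [switch]$Fix
)

# Assumption: these principals should never hold write rights on a program directory.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a low-privileged user plant, alter or remove files in the folder.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteMask = $R::Write -bor $R::Modify -bor $R::FullControl -bor
             $R::WriteData -bor $R::CreateFiles -bor $R::AppendData -bor
             $R::CreateDirectories -bor $R::Delete -bor $R::DeleteSubdirectoriesAndFiles

function Find-WeakAce {
    # Returns every Allow ACE on $Folder that grants a broad principal write-class rights.
    param([string]$Folder)
    $acl = Get-Acl -LiteralPath $Folder
    foreach ($ace in $acl.Access) {
        $isBroad     = $BroadPrincipals -contains $ace.IdentityReference.Value
        $grantsWrite = ($ace.AccessControlType -eq 'Allow') -and
                       (([int]$ace.FileSystemRights -band [int]$WriteMask) -ne 0)
        if ($isBroad -and $grantsWrite) {
            [pscustomobject]@{
                Folder    = $Folder
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Remove-WeakAce {
    # Removes explicit (non-inherited) weak ACEs from $Folder. Inherited entries are
    # reported only: they must be fixed on the parent, or inheritance must be broken first.
    param([string]$Folder)
    $acl = Get-Acl -LiteralPath $Folder
    $changed = $false
    foreach ($ace in @($acl.Access)) {
        $isBroad     = $BroadPrincipals -contains $ace.IdentityReference.Value
        $grantsWrite = ($ace.AccessControlType -eq 'Allow') -and
                       (([int]$ace.FileSystemRights -band [int]$WriteMask) -ne 0)
        if (-not ($isBroad -and $grantsWrite)) { continue }
        if ($ace.IsInherited) {
            Write-Warning "$Folder : inherited ACE for $($ace.IdentityReference.Value) left in place; fix the parent folder or disable inheritance."
            continue
        }
        [void]$acl.RemoveAccessRule($ace)
        $changed = $true
        Write-Host "Removed $($ace.FileSystemRights) for $($ace.IdentityReference.Value) on $Folder"
    }
    if ($changed) { Set-Acl -LiteralPath $Folder -AclObject $acl }
}

if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
    throw "Folder not found: $Path"
}

# Audit the folder itself and every subfolder beneath it.
$folders = @($Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Directory | ForEach-Object FullName)
$findings = foreach ($f in $folders) { Find-WeakAce -Folder $f }

if (-not $findings) {
    Write-Host "No broad write-class ACEs found under $Path"
} else {
    $findings | Format-Table -AutoSize
    if ($Fix) { foreach ($f in $folders) { Remove-WeakAce -Folder $f } }
}
```

The audit is deliberately conservative: it flags any Allow entry for a broad group that carries even a single write-class bit, because on a program folder those bits are almost never legitimate. Running with -Fix changes the ACL and therefore needs an elevated session; review the table first, since a vendor may rely on one of the flagged entries and the better remediation is usually the vendor's patch, as in this advisory.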


What versions are vulnerable—and what should you do?

After a thorough investigation, we confirmed that the vulnerability affects only ZON Utility versions V2.1.4 and earlier, and we have released a patch in ZON Utility version V2.1.5 to address the issue. Note that the vulnerability does not impact devices configured using ZON Utility. For optimal protection, we urge users to install the applicable updates.

Got a question or a tipoff?

Please contact your local service rep for further information or assistance. If you’ve found a vulnerability, we want to work with you to fix it—contact security@zyxel.com.tw, and we’ll get right back to you.

Acknowledgment

Thanks to Richard Davy and Neil Graham of ECSC Group UK for reporting the issue to us.

Revision history

2021-1-11: Initial release

Jonas,