Zyxel security advisory for OS command injection vulnerability of firewalls

Zyxel_Emily
Zyxel_Emily Posts: 1,280  Zyxel Employee
First Anniversary 10 Comments Friend Collector First Answer
edited May 2022 in Security

CVE: CVE-2022-30525

Summary

Zyxel has released patches for an OS command injection vulnerability found by Rapid 7 and urges users to install them for optimal protection.

What is the vulnerability?

A command injection vulnerability in the CGI program of some firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.

What versions are vulnerable—and what should you do?

After a thorough investigation, we’ve identified the vulnerable products that are within their vulnerability support period and released patches to address the vulnerability, as shown in the table below.


Got a question?

Please contact your local service rep or visit Zyxel’s forum for further information or assistance.

Acknowledgment and commentary

Thanks to Rapid7 for reporting the CVE-2022-30525 issue to us. However, there was miscommunication during the disclosure coordination process with Rapid7. As a CNA, Zyxel always follows the principles of coordinated disclosure to arrange public disclosure with reporters. 

Revision history

2022-05-12: Initial release

«1

Comments

  • Mario
    Mario Posts: 104  Ally Member
    First Anniversary 10 Comments Friend Collector Zyxel Certified Network Engineer Level 1 - Security
    why is the CVE-2022-30525 not listet in the release notes?




  • ESupport
    ESupport Posts: 18  Freshman Member
    First Anniversary 10 Comments Friend Collector
    Are older Boxes like the USG 310 or the USG 40/60 also affected by this?
  • e_mano_e
    e_mano_e Posts: 82  Ally Member
    First Anniversary 10 Comments Friend Collector First Answer
    This vulnerability mainly affects only systems where WAN access to the administrative web interface is enabled, right?
    If WAN access is disabled, there is not much risk to my firewall for now, right?
    I'm just asking to make sure how fast I have to apply the firmware patch.
  • MikeForshock
    MikeForshock Posts: 34  Freshman Member
    First Anniversary 10 Comments Friend Collector
    Mario said:
    why is the CVE-2022-30525 not listet in the release notes?




    This is the main questions, why was it not mentioned?
    https://arstechnica.com/information-technology/2022/05/zyxel-silently-patches-command-injection-vulnerability-with-9-8-severity-rating/
  • dkyeager
    dkyeager Posts: 69  Ally Member
    First Anniversary 10 Comments Friend Collector
    Been a long time since Zyxel has had a stable release from a security perspective.  It would be good to have that for situations like this.  Had to rush testing of 5.30 today because of this.  Not appreciated.

    I like that Zyxel has historically been honest in its release notes, but this seems to be slipping.
  • Zyxel_Vic
    Zyxel_Vic Posts: 281  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Hi @Mario @MikeForshock @dkyeager
    We're sorry for the confusion
    This vulnerability has been fixed aggressively into regular release but we did not disclose it since the official disclosure time has not been aligned with the researcher at that moment. In the meantime, we have updated device what's new with CVE info on the same day, expected users getting real time notice from device directly.

    @ESupport
    USG310, USG40/60 are immune to this vulnerability

    @e_mano_e
    Yes you're right. However, since the hacker may also come from the LAN side, it's strongly recommended to upgrade to 5.30 as soon as possible
  • Ckat1212
    Ckat1212 Posts: 5
    First Anniversary First Comment
    Is the ZyWall 110 affected by this vulnerability? The latest firmware for that is 4.71 so bit confused.
  • mMontana
    mMontana Posts: 1,298  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    @Ckat1212 take your time re-reading the first post. You should easily find an answer.
  • My system Zyxel USG20W-VPN had been in 5.20 and then there was trial-usres admin account added and it updated my firewall to v.5.30. 

    Are you sure that this 5.30 is secure?
  • zyman2008
    zyman2008 Posts: 197  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    AnonymousBusiness,
    You should assume the configuration and username/password already leak for a long time.
    Recommend to change all passwords of all user accounts and don't change to any previous used password.

Security Highlight