ID

VAR-202003-1707


CVE

CVE-2020-9054


TITLE

ZyXEL pre-authentication command injection in weblogin.cgi

Trust: 0.8

sources: CERT/CC: VU#498544

DESCRIPTION

Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. By sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable devices. For example, simply visiting a website can result in the compromise of any ZyXEL device that is reachable from the client system. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2. plural ZyXEL Included in the product weblogin.cgi Is vulnerable to the execution of arbitrary commands. OS Command injection (CWE-78) - CVE-2020-9054 ZyXEL In multiple products offered by CGI Executable file weblogin.cgi Authentication is done using. About this vulnerability ZyXEL Made NAS Exploit codes for products are available on the Internet. Zyxel Technology is a provider of network broadband systems and solutions for internationally renowned brands. main Products include DSL central office and terminal equipment, router equipment, network security equipment, wireless local area communication equipment, It also provides full-range broadband network application integration solutions for Chinese enterprises, such as network telephones and Ethernet switches. Multiple ZyXEL network-attached storage (NAS) devices have security holes

Trust: 2.97

sources: NVD: CVE-2020-9054 // CERT/CC: VU#498544 // JVNDB: JVNDB-2020-001758 // CNVD: CNVD-2020-15993 // VULMON: CVE-2020-9054

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-15993

AFFECTED PRODUCTS

vendor:zyxelmodel:usg110scope:ltversion:4.35\(aaph.3\)c0

Trust: 1.0

vendor:zyxelmodel:vpn1000scope:gteversion:4.35

Trust: 1.0

vendor:zyxelmodel:zywall1100scope:gteversion:4.35

Trust: 1.0

vendor:zyxelmodel:nas542scope:ltversion:5.21\(abag.4\)c0

Trust: 1.0

vendor:zyxelmodel:usg2200scope:ltversion:4.35\(abae.3\)c0

Trust: 1.0

vendor:zyxelmodel:atp100scope:gteversion:4.35

Trust: 1.0

vendor:zyxelmodel:nas520scope:ltversion:5.21\(aasz.3\)c0

Trust: 1.0

vendor:zyxelmodel:usg1100scope:ltversion:4.35\(aapk.3\)c0

Trust: 1.0

vendor:zyxelmodel:usg1100scope:gteversion:4.35

Trust: 1.0

vendor:zyxelmodel:usg20w-vpnscope:ltversion:4.35\(abar.3\)c0

Trust: 1.0

vendor:zyxelmodel:zywall1100scope:ltversion:4.35\(aaac.3\)c0

Trust: 1.0

vendor:zyxelmodel:usg20w-vpnscope:gteversion:4.35

Trust: 1.0

vendor:zyxelmodel:vpn300scope:ltversion:4.35\(abfc.3\)c0

Trust: 1.0

vendor:zyxelmodel:atp800scope:ltversion:4.35\(abiq.3\)c0

Trust: 1.0

vendor:zyxelmodel:usg40scope:gteversion:4.35

Trust: 1.0

vendor:zyxelmodel:atp100scope:ltversion:4.35\(abps.3\)c0

Trust: 1.0

vendor:zyxelmodel:vpn50scope:gteversion:4.35

Trust: 1.0

vendor:zyxelmodel:atp500scope:gteversion:4.35

Trust: 1.0

vendor:zyxelmodel:vpn1000scope:ltversion:4.35\(abip.3\)c0

Trust: 1.0

vendor:zyxelmodel:nas540scope:ltversion:5.21\(aatb.4\)c0

Trust: 1.0

vendor:zyxelmodel:vpn100scope:gteversion:4.35

Trust: 1.0

vendor:zyxelmodel:usg20-vpnscope:ltversion:4.35\(abaq.3\)c0

Trust: 1.0

vendor:zyxelmodel:usg40wscope:gteversion:4.35

Trust: 1.0

vendor:zyxelmodel:usg1900scope:gteversion:4.35

Trust: 1.0

vendor:zyxelmodel:usg210scope:ltversion:4.35\(aapi.3\)c0

Trust: 1.0

vendor:zyxelmodel:zywall110scope:ltversion:4.35\(aaaa.3\)c0

Trust: 1.0

vendor:zyxelmodel:usg60scope:gteversion:4.35

Trust: 1.0

vendor:zyxelmodel:zywall310scope:ltversion:4.35\(aaab.3\)c0

Trust: 1.0

vendor:zyxelmodel:vpn300scope:gteversion:4.35

Trust: 1.0

vendor:zyxelmodel:atp800scope:gteversion:4.35

Trust: 1.0

vendor:zyxelmodel:zywall110scope:gteversion:4.35

Trust: 1.0

vendor:zyxelmodel:usg40wscope:ltversion:4.35\(aalb.3\)c0

Trust: 1.0

vendor:zyxelmodel:atp500scope:ltversion:4.35\(abfu.3\)c0

Trust: 1.0

vendor:zyxelmodel:nas326scope:ltversion:5.21\(aazf.7\)c0

Trust: 1.0

vendor:zyxelmodel:usg310scope:gteversion:4.35

Trust: 1.0

vendor:zyxelmodel:usg20-vpnscope:gteversion:4.35

Trust: 1.0

vendor:zyxelmodel:usg210scope:gteversion:4.35

Trust: 1.0

vendor:zyxelmodel:usg60wscope:ltversion:4.35\(aakz.3\)c0

Trust: 1.0

vendor:zyxelmodel:usg2200scope:gteversion:4.35

Trust: 1.0

vendor:zyxelmodel:usg110scope:gteversion:4.35

Trust: 1.0

vendor:zyxelmodel:usg60wscope:gteversion:4.35

Trust: 1.0

vendor:zyxelmodel:usg1900scope:ltversion:4.35\(aapl.3\)c0

Trust: 1.0

vendor:zyxelmodel:usg60scope:ltversion:4.35\(aaky.3\)c0

Trust: 1.0

vendor:zyxelmodel:vpn100scope:ltversion:4.35\(abfv.3\)c0

Trust: 1.0

vendor:zyxelmodel:usg40scope:ltversion:4.35\(aala.3\)c0

Trust: 1.0

vendor:zyxelmodel:atp200scope:gteversion:4.35

Trust: 1.0

vendor:zyxelmodel:atp200scope:ltversion:4.35\(abfw.3\)c0

Trust: 1.0

vendor:zyxelmodel:usg310scope:ltversion:4.35\(aapj.3\)c0

Trust: 1.0

vendor:zyxelmodel:vpn50scope:ltversion:4.35\(abhl.3\)c0

Trust: 1.0

vendor:zyxelmodel:zywall310scope:gteversion:4.35

Trust: 1.0

vendor:zyxelmodel: - scope: - version: -

Trust: 0.8

vendor:zyxelmodel:atp100scope: - version: -

Trust: 0.8

vendor:zyxelmodel:atp200scope: - version: -

Trust: 0.8

vendor:zyxelmodel:atp500scope: - version: -

Trust: 0.8

vendor:zyxelmodel:atp800scope: - version: -

Trust: 0.8

vendor:zyxelmodel:nas 326scope: - version: -

Trust: 0.8

vendor:zyxelmodel:nas 520scope: - version: -

Trust: 0.8

vendor:zyxelmodel:nas 540scope: - version: -

Trust: 0.8

vendor:zyxelmodel:nas 542scope: - version: -

Trust: 0.8

vendor:zyxelmodel:usg20-vpnscope: - version: -

Trust: 0.8

vendor:zyxelmodel:usg20w-vpnscope: - version: -

Trust: 0.8

vendor:zyxelmodel:nas326 <v5.21 c0scope: - version: -

Trust: 0.6

vendor:zyxelmodel:nas520 <v5.21 c0scope: - version: -

Trust: 0.6

vendor:zyxelmodel:nas540 <v5.21 c0scope: - version: -

Trust: 0.6

vendor:zyxelmodel:nas542 <v5.21 c0scope: - version: -

Trust: 0.6

vendor:zyxelmodel:nsa210scope: - version: -

Trust: 0.6

vendor:zyxelmodel:nsa220scope: - version: -

Trust: 0.6

vendor:zyxelmodel:nsa220+scope: - version: -

Trust: 0.6

vendor:zyxelmodel:nsa221scope: - version: -

Trust: 0.6

vendor:zyxelmodel:nsa310scope: - version: -

Trust: 0.6

vendor:zyxelmodel:nsa310sscope: - version: -

Trust: 0.6

vendor:zyxelmodel:nsa320scope: - version: -

Trust: 0.6

vendor:zyxelmodel:nsa320sscope: - version: -

Trust: 0.6

vendor:zyxelmodel:nsa325scope: - version: -

Trust: 0.6

vendor:zyxelmodel:nsa325v2scope: - version: -

Trust: 0.6

sources: CERT/CC: VU#498544 // CNVD: CNVD-2020-15993 // JVNDB: JVNDB-2020-001758 // NVD: CVE-2020-9054

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-9054
value: CRITICAL

Trust: 1.0

NVD: CVE-2020-9054
value: HIGH

Trust: 0.8

JPCERT/CC: JVNDB-2020-001758
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2020-15993
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202002-1216
value: CRITICAL

Trust: 0.6

VULMON: CVE-2020-9054
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2020-9054
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: CVE-2020-9054
severity: HIGH
baseScore: 10.0
vectorString: NONE
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

JPCERT/CC: JVNDB-2020-001758
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-15993
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-9054
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

JPCERT/CC: JVNDB-2020-001758
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CERT/CC: VU#498544 // CNVD: CNVD-2020-15993 // VULMON: CVE-2020-9054 // JVNDB: JVNDB-2020-001758 // CNNVD: CNNVD-202002-1216 // NVD: CVE-2020-9054

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.0

sources: NVD: CVE-2020-9054

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202002-1216

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-202002-1216

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-001758

EXPLOIT AVAILABILITY

sources: CERT/CC: VU#498544

PATCH

title:Zyxel security advisory for the remote code execution vulnerability of NAS productsurl:https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml

Trust: 0.8

title:Patch for Multiple ZyXEL Network Attached Storage (NAS) Device Pre-Verification Command Injection Vulnerabilitiesurl:https://www.cnvd.org.cn/patchInfo/show/207745

Trust: 0.6

title:Multiple ZyXEL Product operating system command injection vulnerability fixesurl:http://123.124.177.30/web/xxk/bdxqById.tag?id=110815

Trust: 0.6

title:exploiturl:https://github.com/Notionned101/exploit

Trust: 0.1

title:kenzer-templatesurl:https://github.com/Elsfa7-110/kenzer-templates

Trust: 0.1

title:kenzer-templatesurl:https://github.com/ARPSyndicate/kenzer-templates

Trust: 0.1

title:Threatposturl:https://threatpost.com/top-microsoft-adobe-exploits-list/166241/

Trust: 0.1

title:Threatposturl:https://threatpost.com/new-mirai-variant-mukashi-targets-zyxel-nas-devices/153982/

Trust: 0.1

title:Threatposturl:https://threatpost.com/flaws-zyxels-network-management-software/153554/

Trust: 0.1

title:The Registerurl:https://www.theregister.co.uk/2020/02/26/zyxel_security_hole/

Trust: 0.1

sources: CNVD: CNVD-2020-15993 // VULMON: CVE-2020-9054 // JVNDB: JVNDB-2020-001758 // CNNVD: CNNVD-202002-1216

EXTERNAL IDS

db:CERT/CCid:VU#498544

Trust: 3.3

db:NVDid:CVE-2020-9054

Trust: 3.1

db:JVNid:JVNVU97748968

Trust: 0.8

db:JVNDBid:JVNDB-2020-001758

Trust: 0.8

db:CNVDid:CNVD-2020-15993

Trust: 0.6

db:CNNVDid:CNNVD-202002-1216

Trust: 0.6

db:VULMONid:CVE-2020-9054

Trust: 0.1

sources: CERT/CC: VU#498544 // CNVD: CNVD-2020-15993 // VULMON: CVE-2020-9054 // JVNDB: JVNDB-2020-001758 // CNNVD: CNNVD-202002-1216 // NVD: CVE-2020-9054

REFERENCES

url:https://www.zyxel.com/support/remote-code-execution-vulnerability-of-nas-products.shtml

Trust: 3.3

url:https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices/

Trust: 3.3

url:https://cwe.mitre.org/data/definitions/78.html

Trust: 2.6

url:https://kb.cert.org/vuls/id/498544/

Trust: 1.7

url:https://kb.cert.org/artifacts/cve-2020-9054.html

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2020-9054

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-9054

Trust: 0.8

url:http://jvn.jp/cert/jvnvu97748968

Trust: 0.8

url:https://www.kb.cert.org/vuls/id/498544/

Trust: 0.8

url:https://www.kb.cert.org/vuls/id/498544

Trust: 0.7

url:https://securityaffairs.co/wordpress/98461/hacking/zyxel-critical-rce.html

Trust: 0.6

url:https://github.com/notionned101/exploit

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: CERT/CC: VU#498544 // CNVD: CNVD-2020-15993 // VULMON: CVE-2020-9054 // JVNDB: JVNDB-2020-001758 // CNNVD: CNNVD-202002-1216 // NVD: CVE-2020-9054

SOURCES

db:CERT/CCid:VU#498544
db:CNVDid:CNVD-2020-15993
db:VULMONid:CVE-2020-9054
db:JVNDBid:JVNDB-2020-001758
db:CNNVDid:CNNVD-202002-1216
db:NVDid:CVE-2020-9054

LAST UPDATE DATE

2024-11-23T22:33:33.193000+00:00


SOURCES UPDATE DATE

db:CERT/CCid:VU#498544date:2020-02-26T00:00:00
db:CNVDid:CNVD-2020-15993date:2020-03-08T00:00:00
db:VULMONid:CVE-2020-9054date:2020-03-06T00:00:00
db:JVNDBid:JVNDB-2020-001758date:2020-04-21T00:00:00
db:CNNVDid:CNNVD-202002-1216date:2023-05-19T00:00:00
db:NVDid:CVE-2020-9054date:2024-11-21T05:39:54.583

SOURCES RELEASE DATE

db:CERT/CCid:VU#498544date:2020-02-24T00:00:00
db:CNVDid:CNVD-2020-15993date:2020-03-08T00:00:00
db:VULMONid:CVE-2020-9054date:2020-03-04T00:00:00
db:JVNDBid:JVNDB-2020-001758date:2020-02-26T00:00:00
db:CNNVDid:CNNVD-202002-1216date:2020-02-24T00:00:00
db:NVDid:CVE-2020-9054date:2020-03-04T20:15:10.750