CVE-2020-9054
CRITICAL
9,8
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high
HIGH
10,0
Source: [email protected]
Access Vector: network
Access Complexity: low
Authentication: none
Confidentiality: complete
Integrity: complete
Availability: complete
Description
AI Translation Available
Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. By sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable devices. For example, simply visiting a website can result in the compromise of any ZyXEL device that is reachable from the client system. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2
EPSS (Exploit Prediction Scoring System)
Trend Analysis
EPSS (Exploit Prediction Scoring System)
Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.
EPSS Score
0,9431
Percentile
1,0th
Updated
EPSS Score Trend (Last 90 Days)
78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
StableCommon Consequences
Security Scopes Affected:
Confidentiality
Integrity
Availability
Non-Repudiation
Potential Impacts:
Execute Unauthorized Code Or Commands
Dos: Crash, Exit, Or Restart
Read Files Or Directories
Modify Files Or Directories
Read Application Data
Modify Application Data
Hide Activities
Applicable Platforms
Technologies:
AI/ML, Not Technology-Specific, Web Server
Operating System
Vpn300 Firmware by Zyxel
Version Range Affected
From
4.35
(inclusive)
To
4.35\(abfc.3\)c0
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:o:zyxel:vpn300_firmware:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Zywall110 Firmware by Zyxel
Version Range Affected
From
4.35
(inclusive)
To
4.35\(aaaa.3\)c0
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:o:zyxel:zywall110_firmware:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Nas520 Firmware by Zyxel
Version Range Affected
To
5.21\(aasz.3\)c0
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:o:zyxel:nas520_firmware:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Atp200 Firmware by Zyxel
Version Range Affected
From
4.35
(inclusive)
To
4.35\(abfw.3\)c0
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:o:zyxel:atp200_firmware:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Usg60 Firmware by Zyxel
Version Range Affected
From
4.35
(inclusive)
To
4.35\(aaky.3\)c0
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:o:zyxel:usg60_firmware:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Atp100 Firmware by Zyxel
Version Range Affected
From
4.35
(inclusive)
To
4.35\(abps.3\)c0
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:o:zyxel:atp100_firmware:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Vpn100 Firmware by Zyxel
Version Range Affected
From
4.35
(inclusive)
To
4.35\(abfv.3\)c0
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:o:zyxel:vpn100_firmware:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Atp500 Firmware by Zyxel
Version Range Affected
From
4.35
(inclusive)
To
4.35\(abfu.3\)c0
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:o:zyxel:atp500_firmware:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Nas326 Firmware by Zyxel
Version Range Affected
To
5.21\(aazf.7\)c0
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:o:zyxel:nas326_firmware:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Usg310 Firmware by Zyxel
Version Range Affected
From
4.35
(inclusive)
To
4.35\(aapj.3\)c0
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:o:zyxel:usg310_firmware:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Usg60W Firmware by Zyxel
Version Range Affected
From
4.35
(inclusive)
To
4.35\(aakz.3\)c0
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:o:zyxel:usg60w_firmware:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Vpn50 Firmware by Zyxel
Version Range Affected
From
4.35
(inclusive)
To
4.35\(abhl.3\)c0
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:o:zyxel:vpn50_firmware:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Nas540 Firmware by Zyxel
Version Range Affected
To
5.21\(aatb.4\)c0
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:o:zyxel:nas540_firmware:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Zywall1100 Firmware by Zyxel
Version Range Affected
From
4.35
(inclusive)
To
4.35\(aaac.3\)c0
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:o:zyxel:zywall1100_firmware:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Nas542 Firmware by Zyxel
Version Range Affected
To
5.21\(abag.4\)c0
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:o:zyxel:nas542_firmware:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Zywall310 Firmware by Zyxel
Version Range Affected
From
4.35
(inclusive)
To
4.35\(aaab.3\)c0
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:o:zyxel:zywall310_firmware:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Usg110 Firmware by Zyxel
Version Range Affected
From
4.35
(inclusive)
To
4.35\(aaph.3\)c0
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:o:zyxel:usg110_firmware:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Atp800 Firmware by Zyxel
Version Range Affected
From
4.35
(inclusive)
To
4.35\(abiq.3\)c0
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:o:zyxel:atp800_firmware:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Usg40 Firmware by Zyxel
Version Range Affected
From
4.35
(inclusive)
To
4.35\(aala.3\)c0
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:o:zyxel:usg40_firmware:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Usg2200 Firmware by Zyxel
Version Range Affected
From
4.35
(inclusive)
To
4.35\(abae.3\)c0
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:o:zyxel:usg2200_firmware:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Vpn1000 Firmware by Zyxel
Version Range Affected
From
4.35
(inclusive)
To
4.35\(abip.3\)c0
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:o:zyxel:vpn1000_firmware:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Usg210 Firmware by Zyxel
Version Range Affected
From
4.35
(inclusive)
To
4.35\(aapi.3\)c0
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:o:zyxel:usg210_firmware:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Usg20-Vpn Firmware by Zyxel
Version Range Affected
From
4.35
(inclusive)
To
4.35\(abaq.3\)c0
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:o:zyxel:usg20-vpn_firmware:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Usg20W-Vpn Firmware by Zyxel
Version Range Affected
From
4.35
(inclusive)
To
4.35\(abar.3\)c0
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:o:zyxel:usg20w-vpn_firmware:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Usg40W Firmware by Zyxel
Version Range Affected
From
4.35
(inclusive)
To
4.35\(aalb.3\)c0
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:o:zyxel:usg40w_firmware:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Usg1100 Firmware by Zyxel
Version Range Affected
From
4.35
(inclusive)
To
4.35\(aapk.3\)c0
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:o:zyxel:usg1100_firmware:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Usg1900 Firmware by Zyxel
Version Range Affected
From
4.35
(inclusive)
To
4.35\(aapl.3\)c0
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:o:zyxel:usg1900_firmware:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020…
https://cwe.mitre.org/data/definitions/78.html
https://kb.cert.org/artifacts/cve-2020-9054.html
https://kb.cert.org/vuls/id/498544/
https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices/
https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-produc…
https://cwe.mitre.org/data/definitions/78.html
https://kb.cert.org/artifacts/cve-2020-9054.html
https://kb.cert.org/vuls/id/498544/
https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices/
https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-produc…