Zyxel firewalls vulnerable to remote code execution

Taiwanese network equipment vendor Zyxel has issued firmware patches for 12 of its firewall devices, after security researchers discovered it was possible for unauthenticated attackers to run arbitrary code on them.

Vulnerable Zyxel firewalls allow attackers to issue commands as the “nobody” system user, through the administrative web interface if it is exposed to the Internet.

Security vendor Rapid7 researchers said that apart from issuing system commands, attackers could create reverse shells for remote access to vulnerable Zyxel firewalls.

Making matters worse, Zyxel prematurely released patches for the products.

Rapid7 researcher Jake Baines, who discovered the flaw in April this year, reported the issue to Zyxel and suggested a coordinated disclosure in June, with a 60-day deadline.

However, Zyxel independently released patches on April 28, which Rapid7 became aware of on May 9.

“This patch release is tantamount to releasing details of the vulnerabilities, since attackers and researchers can trivially reverse the patch to learn precise exploitation details, while defenders rarely bother to do this,” Baines said.

Baines added that silent vulnerability patching “tends to only help active attackers and leaves defenders in the dark about the true risk of newly discovered issues.”

Zyxel said the early patch release was because of a miscommunication between themselves and Rapid7 during the coordinated disclosure process.

“As a CNA, Zyxel always follows the principles of coordinated disclosure to arrange public disclosure with reporters,” the company said in its advisory.

Zyxel firewalls that support Zero Touch Provisioning need patched firmware, and Rapid7 suggested administrators enable automatic updating.

Firmware versions ZLD5.00 to ZLD5.21 patch 1 are affected by the vulnerability.

The vulnerable firmware is found on Zyxel’s USG Flex 100 and 100W, 200, 500, 700 firewalls, and the USG20-VPN and USG20-VPN products.

Zyxel’s ATP 100, 200, 500, 700 and 800 series firewalls also need patching, and all products should be updated to ZLD version 5.30.
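As an added example (not Zyxel's or Rapid7's code), the affected range stated above can be turned into an inventory check: parse a firmware string in the article's "ZLD5.21 patch 1" shape (the string format and the host inventory layout are assumptions), flag anything from ZLD5.00 through ZLD5.21 patch 1 as affected, and rank hosts whose web admin interface is Internet-exposed first.

```python
import re
from typing import List, Optional, Tuple

# Affected range from the advisory as reported: ZLD5.00 through ZLD5.21 patch 1.
# Fixed release: ZLD5.30. Versions are compared as (major, minor, patch) tuples.
AFFECTED_MIN = (5, 0, 0)
AFFECTED_MAX = (5, 21, 1)
FIXED_VERSION = (5, 30, 0)

# Assumed string shape, e.g. "ZLD5.21 patch 1" or "ZLD5.30"; a missing patch level means 0.
_VERSION_RE = re.compile(r"^ZLD\s*(\d+)\.(\d+)(?:\s*patch\s*(\d+))?$", re.IGNORECASE)


def parse_zld_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a ZLD version string, or None if it does not parse."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(text: str) -> Optional[bool]:
    """True if the firmware is inside the affected range, False if outside, None if unparseable."""
    version = parse_zld_version(text)
    if version is None:
        return None
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def triage(inventory: List[Tuple[str, str, bool]]) -> List[Tuple[str, str]]:
    """Rank hosts for patching.

    inventory rows are (hostname, firmware_string, web_admin_reachable_from_internet).
    Exposed and affected hosts come first, then affected but not exposed, then
    unparseable entries (which still need a manual look). Patched hosts are omitted.
    """
    ranked = []
    for host, firmware, exposed in inventory:
        affected = is_affected(firmware)
        if affected is True:
            ranked.append((0 if exposed else 1, host, "patch to ZLD5.30" + (" (exposed)" if exposed else "")))
        elif affected is None:
            ranked.append((2, host, "unrecognised firmware string, verify manually"))
    ranked.sort()
    return [(host, action) for _, host, action in ranked]


# Constructed sample inventory, not real hosts.
SAMPLE = [
    ("fw-branch-1", "ZLD5.21 patch 1", True),
    ("fw-branch-2", "ZLD5.30", True),
    ("fw-lab", "ZLD5.00", False),
    ("fw-old", "firmware unknown", False),
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE):
        print(f"{host}: {action}")
```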

While the firewalls are popular elsewhere in the world, with over 16,000 installed, a scan with the Shodan vulnerability search engine did not find any hosts in Australia or New Zealand.