{"id":33600,"date":"2020-02-26T21:40:16","date_gmt":"2020-02-26T21:40:16","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/zyxel-storage-firewall-vpn-security-boxes-have-a-give-anyone-on-the-internet-root-hole-patch-right-now\/"},"modified":"2020-02-26T21:40:16","modified_gmt":"2020-02-26T21:40:16","slug":"zyxel-storage-firewall-vpn-security-boxes-have-a-give-anyone-on-the-internet-root-hole-patch-right-now","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/zyxel-storage-firewall-vpn-security-boxes-have-a-give-anyone-on-the-internet-root-hole-patch-right-now\/","title":{"rendered":"Zyxel storage, firewall, VPN, security boxes have a give-anyone-on-the-internet-root hole: Patch right now"},"content":{"rendered":"
<\/div>\n

Zyxel’s network storage boxes, business VPN gateways, firewalls, and, er, security scanners can be remotely hijacked by any miscreant, due to a devastating security hole in the firmware.<\/p>\n

The devices’ weblogin.cgi program fails to sanitize user input, allowing anyone who can reach one of these vulnerable machines, over the network or across the internet, can silently inject and execute arbitrary commands as a root superuser with no authentication required. That would be a total compromise. It’s a 10 out of 10 in terms of severity.<\/p>\n

As its name suggests, weblogin.cgi is part of the built-in web-based user interface provided by the firmware, and the commands can be injected via GET or POST HTTP requests.<\/p>\n

If a miscreant can’t directly connect to a vulnerable Zyxel device, “there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable device,” noted<\/a> Carnegie Mellon’s CERT Coordination Center in its advisory on the matter.<\/p>\n

“For example, simply visiting a website can result in the compromise of any Zyxel device that is reachable from the client system.”<\/p>\n

Here’s the affected equipment, which will need patching:<\/p>\n