Networking devices vendor Zyxel has released patches for several network attached storage (NAS) devices to address a critical vulnerability that is already being exploited by cybercriminals.
Tracked as CVE-2020-9054, the issue is a remote code execution flaw that can be exploited without authentication and which resides in the weblogin.cgi CGI executable failing to properly sanitize the username parameter passed to it.
Thus, if certain characters are included in the username, the vulnerability can be exploited for command injection with the privileges of the web server. An attacker can then leverage a setuid utility included on the device to run any command with root privileges, CERT Coordination Center (CERT/CC) explains.
“A remote code execution vulnerability was identified in the weblogin.cgi program of Zyxel NAS products running firmware version 5.21 and earlier. Missing authentication for the program could allow attackers to perform remote code execution via OS command injection,” Zyxel explains in an advisory.
A remote attacker could execute arbitrary code on a vulnerable Zyxel device by sending a specially-crafted HTTP POST or GET request. The bug could be triggered even if the attacker does not have direct connectivity to the device (if the device is not exposed to the web), but the victim connects to a malicious website.
An exploit for the vulnerability has been available for sale on underground forums for a while now, priced at $20,000, security reporter Brian Krebs, who alerted Zyxel, DHS, and CERT/CC on the flaw, reveals.
Krebs also says that groups specializing in deploying ransomware at scale have shown interest in the exploit, and that the Emotet gang wou ..
Support the originator by clicking the read the rest link below.
