Headline
CVE-2022-30526: Zyxel security advisory for local privilege escalation and authenticated directory traversal vulnerabilities of firewalls
A privilege escalation vulnerability was identified in the CLI command of Zyxel USG FLEX 100(W) firmware versions 4.50 through 5.30, USG FLEX 200 firmware versions 4.50 through 5.30, USG FLEX 500 firmware versions 4.50 through 5.30, USG FLEX 700 firmware versions 4.50 through 5.30, USG FLEX 50(W) firmware versions 4.16 through 5.30, USG20(W)-VPN firmware versions 4.16 through 5.30, ATP series firmware versions 4.32 through 5.30, VPN series firmware versions 4.30 through 5.30, USG/ZyWALL series firmware versions 4.09 through 4.72, which could allow a local attacker to execute some OS commands with root privileges in some directories on a vulnerable device.
- Homepage
- Support
- Security Advisories
- Zyxel security advisory for local privilege escalation and authenticated directory traversal vulnerabilities of firewalls
CVE: CVE-2022-30526, CVE-2022-2030
Summary
Zyxel has released patches for products affected by local privilege escalation and authenticated directory traversal vulnerabilities. Users are advised to install them for optimal protection.
What is the vulnerability?
CVE-2022-30526
A privilege escalation vulnerability was identified in the CLI command of some firewall versions that could allow a local attacker to execute some OS commands with root privileges in some directories on a vulnerable device.
CVE-2022-2030
An authenticated directory traversal vulnerability caused by specific character sequences within an improperly sanitized URL was identified in some CGI programs of some firewall versions.
What versions are vulnerable—and what should you do?
After a thorough investigation, we’ve identified the vulnerable products for CVE-2022-30526 and CVE-2022-2030 that are within their vulnerability support period, with their firmware patches shown in the table below.
Affected model
Affected version
Patch availability
CVE-2022-30526
CVE-2022-2030
USG FLEX 100(W), 200, 500, 700
ZLD V4.50~V5.30
ZLD V4.50~V5.30
ZLD V5.31
USG FLEX 50(W) / USG20(W)-VPN
ZLD V4.16~V5.30
ZLD V4.16~V5.30
ZLD V5.31
ATP series
ZLD V4.32~V5.30
ZLD V4.32~V5.30
ZLD V5.31
VPN Series
ZLD V4.30~V5.30
ZLD V4.30~V5.30
ZLD V5.31
USG/ZyWALL
ZLD V4.09~V4.72
ZLD V4.11~V4.72
ZLD V4.72 week28*
*Please reach out to your local Zyxel support team for the file.
Got a question?
Please contact your local service rep or visit Zyxel’s forum for further information or assistance.
Acknowledgment
Thanks to the following security consultancies for reporting the issues to us:
- Rapid7 for CVE-2022-30526
- Maurizio Agazzini (HN Security) in collaboration with SSD Secure Disclosure for CVE-2022-2030
Revision history
2022-07-19: Initial release
Related news
Networking equipment maker Zyxel has released patches for a critical security flaw impacting its network-attached storage (NAS) devices. Tracked as CVE-2022-34747 (CVSS score: 9.8), the issue relates to a "format string vulnerability" affecting NAS326, NAS540, and NAS542 models. Zyxel credited researcher Shaposhnikov Ilya for reporting the flaw. "A format string vulnerability was found in a
This Metasploit module exploits CVE-2022-30526, a local privilege escalation vulnerability that allows a low privileged user (e.g. nobody) escalate to root. The issue stems from a suid binary that allows all users to copy files as root. This module overwrites the firewall's crontab to execute an attacker provided script, resulting in code execution as root. In order to use this module, the attacker must first establish shell access. For example, by exploiting CVE-2022-30525. Known affected Zyxel models include USG FLEX (50, 50W, 100W, 200, 500, 700), ATP (100, 200, 500, 700, 800), VPN (50, 100, 300, 1000), USG20-VPN and USG20W-VPN.
Severity of code execution bug mitigated by ‘high uptake’ of previous patch