CVE-2022-30526: Zyxel security advisory for local privilege escalation and authenticated directory traversal vulnerabilities of firewalls

A privilege escalation vulnerability was identified in the CLI command of Zyxel USG FLEX 100(W) firmware versions 4.50 through 5.30, USG FLEX 200 firmware versions 4.50 through 5.30, USG FLEX 500 firmware versions 4.50 through 5.30, USG FLEX 700 firmware versions 4.50 through 5.30, USG FLEX 50(W) firmware versions 4.16 through 5.30, USG20(W)-VPN firmware versions 4.16 through 5.30, ATP series firmware versions 4.32 through 5.30, VPN series firmware versions 4.30 through 5.30, USG/ZyWALL series firmware versions 4.09 through 4.72, which could allow a local attacker to execute some OS commands with root privileges in some directories on a vulnerable device.


CVE: CVE-2022-30526, CVE-2022-2030

Summary

Zyxel has released patches for products affected by local privilege escalation and authenticated directory traversal vulnerabilities. Users are advised to install them for optimal protection.

What is the vulnerability?

CVE-2022-30526

A privilege escalation vulnerability was identified in the CLI command of some firewall versions that could allow a local attacker to execute some OS commands with root privileges in some directories on a vulnerable device.

CVE-2022-2030

An authenticated directory traversal vulnerability caused by specific character sequences within an improperly sanitized URL was identified in some CGI programs of some firewall versions.

What versions are vulnerable—and what should you do?

After a thorough investigation, we’ve identified the vulnerable products for CVE-2022-30526 and CVE-2022-2030 that are within their vulnerability support period, with their firmware patches shown in the table below.

| Affected model | Affected version (CVE-2022-30526) | Affected version (CVE-2022-2030) | Patch availability |
|---|---|---|---|
| USG FLEX 100(W), 200, 500, 700 | ZLD V4.50~V5.30 | ZLD V4.50~V5.30 | ZLD V5.31 |
| USG FLEX 50(W) / USG20(W)-VPN | ZLD V4.16~V5.30 | ZLD V4.16~V5.30 | ZLD V5.31 |
| ATP series | ZLD V4.32~V5.30 | ZLD V4.32~V5.30 | ZLD V5.31 |
| VPN Series | ZLD V4.30~V5.30 | ZLD V4.30~V5.30 | ZLD V5.31 |
| USG/ZyWALL | ZLD V4.09~V4.72 | ZLD V4.11~V4.72 | ZLD V4.72 week28* |

*Please reach out to your local Zyxel support team for the file.
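The table above can be applied to a device inventory with a small triage script. This is an added example, not code from Zyxel or from the original advisory; the family labels, status names and inventory entries are constructed, and it assumes each firmware string contains a "major.minor" number such as V5.30.

```python
import re

def both(first, last):
    """Same affected range for both CVEs (most rows of the advisory table)."""
    return {"CVE-2022-30526": (first, last), "CVE-2022-2030": (first, last)}

# Affected ranges copied from the advisory table; the dict keys are labels chosen here.
RANGES = {
    "USG FLEX 100(W)/200/500/700": both("4.50", "5.30"),
    "USG FLEX 50(W)/USG20(W)-VPN": both("4.16", "5.30"),
    "ATP": both("4.32", "5.30"),
    "VPN": both("4.30", "5.30"),
    "USG/ZyWALL": {"CVE-2022-30526": ("4.09", "4.72"),
                   "CVE-2022-2030": ("4.11", "4.72")},
}
# The USG/ZyWALL fix is "V4.72 week28": same number as the last affected release,
# so the version number alone cannot tell a patched build from an unpatched one.
SAME_NUMBER_FIX = {"USG/ZyWALL"}

def parse_version(text):
    """Extract (major, minor) as integers from strings like 'ZLD V4.09'."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return int(m.group(1)), int(m.group(2))

def triage(family, firmware):
    """Return {CVE: status} for one device; status names are this example's own."""
    v, result = parse_version(firmware), {}
    for cve, (first, last) in RANGES[family].items():
        lo, hi = parse_version(first), parse_version(last)
        if v < lo:
            result[cve] = "below-range"    # older than anything the advisory lists
        elif v > hi:
            result[cve] = "above-range"    # newer than the last affected release
        elif v == hi and family in SAME_NUMBER_FIX:
            result[cve] = "verify-build"   # confirm the week28 build with support
        else:
            result[cve] = "affected"
    return result

# Constructed inventory: (hostname, family label, firmware string).
INVENTORY = [("fw-hq-01", "USG FLEX 100(W)/200/500/700", "ZLD V5.31"),
             ("fw-branch-01", "ATP", "V5.30"),
             ("fw-lab-02", "USG/ZyWALL", "V4.10"),
             ("fw-old-03", "USG/ZyWALL", "V4.72")]

if __name__ == "__main__":
    for host, family, fw in INVENTORY:
        print(host, fw, triage(family, fw))
```

A "below-range" result only means the advisory does not list that release, which may be outside the vulnerability support period rather than unaffected.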

Got a question?

Please contact your local service rep or visit Zyxel’s forum for further information or assistance.

Acknowledgment

Thanks to the following security consultancies for reporting the issues to us:

  • Rapid7 for CVE-2022-30526
  • Maurizio Agazzini (HN Security) in collaboration with SSD Secure Disclosure for CVE-2022-2030

Revision history

2022-07-19: Initial release

Related news

Critical RCE Vulnerability Affects Zyxel NAS Devices — Firmware Patch Released

Networking equipment maker Zyxel has released patches for a critical security flaw impacting its network-attached storage (NAS) devices. Tracked as CVE-2022-34747 (CVSS score: 9.8), the issue relates to a "format string vulnerability" affecting NAS326, NAS540, and NAS542 models. Zyxel credited researcher Shaposhnikov Ilya for reporting the flaw. "A format string vulnerability was found in a

Zyxel Firewall SUID Binary Privilege Escalation

This Metasploit module exploits CVE-2022-30526, a local privilege escalation vulnerability that allows a low-privileged user (e.g. nobody) to escalate to root. The issue stems from a suid binary that allows all users to copy files as root. This module overwrites the firewall's crontab to execute an attacker-provided script, resulting in code execution as root. In order to use this module, the attacker must first establish shell access, for example by exploiting CVE-2022-30525. Known affected Zyxel models include USG FLEX (50, 50W, 100W, 200, 500, 700), ATP (100, 200, 500, 700, 800), VPN (50, 100, 300, 1000), USG20-VPN and USG20W-VPN.

Zyxel firewall vulnerabilities left business networks open to abuse

Severity of code execution bug mitigated by ‘high uptake’ of previous patch
