(Update) Zyxel security advisory for the remote code execution vulnerability of NAS and firewall products
CVE: CVE-2020-9054
Summary
Zyxel NAS (Network Attached Storage) and firewall products are affected by a remote code execution vulnerability. Users are advised to install the standard firmware patches or follow the workaround immediately for optimal protection.
What is the vulnerability?
A remote code execution vulnerability was identified in the weblogin.cgi program used in Zyxel NAS and firewall products. Missing authentication for the program could allow attackers to perform remote code execution via OS command injection.
What products are vulnerable—and what should you do?
After a thorough investigation of the complete product lines, we’ve confirmed that the vulnerability affects the following products running specific firmware versions:
NAS products running firmware version 5.21 and earlier.
UTM, ATP, and VPN firewalls running firmware version ZLD V4.35 Patch 0 through ZLD V4.35 Patch 2. Those with firmware versions before ZLD V4.35 Patch 0 are NOT affected.
We’ve identified the vulnerable products that are within their warranty and support period, as shown in the table below. For optimal protection, we urge users to install the standard firmware patches immediately.
| Affected model | Standard firmware version |
|---|---|
| NAS326 | Available now. Firmware V5.21(AAZF.10)C0 |
| NAS520 | Available now. Firmware V5.21(AASZ.3)C0* |
| NAS540 | Available now. Firmware V5.21(AATB.7)C0 |
| NAS542 | Available now. Firmware V5.21(ABAG.7)C0 |
| ATP100 | Available now. Firmware V4.35(ABPS.3)C0 |
| ATP200 | Available now. Firmware V4.35(ABFW.3)C0 |
| ATP500 | Available now. Firmware V4.35(ABFU.3)C0 |
| ATP800 | Available now. Firmware V4.35(ABIQ.3)C0 |
| USG20-VPN | Available now. Firmware V4.35(ABAQ.3)C0 |
| USG20W-VPN | Available now. Firmware V4.35(ABAR.3)C0 |
| USG40 | Available now. Firmware V4.35(AALA.3)C0 |
| USG40W | Available now. Firmware V4.35(AALB.3)C0 |
| USG60 | Available now. Firmware V4.35(AAKY.3)C0 |
| USG60W | Available now. Firmware V4.35(AAKZ.3)C0 |
| USG110 | Available now. Firmware V4.35(AAPH.3)C0 |
| USG210 | Available now. Firmware V4.35(AAPI.3)C0 |
| USG310 | Available now. Firmware V4.35(AAPJ.3)C0 |
| USG1100 | Available now. Firmware V4.35(AAPK.3)C0 |
| USG1900 | Available now. Firmware V4.35(AAPL.3)C0 |
| USG2200 | Available now. Firmware V4.35(ABAE.3)C0 |
| VPN50 | Available now. Firmware V4.35(ABHL.3)C0 |
| VPN100 | Available now. Firmware V4.35(ABFV.3)C0 |
| VPN300 | Available now. Firmware V4.35(ABFC.3)C0 |
| VPN1000 | Available now. Firmware V4.35(ABIP.3)C0 |
| ZyWALL110 | Available now. Firmware V4.35(AAAA.3)C0 |
| ZyWALL310 | Available now. Firmware V4.35(AAAB.3)C0 |
| ZyWALL1100 | Available now. Firmware V4.35(AAAC.3)C0 |
*NAS520 has reached end-of-life, so please contact your local Zyxel support team for the firmware file.
Note: If you have any questions about installing the firmware for NAS products, please refer to the FAQ on our forum:
https://community.zyxel.com/en/discussion/8525/faq-upgrading-latest-nas-remote-code-execution-vulnerability-firmware
For affected NAS products that reached end-of-support in 2016 or earlier, firmware updates are no longer provided. We strongly recommend that users follow the workaround procedure, as detailed below, to remediate the vulnerability.
| Affected models that are end-of-support | Workaround |
|---|---|
| NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2 | Do not leave the product directly exposed to the internet. If possible, connect it to a security router or firewall for additional protection. |
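As an added example that is not part of Zyxel's advisory, the following Python script classifies a device inventory against the two tables above. It assumes that a Zyxel firmware string such as V4.35(ABPS.3)C0 encodes release(build code.patch level), which is consistent with every fixed firewall version ending in ".3", and it copies only a subset of the models into its lookup; the inventory is constructed.

```python
import re
from typing import NamedTuple
# Assumption (not in the advisory): "V4.35(ABPS.3)C0" reads <release>(<build code>.<patch>)C<n>,
# which matches every fixed firewall version in the table ending in ".3".
VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C\d+$")

class Firmware(NamedTuple):
    release: tuple   # (major, minor), e.g. (4, 35)
    build: str       # per-model build code, e.g. "ABPS"
    patch: int       # patch level; field order makes >= a version comparison

def parse_firmware(text):
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    return Firmware((int(m[1]), int(m[2])), m[3], int(m[4]))

# Fixed firmware per model, copied from the advisory table (subset), with the release
# that introduced the bug; None means every earlier NAS release is affected.
FIXED = {
    "NAS326": ("V5.21(AAZF.10)C0", None),
    "NAS540": ("V5.21(AATB.7)C0", None),
    "ATP100": ("V4.35(ABPS.3)C0", (4, 35)),
    "USG40":  ("V4.35(AALA.3)C0", (4, 35)),
}
EOS_NAS = {"NSA210", "NSA220", "NSA220+", "NSA221", "NSA310", "NSA310S",
           "NSA320", "NSA320S", "NSA325", "NSA325v2"}  # second table: no fix, apply the workaround

def assess(model, version):
    """Status for CVE-2020-9054: patched, vulnerable, not affected, workaround or unknown."""
    if model in EOS_NAS:
        return "workaround"
    if model not in FIXED:
        return "unknown"                      # model is not listed in the advisory
    fixed, introduced = FIXED[model]
    have, want = parse_firmware(version), parse_firmware(fixed)
    if introduced and have.release < introduced:
        return "not affected"                 # firewalls before ZLD V4.35 never had the bug
    if have.release > want.release:
        return "unknown"                      # newer release than the advisory covers
    if have.release == want.release and have.build != want.build:
        raise ValueError(f"build code {have.build} does not belong to {model}")
    return "patched" if have >= want else "vulnerable"

# Constructed sample inventory (not real devices); EOS models are never parsed, hence "n/a".
INVENTORY = [("ATP100", "V4.35(ABPS.2)C0"), ("USG40", "V4.33(AALA.5)C0"),
             ("NAS326", "V5.21(AAZF.8)C0"), ("NAS540", "V5.21(AATB.7)C0"), ("NSA325", "n/a")]

def triage(inventory=INVENTORY):
    return [(model, version, assess(model, version)) for model, version in inventory]
```

Anything reported as "vulnerable" needs the standard firmware from the first table, and "workaround" devices need the isolation described in the second.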
Update on Jan. 27, 2022
Recent research suggests that new BotenaGo malware is targeting devices from several vendors that have known CVE vulnerabilities. We urge users of the above-listed devices to install the applicable updates or follow the workaround procedure immediately for optimal protection.
Got a question?
Please contact your local service rep or visit Zyxel’s forum for further information or assistance.
Acknowledgment
Thanks to Brian Krebs, an independent investigative journalist, for reporting the issue to us and CERT/CC for coordinating the disclosure process.
Revision history
2020-02-24: Initial release
2020-02-26: Added firewall products to the vulnerable product list and corrected the acknowledgement section
2020-02-27: Added further instructions about installing the hotfixes and standard firmware
2020-03-04: Updated the standard firmware download links for firewalls
2020-03-06: Updated the standard firmware download links for NAS and removed the hotfixes
2020-03-11: Added NAS firmware update FAQ
2022-01-28: Updated the patch firmware version of NAS326, NAS540, and NAS542; added response to recent research on BotenaGo Malware