On May 12th, 2022, details were released on a vulnerability affecting several Zyxel Networks VPN and firewall devices. Tracked as CVE-2022-30525 with a CVSS score of 9.8 (critical), this vulnerability allows an attacker to run arbitrary commands on the device without authentication. Discovered by researchers at Rapid7, this vulnerability is easy to exploit and has already been used successfully in the wild.
Censys was able to fingerprint and identify the specific running versions of these devices. At the time of writing, Censys observed 19,506 Zyxel firewall/VPN devices, of which over 7,500 may be vulnerable to this specific attack.
The good news is that many of these devices seem to have auto-updates enabled: over the last few days we have already observed thousands of hosts with the latest patched firmware version, 5.30, installed.
Summary
Zyxel device series in scope:
- ATP Series
- USG FLEX 50(W)
- USG FLEX 100(W), 200, 500, 700
Identifying & Fingerprinting Zyxel Devices
To determine the actual scope of this vulnerability, we had to figure out a method to identify specific versions of the running software. Sometimes this is easier said than done, and this vendor is no exception: there is no specific information in our scan data that states the actual version of the running software. But we did not allow this to deter us, since we have successfully versioned the unversionable before.
The first step was to look at the artifacts and data we already have to see if something in them could map a device to a specific version. It seemed that every Zyxel device we could find in our data imported a common set of JavaScript files:
One of the JavaScript include files that caught our attention was “/ext-js/app/common/zld_product_spec.js”, which also carried a query argument named “v” followed by a string of digits. For example:
Since our data only includes information found at the root of the HTTP service, we had to fetch this specific public-facing file manually. The file contains over one thousand lines of JavaScript variables, including one named “ZLDCONFIG_CLOUD_HELP_VERSION”.
It seems that this variable is used throughout the software to generate links to version-specific documentation on Zyxel’s customer support page. If our assumptions are correct, we can use it to associate the “?v=220420024630” link with an actual firmware version of the device.
We needed to generate a list of hosts and the numerical characters that followed the “zld_product_spec.js” file using just the data in our dataset. This is best done using Censys’s BigQuery interface (available to enterprise customers):
The result of which looks like the following, and can be saved as a CSV:
We then took the full list and wrote a small custom script to automatically fetch the “/ext-js/app/common/zld_product_spec.js” file from each host, parse the result, and create a log file containing the digits following the “v” argument together with the value of the “ZLDCONFIG_CLOUD_HELP_VERSION” variable found in the actual “zld_product_spec” JavaScript file. For example:
After close analysis of these results, we determined that only the first four digits of this “v” number are needed to associate it with a specific firmware version. And since we only have to identify versions between 5.00 and 5.30, we can say the following with our data:
- v5.00 has a “v” argument value in the range ‘2106’ to ‘2108’
- v5.10 has a “v” argument value in the range ‘2109’ to ‘2111’
- v5.20 has a “v” argument value in the range ‘2201’ to ‘2203’
- v5.30 (the latest, and the first non-vulnerable version) has a “v” argument value that always starts with ‘2204’
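The fingerprinting script described above is not reproduced in the post. The following is an added example, not Censys's own code, that implements the same idea offline: it pulls the “v” query argument of the zld_product_spec.js include out of a captured root page, maps its first four digits to a firmware version using exactly the ranges listed above, pulls the “ZLDCONFIG_CLOUD_HELP_VERSION” value out of captured JavaScript, and flags anything older than 5.30 as potentially vulnerable. The HTML and JavaScript snippets are constructed samples, the `var NAME = "value";` form of the ZLDCONFIG variable is an assumption, and the function names are mine. A real run would replace the constructed inputs with the CSV of hosts and a fetch of the file from each host.

```python
import re
from urllib.parse import parse_qs, urlparse

# Four-digit prefix ranges of the "v" argument, as stated in the post:
# (first_prefix, last_prefix, firmware_version). Four-digit strings compare
# lexicographically the same way they compare numerically.
PREFIX_RANGES = [
    ("2106", "2108", "5.00"),
    ("2109", "2111", "5.10"),
    ("2201", "2203", "5.20"),
    ("2204", "2204", "5.30"),
]
FIRST_PATCHED = "5.30"  # first non-vulnerable version per the post

# src="/ext-js/app/common/zld_product_spec.js?v=..." on the root page
SPEC_JS_RE = re.compile(r'src=["\']([^"\']*zld_product_spec\.js[^"\']*)["\']', re.I)
# Assumed declaration form inside zld_product_spec.js (not confirmed by the post).
HELP_VERSION_RE = re.compile(r'ZLDCONFIG_CLOUD_HELP_VERSION\s*=\s*["\']([^"\']*)["\']')


def extract_v_argument(root_html):
    """Return the 'v' query value of the zld_product_spec.js include, or None."""
    m = SPEC_JS_RE.search(root_html)
    if not m:
        return None
    values = parse_qs(urlparse(m.group(1)).query).get("v")
    return values[0] if values else None


def firmware_from_v(v):
    """Map the first four digits of the 'v' value to a firmware version, or None."""
    if not v or len(v) < 4 or not v[:4].isdigit():
        return None
    prefix = v[:4]
    for low, high, version in PREFIX_RANGES:
        if low <= prefix <= high:
            return version
    return None  # prefix outside every known range: leave unmapped, do not guess


def extract_help_version(spec_js):
    """Return the ZLDCONFIG_CLOUD_HELP_VERSION value from the fetched JS, or None."""
    m = HELP_VERSION_RE.search(spec_js)
    return m.group(1) if m else None


def is_potentially_vulnerable(version):
    """True for mapped versions older than 5.30; None when the version is unknown."""
    if version is None:
        return None
    as_tuple = lambda s: tuple(int(x) for x in s.split("."))
    return as_tuple(version) < as_tuple(FIRST_PATCHED)


def classify_host(host, root_html, spec_js=None):
    """One log record per host, in the shape the post's script wrote out."""
    v = extract_v_argument(root_html)
    version = firmware_from_v(v)
    return {
        "host": host,
        "v": v,
        "firmware": version,
        "cloud_help_version": extract_help_version(spec_js) if spec_js else None,
        "potentially_vulnerable": is_potentially_vulnerable(version),
    }


def summarize(records):
    """Count hosts per mapped firmware version (None = unmapped)."""
    counts = {}
    for r in records:
        counts[r["firmware"]] = counts.get(r["firmware"], 0) + 1
    return counts


# Constructed samples standing in for fetched pages (not real scan data).
SAMPLE_HTML = (
    '<html><head><script type="text/javascript" '
    'src="/ext-js/app/common/zld_product_spec.js?v=220420024630"></script>'
    "</head><body></body></html>"
)
SAMPLE_JS = 'var ZLDCONFIG_PRODUCT = "USG FLEX";\nvar ZLDCONFIG_CLOUD_HELP_VERSION = "5.30";\n'
SAMPLE_HOSTS = {
    "host-a.example": SAMPLE_HTML,
    "host-b.example": SAMPLE_HTML.replace("220420024630", "220215093000"),
    "host-c.example": SAMPLE_HTML.replace("220420024630", "210701120000"),
    "host-d.example": "<html><body>no zyxel include here</body></html>",
}

if __name__ == "__main__":
    records = [classify_host(h, html, SAMPLE_JS if "2204" in html else None)
               for h, html in SAMPLE_HOSTS.items()]
    for r in records:
        print(r)
    print("per-version counts:", summarize(records))
```

Hosts whose prefix falls outside the four stated ranges are deliberately left unmapped rather than rounded to the nearest version, so the per-version counts never overstate exposure; those hosts are the ones worth fetching the JavaScript file from to read the help-version variable directly.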
With this information in hand, we can construct a complete picture of the internet and how this vulnerability affects it. Once again, the best way to do this is the Censys BigQuery interface:
This gave us a total of 71 results, all of which were mapped to a specific firmware version. We then used this data to generate the summary reports at the beginning of this post.
What can be done?
- Censys ASM customers have access to two new risks: one that warns of an exposed Zyxel administration interface, and another that covers the vulnerable versions identified in this research.
- Administrators should follow the instructions in Zyxel’s article about this vulnerability.