CVE-2020-15331 Zyxel CloudCNM has a hardcoded OAUTH_SECRET_KEY in SecuManager 3.1.0 and 3.1.1.
The shipped key is identical on every installation (the value is "eNmbXnXzX9G3vYd3JWw"), so it provides no secrecy: anyone with a copy of the software knows it. Systems upgraded from 3.0.x, which shipped with the same hardcoded OAUTH_SECRET_KEY, carry the problem forward unless the key is changed.
The recommended fix is to upgrade affected 3.1.0 and 3.1.1 systems to version 3.1.2, which replaces OAUTH_SECRET_KEY with a random string during the upgrade. If the key still holds the shipped value after upgrading, rotate it manually as described below.
Manual rotation
1. Log in to the Zyxel CloudCNM SecuManager system as the root user.
2. Check the current key. If the command prints the shipped value, the system is still affected:
# cat /etc/axess/OauthSecretKey
eNmbXnXzX9G3vYd3JWw
3. Overwrite the key with a random string of 32 characters. Generate a fresh value on each system; never write the shipped value back, and do not copy a value from documentation or from another system:
# echo -n "$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32)" > /etc/axess/OauthSecretKey
4. Apply the change to the running environment:
# source /etc/axess/.profile
5. Confirm that the file now holds the new value and no longer the shipped one:
# cat /etc/axess/OauthSecretKey
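As an added example (not Zyxel's tooling and not part of the original advisory), the following POSIX shell script performs the rotation above in a checkable way: it detects whether a key file still holds the shipped value, generates a fresh 32-character key from /dev/urandom, writes it with restrictive permissions, and verifies the result. It assumes the key is stored as a bare string in a file (default /etc/axess/OauthSecretKey, the path given on this page); the path is a parameter so the script can be exercised on a scratch file before touching the real one.

```shell
#!/bin/sh
# Added example for rotating the CloudCNM SecuManager OAUTH_SECRET_KEY.
# Assumptions: the key is a bare string in the file passed as the first
# argument (default: /etc/axess/OauthSecretKey), and the shipped value is
# the one quoted in the advisory text.

HARDCODED_KEY="eNmbXnXzX9G3vYd3JWw"
DEFAULT_KEY_FILE="/etc/axess/OauthSecretKey"

# Returns 0 (true) when the file still contains the shipped secret.
is_hardcoded_key() {
    [ -f "$1" ] && [ "$(cat "$1")" = "$HARDCODED_KEY" ]
}

# Prints 32 alphanumeric characters drawn from the kernel CSPRNG.
# LC_ALL=C keeps tr byte-oriented so it does not choke on random bytes.
generate_key() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
}

# Replaces the key in the given file with a fresh random value, restricts
# the file to the owner, and verifies the write. Returns non-zero on any
# failure so callers (and set -e) notice.
rotate_key() {
    file="${1:-$DEFAULT_KEY_FILE}"
    new_key="$(generate_key)"
    [ "${#new_key}" -eq 32 ] || return 1
    # Write without a trailing newline, matching the echo -n on this page.
    printf '%s' "$new_key" > "$file" || return 1
    chmod 600 "$file" || return 1
    # Read back and compare; a partial write or wrong path fails here.
    [ "$(cat "$file")" = "$new_key" ]
}

# Convenience check after rotation: the file must hold a 32-character
# value that is not the shipped one.
key_is_rotated() {
    key="$(cat "$1")"
    [ "${#key}" -eq 32 ] && [ "$key" != "$HARDCODED_KEY" ]
}
```

Usage on a live system is `rotate_key /etc/axess/OauthSecretKey` as root, followed by `source /etc/axess/.profile` as on this page; `is_hardcoded_key /etc/axess/OauthSecretKey` is a quick way to audit a fleet for systems that never had the key replaced.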
Environment Variables
The Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 system ships with two relevant environment variables: OAUTH_SECRET_KEY and CLOUDCNM_TOKEN_TOKEN. CLOUDCNM_TOKEN_TOKEN controls whether the device can be accessed with a token; OAUTH_SECRET_KEY is used to authenticate the account that holds a token (for example an admin user). Because the shipped OAUTH_SECRET_KEY is the same everywhere, tokens issued under it cannot be trusted.
Changing OAUTH_SECRET_KEY (in the /etc/axess/ directory, to a random string of 32 characters) invalidates the tokens that were issued under the old key, so all users on the system will have to authenticate again. Plan the rotation accordingly.
Edit the /etc/axess/OAuth.conf File
If your installation keeps the key in /etc/axess/OAuth.conf rather than in the OauthSecretKey file, edit that file instead:
1. Log in to the Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 system as the root user.
2. Open the /etc/axess/ directory.
3. Edit /etc/axess/OAuth.conf and replace the value on the OAUTH_SECRET_KEY line with the same random 32-character string, so that the two locations do not disagree.
4. Save your changes and exit the file when finished.
Timeline
Published on: 09/29/2022 03:15:00 UTC
Last modified on: 09/29/2022 17:15:00 UTC