Zyxel Remote Execution Bug Runs Full Speed


Late last week, cybersecurity firm Rapid7 disclosed a nasty flaw in the firewalls of Taiwanese modem maker Zyxel. It allows an unauthenticated remote attacker to execute code on the device as a user. The root cause is missing input validation: two fields passed to a CGI handler are fed, unsanitised, into system calls. The affected models are the VPN and ATP series, as well as the USG 100(W), 200, 500, 700 and Flex 50(W)/USG20(W)-VPN models.
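The input-checking failure described above, as an added example in C that is not Zyxel's or Rapid7's code: a hypothetical CGI handler that pastes two request fields into a command line destined for system(), beside a hardened version that allowlists each field against its expected shape and runs the helper without a shell. The helper path, the field shapes (a bounded integer and a short token) and the limits are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define HELPER "/usr/sbin/port-helper" /* hypothetical binary the handler invokes */

/* Vulnerable pattern (the shape of the bug described above): two request
 * fields are pasted verbatim into a command line that system() hands to
 * /bin/sh, so any shell metacharacter in a field changes what runs.
 * Returns 1 if the command fit in the buffer (the caller would then system() it). */
int build_cmd_unsafe(char *out, size_t outlen, const char *field_a, const char *field_b)
{
    int n = snprintf(out, outlen, HELPER " %s %s", field_a, field_b);
    return n >= 0 && (size_t)n < outlen;
}

/* Hardened step 1: allowlist each field against the exact shape it must have. */
int is_valid_uint(const char *s, unsigned long max)
{
    if (*s == '\0' || strlen(s) > 10) return 0;
    for (const char *p = s; *p; p++)
        if (!isdigit((unsigned char)*p)) return 0;
    return strtoul(s, NULL, 10) <= max;
}

int is_valid_token(const char *s, size_t maxlen)
{
    size_t len = strlen(s);
    if (len == 0 || len > maxlen) return 0;
    for (const char *p = s; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '_' && *p != '-') return 0;
    return 1;
}

/* Hardened step 2: never go through a shell. fork/execv passes each field as its
 * own argv entry, so metacharacters are plain bytes. Returns the helper's exit
 * status, or -1 if a field failed validation or the process could not be run. */
int run_hardened(const char *field_a, const char *field_b)
{
    if (!is_valid_uint(field_a, 9000) || !is_valid_token(field_b, 16)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { HELPER, (char *)field_a, (char *)field_b, NULL };
        execv(HELPER, argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Rejecting malformed fields before anything is executed, and never letting a shell parse them, is the combination the patch for this class of bug needs; either half alone leaves a gap.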

At the time, Rapid7 said it had found 15,000 affected devices exposed on the internet. Over the weekend, however, the Shadowserver Foundation raised that number to over 20,800. “The most popular are USG20-VPN (10K IPs) and USG20W-VPN (5.7K IPs). Most models affected by CVE-2022-30525 are in the EU – France (4.5K) and Italy (4.4K),” the threat-monitoring non-profit tweeted.

The foundation said it had seen exploitation of the flaw begin on May 13, and urged owners of Zyxel devices to apply the patches the company has published without delay. After Rapid7 reported the vulnerability on April 13, the Taiwanese hardware maker quietly released patches on April 28. Rapid7 only realised on May 9 that the release had taken place; it then published its blog post and Metasploit module alongside Zyxel’s advisory, and voiced its unhappiness with the timeline of events.

Advance disclosure

“Releasing patches is equivalent to releasing details of vulnerabilities, since attackers and researchers can reverse-patch to learn the precise details of the exploit, while defenders rarely bother to do so,” wrote Jake Baines, the Rapid7 researcher who discovered the flaw.

“That’s why we’re releasing this early disclosure to help defenders detect the exploit and help them decide when to apply this patch in their own environments, based on their own risk tolerance. In other words, silent vulnerability patches tend to only help active attackers, and leave defenders in the dark about the real risk of newly discovered issues.”

For its part, Zyxel claimed that there had been a “misunderstanding during the process of coordinating disclosure” and that it “still follows the principles of coordinated disclosure”. At the end of March, Zyxel had published an advisory for another CVSS 9.8 vulnerability in its CGI program, one that could allow an attacker to bypass authentication and operate the device with administrative access.

Source: ZDNet.com
