The severity of the code execution bug was reduced by the prior patch’s “high uptake.”
Following the identification of two security flaws that exposed corporate networks to exploitation, Zyxel has published updates for a number of its firewall devices.
The first vulnerability on the list is CVE-2022-2030, an authenticated directory traversal flaw in the Common Gateway Interface (CGI) programs of some Zyxel firewalls. It is caused by specific character sequences in a URL not being properly sanitised.
The second issue, CVE-2022-30526, is a local privilege escalation (LPE) vulnerability that has been discovered in various firewall versions’ command-line interface (CLI).
If the weakness is not fixed, a local attacker may be able to access certain files on a susceptible device and run certain OS commands with root privileges.
Breaking the chain
Security experts from Rapid7 were the ones to identify the privilege escalation problem affecting Zyxel firewalls. On susceptible firewalls, the vulnerability enables a low-privileged user, such as the nobody account, to escalate to root.
An attacker might gain shell access to the firewall by exploiting CVE-2022-30525, a different problem that was found by the same researchers and addressed by Zyxel earlier this year, as stated in a technical blog post by Rapid7 on July 19.
Fortunately, there has been a significant uptake of the earlier remedy, which has lessened the impact of this most recent vulnerability.
Jake Baines, lead security researcher at Rapid7, told The Daily Swig: “CVE-2022-30526 is useless unless you are able to chain it with a vulnerability like CVE-2022-30525.”
He added: “We are happy to report that we’ve seen very high uptake on the patch for CVE-2022-30525, so Zyxel’s patch for CVE-2022-30526 is almost purely a defensive measure – at least until another remote code execution vulnerability is found in their firewalls. Then the patch will have paid off.”
The path traversal issue was discovered by Italian security researcher Maurizio Agazzini of HN Security.
“We agree with Zyxel to release further details of the vulnerability around mid-August in order to allow their customers to have the time to patch all systems,” Agazzini told us.
The latest vulnerabilities affect various versions of several Zyxel firewalls, including USG Flex, ATP Series, VPN Series, and USG ZyWall.