Ransomware crims target easily exploitable Zyxel vulnerability

Multiple firewall and network attached storage (NAS) devices from Taiwanese maker Zyxel contain a remote code execution vulnerability that can be exploited without any authentication, potentially allowing for full compromise of systems.

"A remote code execution vulnerability was identified in the weblogin.cgi program used in Zyxel NAS and firewall products.

"Missing authentication for the program could allow attackers to perform remote code execution via OS command injection," the compay said in its security advisory. 

The flaw can be exploited by sending malicious hyper text transfer protocol POST or GET requests to vulnerable devices.

Zyxel has issued security patches for four NAS devices and for 23 firewall models that are currently supported.

A further ten older NAS servers that are out of support are also affected by the flaw but do not have security patches available.

For these, Zyxel suggests as a workaround customers do not connect them directly to the internet.

Instead, customers are advised to use a "security router" or a firewall for additional protection.

However, the United States Computer Emergency Response Team pointed out that the workaround doesn't protect against attackers creating specially crafted websites on client systems that can reach the vulnerable Zyxel devices.

CERT/CC suggested that the issue which is rated as ten or most severe can be mitigated by blocking access to the Zyxel device web-based interface on TCP port 80 and 443.

Any computer that can access the web interface on Zyxel devices should not be able to access the internet as well, CERT/CC suggested.

Users should exercise caution as Zyxel's firmware upgrade process uses an insecure channel via unencrypted file transfer protocol (FTP) for updates, and the files retrieved are only verified by checksum and not with cryptographic signatures.

"For these reasons, any attacker that has control of DNS or IP routing may be able to cause a malicious firmware to be installed on a ZyXEL device," CERT/CC warned.

Proof of concept code that powers down vulnerable Zyxel devices has been published by CERT/CC.

Infosec journalist Brian Krebs reported that security researcher Alex Holden had found exploit code in cyber criminal forums for sale for US$20,000.

Holden said the vulnerability is easy to exploit. He added that is is now being added to the Emotet ransomware an actively being exploited.