高危 ZyXEL NAS 操作系统命令注入漏洞
CVE编号
CVE-2020-9054利用情况
POC 已公开补丁情况
官方补丁披露时间
2020-03-05漏洞描述
多款ZyXEL产品中存在操作系统命令注入漏洞。远程攻击者可借助特制的HTTP POST或GET请求利用该漏洞执行任意代码。由于可执行文件weblogin.cgi在身份验证期间未正确过滤username参数造成的,导致攻击者可以在传递给此文件的用户名中包含某些特殊字符来触发漏洞,进而以webserver的权限实现命令注入。 以下产品及版本受到影响: 使用V5.21(AAZF.7)C0之前版本固件的NAS326; 使用V5.21(AASZ.3)C0之前版本固件的NAS520; 使用V5.21(AATB.4)C0之前版本固件的NAS540; 使用V5.21(ABAG.4)C0之前版本固件的NAS542; ZyXEL NSA210; ZyXEL NSA220; ZyXEL NSA220+; ZyXEL NSA221; ZyXEL NSA310; ZyXEL NSA310S; ZyXEL NSA320; ZyXEL NSA320S; ZyXEL NSA325; ZyXEL NSA325v2;解决建议
目前厂商已发布升级补丁以修复漏洞,补丁获取链接:https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml受影响软件情况
| # | 类型 | 厂商 | 产品 | 版本 | 影响面 | ||||
| 1 | |||||||||
|---|---|---|---|---|---|---|---|---|---|
| 运行在以下环境 | |||||||||
| 系统 | zyxel | atp100_firmware | * | From (including) 4.35 | Up to (excluding) 4.35\(abps.3\)c0 | ||||
| 运行在以下环境 | |||||||||
| 系统 | zyxel | atp200_firmware | * | From (including) 4.35 | Up to (excluding) 4.35\(abfw.3\)c0 | ||||
| 运行在以下环境 | |||||||||
| 系统 | zyxel | atp500_firmware | * | From (including) 4.35 | Up to (excluding) 4.35\(abfu.3\)c0 | ||||
| 运行在以下环境 | |||||||||
| 系统 | zyxel | atp800_firmware | * | From (including) 4.35 | Up to (excluding) 4.35\(abiq.3\)c0 | ||||
| 运行在以下环境 | |||||||||
| 系统 | zyxel | nas326_firmware | * | Up to (excluding) 5.21\(aazf.7\)c0 | |||||
| 运行在以下环境 | |||||||||
| 系统 | zyxel | nas520_firmware | * | Up to (excluding) 5.21\(aasz.3\)c0 | |||||
| 运行在以下环境 | |||||||||
| 系统 | zyxel | nas540_firmware | * | Up to (excluding) 5.21\(aatb.4\)c0 | |||||
| 运行在以下环境 | |||||||||
| 系统 | zyxel | nas542_firmware | * | Up to (excluding) 5.21\(abag.4\)c0 | |||||
| 运行在以下环境 | |||||||||
| 系统 | zyxel | usg1100_firmware | * | From (including) 4.35 | Up to (excluding) 4.35\(aapk.3\)c0 | ||||
| 运行在以下环境 | |||||||||
| 系统 | zyxel | usg110_firmware | * | From (including) 4.35 | Up to (excluding) 4.35\(aaph.3\)c0 | ||||
| 运行在以下环境 | |||||||||
| 系统 | zyxel | usg1900_firmware | * | From (including) 4.35 | Up to (excluding) 4.35\(aapl.3\)c0 | ||||
| 运行在以下环境 | |||||||||
| 系统 | zyxel | usg20-vpn_firmware | * | From (including) 4.35 | Up to (excluding) 4.35\(abaq.3\)c0 | ||||
| 运行在以下环境 | |||||||||
| 系统 | zyxel | usg20w-vpn_firmware | * | From (including) 4.35 | Up to (excluding) 4.35\(abar.3\)c0 | ||||
| 运行在以下环境 | |||||||||
| 系统 | zyxel | usg210_firmware | * | From (including) 4.35 | Up to (excluding) 4.35\(aapi.3\)c0 | ||||
| 运行在以下环境 | |||||||||
| 系统 | zyxel | usg2200_firmware | * | From (including) 4.35 | Up to (excluding) 4.35\(abae.3\)c0 | ||||
| 运行在以下环境 | |||||||||
| 系统 | zyxel | usg310_firmware | * | From (including) 4.35 | Up to (excluding) 4.35\(aapj.3\)c0 | ||||
| 运行在以下环境 | |||||||||
| 系统 | zyxel | usg40w_firmware | * | From (including) 4.35 | Up to (excluding) 4.35\(aalb.3\)c0 | ||||
| 运行在以下环境 | |||||||||
| 系统 | zyxel | usg40_firmware | * | From (including) 4.35 | Up to (excluding) 4.35\(aala.3\)c0 | ||||
| 运行在以下环境 | |||||||||
| 系统 | zyxel | usg60w_firmware | * | From (including) 4.35 | Up to (excluding) 4.35\(aakz.3\)c0 | ||||
| 运行在以下环境 | |||||||||
| 系统 | zyxel | usg60_firmware | * | From (including) 4.35 | Up to (excluding) 4.35\(aaky.3\)c0 | ||||
| 运行在以下环境 | |||||||||
| 系统 | zyxel | vpn1000_firmware | * | From (including) 4.35 | Up to (excluding) 4.35\(abip.3\)c0 | ||||
| 运行在以下环境 | |||||||||
| 系统 | zyxel | vpn100_firmware | * | From (including) 4.35 | Up to (excluding) 4.35\(abfv.3\)c0 | ||||
| 运行在以下环境 | |||||||||
| 系统 | zyxel | vpn300_firmware | * | From (including) 4.35 | Up to (excluding) 4.35\(abfc.3\)c0 | ||||
| 运行在以下环境 | |||||||||
| 系统 | zyxel | vpn50_firmware | * | From (including) 4.35 | Up to (excluding) 4.35\(abhl.3\)c0 | ||||
| 运行在以下环境 | |||||||||
| 系统 | zyxel | zywall1100_firmware | * | From (including) 4.35 | Up to (excluding) 4.35\(aaac.3\)c0 | ||||
| 运行在以下环境 | |||||||||
| 系统 | zyxel | zywall110_firmware | * | From (including) 4.35 | Up to (excluding) 4.35\(aaaa.3\)c0 | ||||
| 运行在以下环境 | |||||||||
| 系统 | zyxel | zywall310_firmware | * | From (including) 4.35 | Up to (excluding) 4.35\(aaab.3\)c0 | ||||
| 运行在以下环境 | |||||||||
| 硬件 | zyxel | atp100 | - | - | |||||
| 运行在以下环境 | |||||||||
| 硬件 | zyxel | atp200 | - | - | |||||
| 运行在以下环境 | |||||||||
| 硬件 | zyxel | atp500 | - | - | |||||
| 运行在以下环境 | |||||||||
| 硬件 | zyxel | atp800 | - | - | |||||
| 运行在以下环境 | |||||||||
| 硬件 | zyxel | nas326 | - | - | |||||
| 运行在以下环境 | |||||||||
| 硬件 | zyxel | nas520 | - | - | |||||
| 运行在以下环境 | |||||||||
| 硬件 | zyxel | nas540 | - | - | |||||
| 运行在以下环境 | |||||||||
| 硬件 | zyxel | nas542 | - | - | |||||
| 运行在以下环境 | |||||||||
| 硬件 | zyxel | usg110 | - | - | |||||
| 运行在以下环境 | |||||||||
| 硬件 | zyxel | usg1100 | - | - | |||||
| 运行在以下环境 | |||||||||
| 硬件 | zyxel | usg1900 | - | - | |||||
| 运行在以下环境 | |||||||||
| 硬件 | zyxel | usg20-vpn | - | - | |||||
| 运行在以下环境 | |||||||||
| 硬件 | zyxel | usg20w-vpn | - | - | |||||
| 运行在以下环境 | |||||||||
| 硬件 | zyxel | usg210 | - | - | |||||
| 运行在以下环境 | |||||||||
| 硬件 | zyxel | usg2200 | - | - | |||||
| 运行在以下环境 | |||||||||
| 硬件 | zyxel | usg310 | - | - | |||||
| 运行在以下环境 | |||||||||
| 硬件 | zyxel | usg40 | - | - | |||||
| 运行在以下环境 | |||||||||
| 硬件 | zyxel | usg40w | - | - | |||||
| 运行在以下环境 | |||||||||
| 硬件 | zyxel | usg60 | - | - | |||||
| 运行在以下环境 | |||||||||
| 硬件 | zyxel | usg60w | - | - | |||||
| 运行在以下环境 | |||||||||
| 硬件 | zyxel | vpn100 | - | - | |||||
| 运行在以下环境 | |||||||||
| 硬件 | zyxel | vpn1000 | - | - | |||||
| 运行在以下环境 | |||||||||
| 硬件 | zyxel | vpn300 | - | - | |||||
| 运行在以下环境 | |||||||||
| 硬件 | zyxel | vpn50 | - | - | |||||
| 运行在以下环境 | |||||||||
| 硬件 | zyxel | zywall110 | - | - | |||||
| 运行在以下环境 | |||||||||
| 硬件 | zyxel | zywall1100 | - | - | |||||
| 运行在以下环境 | |||||||||
| 硬件 | zyxel | zywall310 | - | - | |||||
- 攻击路径 远程
- 攻击复杂度 容易
- 权限要求 无需权限
- 影响范围 全局影响
- EXP成熟度 POC 已公开
- 补丁情况 官方补丁
- 数据保密性 数据泄露
- 数据完整性 无影响
- 服务器危害 服务器失陷
- 全网数量 N/A
| CWE-ID | 漏洞类型 |
| CWE-78 | OS命令中使用的特殊元素转义处理不恰当(OS命令注入) |
Exp相关链接
- avd.aliyun.com
版权声明
本站原创文章转载请注明文章出处及链接,谢谢合作!
评论