Manual Mitigation for CVE-2022-30525
Nathan Orr
Security Analyst
Threat Research
Vulnerability in Zyxel Firewalls, assigned CVE-2022-30525: Zyxel Command Injection Vulnerability.
Vulnerability Description:
An OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.
Cloud WAF customers and On-Prem customers that have the “SecureSphere Emergency Feed” (THR feeds) enabled are already protected out of the box (OOTB).
Below are manual mitigation steps to address CVE-2022-30525 (for On-Prem customers):
- Create a new manual dictionary or use an existing one.
- Create one new signature (inside the dictionary from the previous step) with the following definition:
  - Signature name: CVE-2022-30525: Zyxel Firewall OS Command Injection
  - Signature pattern: part="/ztp/cgi-bin/handler",part="command=setWanPortSt",rgxp="(?=.{0,500}mtu)(?=.{0,500}data)"
  - Protocols: http, https
  - Search Signature in: Urls And Parameters
- Create a new “HTTP Protocol Signatures” policy that uses the dictionary from step 1 and apply it.
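To make the signature's logic concrete, here is an added Python illustration (not Imperva's code, and not the actual SecureSphere/Cloud WAF evaluation engine) that reproduces the three components of the pattern above and runs them over a few constructed requests. It assumes that the two `part` values are literal, case-sensitive substrings, that all components are ANDed together, and that "Urls And Parameters" means the request URL plus its decoded parameters/body; the sample requests and their values are constructed placeholders.

```python
import re

# The three components of the page's signature pattern:
#   part="/ztp/cgi-bin/handler", part="command=setWanPortSt",
#   rgxp="(?=.{0,500}mtu)(?=.{0,500}data)"
SIGNATURE_PARTS = ("/ztp/cgi-bin/handler", "command=setWanPortSt")
# Two lookaheads: both "mtu" and "data" must occur within 500 characters of
# some common starting point. re.DOTALL lets that window span line breaks.
SIGNATURE_RGXP = re.compile(r"(?=.{0,500}mtu)(?=.{0,500}data)", re.DOTALL)


def signature_matches(url: str, parameters: str = "") -> bool:
    """Return True when every component of the signature matches.

    Assumptions (not stated on the page): `part` values are literal,
    case-sensitive substrings; all components must match (AND); and the
    search space is the URL plus the decoded parameters/body, which is how
    "Urls And Parameters" is interpreted here.
    """
    haystack = f"{url}\n{parameters}"
    if not all(part in haystack for part in SIGNATURE_PARTS):
        return False
    return SIGNATURE_RGXP.search(haystack) is not None


# Constructed sample requests: (method, URL, decoded parameters/body).
# Values are placeholders only; none carries an injection payload.
SAMPLE_REQUESTS = [
    ("POST", "/ztp/cgi-bin/handler",
     "command=setWanPortSt&mtu=1500&data=placeholder"),   # all components hit
    ("POST", "/ztp/cgi-bin/handler",
     "command=getSystemStatus"),                          # different command
    ("GET", "/cgi-bin/status.cgi",
     "command=setWanPortSt&mtu=1500&data=placeholder"),   # different handler
    ("POST", "/ztp/cgi-bin/handler",
     "command=setWanPortSt&proto=dhcp"),                  # no mtu/data tokens
]


def flagged_requests(requests=SAMPLE_REQUESTS):
    """Run the signature over a batch of requests and return matching indices."""
    return [i for i, (_, url, params) in enumerate(requests)
            if signature_matches(url, params)]


if __name__ == "__main__":
    hits = flagged_requests()
    for i, (method, url, params) in enumerate(SAMPLE_REQUESTS):
        verdict = "BLOCK" if i in hits else "pass"
        print(f"{verdict:5} {method} {url} {params}")
```

Two things worth noticing when reading the pattern this way: only the first sample request is flagged, because the `part` components narrow the match to the specific handler and command before the regular expression is consulted, and the two lookaheads require `mtu` and `data` to sit within 500 characters of a common point, so the tokens must be reasonably close to one another rather than merely present somewhere in the request. Whether the production engine's lookahead semantics are identical to Python's `re` is an assumption of this illustration.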