
Zyxel: Firewalls, Access Points, and Controllers are Vulnerable


Zyxel has issued a cybersecurity advisory alerting administrators about various vulnerabilities impacting a variety of firewall, access point, and access point controller products. 

While the flaws have not yet been assigned a high severity rating, the damage they can cause should be taken seriously, since such flaws can be chained with others by attackers. Moreover, Zyxel products are used by large enterprises, so any exploitable fault in them attracts threat actors right away.

The most serious of the four flaws is a command injection problem in various CLI commands, tracked as CVE-2022-26532 (CVSS v3.1 score 7.8). The four flaws are:

  • CVE-2022-0734: A cross-site scripting vulnerability has been discovered in the CGI, which could allow a malicious script to access information stored in the user's browser, such as cookies. 
  • CVE-2022-26531: A locally authenticated attacker could cause a system crash by exploiting several improper input validation issues in various CLI commands of some firewall, AP controller, and AP versions.
  • CVE-2022-26532: A command injection vulnerability in some firewall, AP controller, and AP versions' "packet-trace" CLI command might enable a local authorized attacker to execute arbitrary OS instructions by passing crafted parameters to the command. 
  • CVE-2022-0910: An attacker might use an IPsec VPN client to downgrade from two-factor authentication to one-factor authentication. 

While Zyxel has released software updates for firewalls and access points, the only way to get a hotfix for AP controllers affected by CVE-2022-26531 and CVE-2022-26532 is to contact the local Zyxel support teams. 
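The packet-trace flaw above is a classic instance of a CLI command splicing user-supplied parameters into an OS command. The following is an added example (not Zyxel's code; the command name, the `tcpdump` back end and the interface-naming rule are assumptions) that shows the vulnerable shell-string pattern next to the hardened form: validate every parameter against a strict allow-list and hand the program an argv list so no shell ever interprets the input.

```python
import re

# Hypothetical wrapper for a "packet-trace"-style CLI command (assumed design,
# not Zyxel's implementation). It captures a bounded number of packets on one
# interface.

def packet_trace_shell_cmd_vulnerable(iface, count):
    """Vulnerable pattern: the user value is spliced into a shell command string."""
    # Everything in IFACE is interpreted by the shell, so metacharacters in a
    # crafted parameter turn the command into something the author never meant.
    return "tcpdump -i " + iface + " -c " + str(count)


# Assumed naming rule: a letter followed by up to 15 letters, digits, '_', '.', ':' or '-'.
IFACE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.:-]{0,15}$")


def build_packet_trace_argv(iface, count):
    """Hardened form: validate each parameter and return an argv list (no shell)."""
    if not isinstance(iface, str) or not IFACE_RE.fullmatch(iface):
        raise ValueError("invalid interface name: %r" % (iface,))
    if not isinstance(count, int) or not 1 <= count <= 10000:
        raise ValueError("packet count out of range: %r" % (count,))
    # Passing a list to subprocess.run(argv) never invokes a shell, so no
    # character in IFACE can change which program runs or add a second command.
    return ["tcpdump", "-i", iface, "-c", str(count)]


def is_safe_to_run(iface, count):
    """True only when both parameters pass validation."""
    try:
        build_packet_trace_argv(iface, count)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    crafted = "wan1; extra"          # constructed value containing shell metacharacters
    print(packet_trace_shell_cmd_vulnerable(crafted, 5))   # the shell would see two commands
    print(is_safe_to_run(crafted, 5))                       # False: rejected before any exec
    print(build_packet_trace_argv("wan1", 5))               # ['tcpdump', '-i', 'wan1', '-c', '5']
```

The allow-list is deliberately tighter than the set of characters the shell treats specially; rejecting everything that is not a plausible interface name is easier to reason about than enumerating dangerous characters, and the argv form makes the validation a second line of defence rather than the only one.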

The news comes as a major command injection hole in select Zyxel firewalls (CVE-2022-30525, CVSS score: 9.8) has been actively exploited, prompting the US Cybersecurity and Infrastructure Security Agency to add the vulnerability to its Recorded Exploited Vulnerabilities Database.

PHP-CGI remote code execution vulnerability exploited to deliver Bitcoin Malware

A two-year-old PHP CGI remote code execution vulnerability (CVE-2012-1823) is being exploited to install Bitcoin-mining malware on web servers, reports Symantec.

Symantec says it has noticed a substantial increase in the number of PHP code inclusion attacks against its Managed Security Services (MSS) customers.

Only Linux web servers running the outdated PHP version are said to be vulnerable to this exploit. As of Jan. 7, more than its Security Operations Center (SOC) customers have been affected by these exploit attempts.

PHP CGI Remote code execution exploit 

Vulnerable servers are targeted with exploit code that disables the security_mode and enables other options needed for the exploit. If the server is vulnerable, the exploit then downloads a script that installs a Bitcoin miner.
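The reason CVE-2012-1823 lets a request toggle PHP options is that a CGI query string containing no unencoded `=` is handed to the CGI program as command-line arguments, so a request can pass php-cgi switches such as `-d` (override a php.ini directive). That makes exploitation attempts visible in ordinary web server access logs. The following is an added example (not from the post or from Symantec): a detector that parses Apache-style log lines, applies the no-literal-`=` rule, and flags requests whose decoded query string is a list of switches. The log lines, hosts and timestamps are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined format). The hosts,
# timestamps and paths are invented for this added example.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jan/2014:10:12:01 +0000] "POST /index.php?-d+safe_mode%3Doff HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jan/2014:10:12:02 +0000] "GET /cgi-bin/php?-s HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
198.51.100.4 - - [07/Jan/2014:10:13:45 +0000] "GET /index.php?page=home HTTP/1.1" 200 3410 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Jan/2014:10:14:10 +0000] "GET /search.php?q=-d+safe_mode HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Jan/2014:10:15:00 +0000] "GET /index.php?home HTTP/1.1" 200 3410 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)


def argv_injection_tokens(raw_query):
    """Return the argv tokens php-cgi would receive from RAW_QUERY, or [] if none.

    Per the CGI specification (RFC 3875), a query string with no unencoded '='
    is passed to the CGI program as command-line arguments; that is the
    behaviour CVE-2012-1823 abuses. A percent-encoded '=' (%3D) does not
    prevent it, so the check is made on the raw, undecoded query.
    """
    if not raw_query or "=" in raw_query:
        return []
    tokens = unquote_plus(raw_query).split()
    # Only a leading '-' token looks like an attempt to pass php-cgi switches.
    if not tokens or not tokens[0].startswith("-"):
        return []
    return tokens


def scan_log(text):
    """Return one finding per request whose query string is an argv injection."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        _, _, raw_query = m.group("target").partition("?")
        tokens = argv_injection_tokens(raw_query)
        if not tokens:
            continue
        switches = [t for t in tokens if t.startswith("-")]
        # '-d' overrides php.ini directives at startup (for instance turning
        # safe_mode off, as the post describes), so it is rated above other switches.
        severity = "high" if "-d" in switches else "medium"
        findings.append({
            "client": m.group("client"),
            "timestamp": m.group("ts"),
            "target": m.group("target"),
            "switches": switches,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"], f["client"], f["target"], f["switches"])
```

On the constructed sample, the first two lines are flagged (the first as high because of `-d`), while the third and fourth are not: both contain a literal `=`, so the server passes them as a normal query string even though the fourth carries `-d` inside a parameter value. The fifth has no `=` but no leading switch either. Flagging in logs is a detective control only; the fix the post implies is updating PHP off the outdated version (or running PHP through a non-CGI handler).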
 
"The role of Bitcoin mining in this scenario is to harness the victim's computational resources to financially benefit the perpetrators," say researchers at Symantec. "The victim systems in this situation have been wrongfully hijacked and pressed into service, which may cause slowdowns for legitimate users and resource issues for server owners."