Severity of code execution bug mitigated by ‘high uptake’ of previous patch.
Zyxel has released patches for several of its firewall products following the discovery of two security vulnerabilities that left business networks open to exploitation.
First on the list is CVE-2022-2030, an authenticated directory traversal vulnerability in the Common Gateway Interface (CGI) programs of some Zyxel firewalls. It was caused by specific character sequences in a URL that was not properly sanitized.
The second flaw, CVE-2022-30526, is a local privilege escalation (LPE) vulnerability that was identified in the command-line interface (CLI) of some firewall versions.
Left unpatched, the flaw could allow a local attacker to execute some OS commands with root privileges in some directories on a vulnerable device.
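The traversal flaw above is described only as "specific character sequences within an improperly sanitized URL", which is the classic shape of a CGI path-handling bug. As an added example (not code from Zyxel, Rapid7 or HN Security, and not derived from the advisory), the block below contrasts a weak resolver that string-joins a URL path onto a document root with a hardened one that decodes once, normalises the path itself and proves the result stays inside the root. The document root and the sample URL paths are constructed for the demonstration.

```python
"""
Added example: resolving a user-supplied CGI path without letting traversal
sequences escape the document root.  Not vendor code; DOC_ROOT is a
hypothetical directory chosen for the demonstration.
"""
import os
from pathlib import Path, PurePosixPath
from urllib.parse import unquote

# Hypothetical document root (an assumption, not a path from the advisory).
DOC_ROOT = Path("/var/www/cgi-data")


def naive_resolve(doc_root: Path, url_path: str) -> Path:
    """Weak pattern: trust the URL path and string-join it onto the root.

    Only a leading '..' in the raw string is rejected, so percent-encoded or
    embedded '..' components pass straight through to the filesystem."""
    if url_path.startswith(".."):
        raise ValueError("rejected")
    return Path(str(doc_root) + "/" + url_path)


def safe_resolve(doc_root: Path, url_path: str) -> Path:
    """Hardened pattern: decode once, reject ambiguous input, normalise the
    components ourselves, then check containment on the normalised result."""
    decoded = unquote(url_path)
    # A second decode that changes the string means the input was
    # double-encoded (e.g. %252e); refuse rather than guess the intent.
    if unquote(decoded) != decoded:
        raise ValueError("double-encoded path rejected")
    if "\x00" in decoded:
        raise ValueError("NUL byte rejected")

    # PurePosixPath does not collapse '..', so walk the components explicitly:
    # '..' may only pop a component that the same request pushed.
    parts = []
    for part in PurePosixPath(decoded).parts:
        if part in ("", ".", "/"):
            continue
        if part == "..":
            if not parts:
                raise ValueError("traversal above document root rejected")
            parts.pop()
        else:
            parts.append(part)

    candidate = doc_root.joinpath(*parts)
    # Belt-and-braces lexical containment check on the normalised path.
    try:
        candidate.relative_to(doc_root)
    except ValueError:
        raise ValueError("path escapes document root")
    return candidate


def escapes_root(doc_root: Path, candidate: Path) -> bool:
    """True when the lexically normalised candidate lies outside doc_root.

    Used here to show what the naive resolver would actually have opened."""
    normalised = os.path.normpath(str(candidate))
    return os.path.commonpath([str(doc_root), normalised]) != str(doc_root)


def is_rejected(url_path: str) -> bool:
    """Convenience wrapper: does the hardened resolver refuse this path?"""
    try:
        safe_resolve(DOC_ROOT, url_path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate paths and three traversal forms.
    samples = [
        "reports/q1.txt",
        "reports/../status.html",
        "reports/../../outside.txt",
        "%2e%2e/%2e%2e/outside.txt",
        "%252e%252e/outside.txt",
    ]
    for s in samples:
        try:
            naive = naive_resolve(DOC_ROOT, s)
            naive_note = "ESCAPES ROOT" if escapes_root(DOC_ROOT, naive) else "inside root"
        except ValueError:
            naive_note = "rejected"
        hardened = "rejected" if is_rejected(s) else str(safe_resolve(DOC_ROOT, s))
        print(f"{s!r:32} naive: {naive_note:13} hardened: {hardened}")
```

The naive resolver lets `reports/../../outside.txt` through because the string does not start with `..`, and the filesystem then resolves it to a file outside the root; the hardened resolver rejects it, the percent-encoded form, and the double-encoded form, while still allowing an in-root `..` such as `reports/../status.html`. On a real system the containment check should additionally be done after resolving symlinks (`Path.resolve()`), which this offline example omits so that it runs without the directory existing.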
Breaking the chain
The privilege escalation issue impacting Zyxel firewalls was discovered by security researchers from Rapid7. The vulnerability allows a low privileged user, such as nobody, to escalate to root on affected firewalls.
As explained in a technical blog post from Rapid7 on July 19, an attacker could establish shell access on the firewall by exploiting CVE-2022-30525 – a separate bug that was discovered by the same researchers and fixed by Zyxel earlier this year.
Fortunately, the severity of this latest vulnerability has been mitigated by strong uptake of the previous fix.
Jake Baines, lead security researcher at Rapid7, told Daily Swig: “CVE-2022-30526 is useless unless you are able to chain it with a vulnerability like CVE-2022-30525.”
He added: “We are happy to report that we’ve seen very high uptake on the patch for CVE-2022-30525, so Zyxel’s patch for CVE-2022-30526 is almost purely a defensive measure – at least until another remote code execution vulnerability is found in their firewalls. Then the patch will have paid off.”
The path traversal issue was discovered by Italian security researcher Maurizio Agazzini of HN Security.
“We agree with Zyxel to release further details of the vulnerability around mid-August in order to allow their customers to have the time to patch all systems,” Agazzini told us.
The latest vulnerabilities affect various versions of several Zyxel firewalls, including USG Flex, ATP Series, VPN Series, and USG ZyWall.
The table below lists the vulnerable versions of each product line:
Firmware patches are now available. “Users are advised to install them for optimal protection,” Zyxel said.
Full details can be found in an accompanying security advisory.