CVE-2020-29390

9.8 CRITICAL

📋 TL;DR

CVE-2020-29390 is a critical command injection vulnerability in Zeroshell 3.9.3 that allows unauthenticated attackers to execute arbitrary system commands via shell metacharacters in the StartSessionSubmit parameter. This affects all systems running the vulnerable Zeroshell version, particularly those exposed to untrusted networks.

💻 Affected Systems

Products:
  • Zeroshell
Versions: 3.9.3
Operating Systems: Linux-based Zeroshell distribution
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of Zeroshell 3.9.3 are vulnerable by default. The vulnerable endpoint /cgi-bin/kerbynet is accessible without authentication.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing an attacker to execute arbitrary commands as root, install persistent backdoors, pivot to internal networks, and exfiltrate sensitive data.

🟠 Likely Case

Remote code execution leading to system takeover, installation of cryptocurrency miners or ransomware, and credential harvesting from the compromised router.

🟢 If Mitigated

Limited impact if the system is isolated behind strict network controls, but still vulnerable to internal threats.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication and has public exploit details available.
🏢 Internal Only: HIGH - Even internally, the vulnerability allows unauthenticated attackers to compromise the router and pivot to other systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward using shell metacharacters and %0a (newline) characters. Public blog posts demonstrate working exploits.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 3.9.3

Vendor Advisory: Not available - Zeroshell is open source with limited formal vendor support

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Download the latest Zeroshell version from the official website.
3. Perform a fresh installation or upgrade following the Zeroshell documentation.
4. Restore the configuration from the backup.
5. Restart the system.

🔧 Temporary Workarounds

Network Access Control

Restrict access to the Zeroshell web interface using firewall rules (replace TRUSTED_IP with the management host or network that should keep access; the ACCEPT rule must precede the DROP rule):

iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP

Web Server Configuration

Add input validation or disable the vulnerable endpoint:

# Modify /etc/lighttpd/lighttpd.conf to add request filtering
# or disable the /cgi-bin/kerbynet endpoint

🧯 If You Can't Patch

  • Isolate Zeroshell system in separate VLAN with strict firewall rules allowing only necessary traffic
  • Implement network-based intrusion detection to monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check whether the Zeroshell version is 3.9.3 via the web interface or the command line. Test by sending a crafted request to /cgi-bin/kerbynet with a StartSessionSubmit parameter containing shell metacharacters.

Check Version:

cat /etc/zeroshell/version, or check the web interface dashboard

Verify Fix Applied:

Verify that the Zeroshell version has been updated beyond 3.9.3. A test exploitation attempt should then fail with a proper input validation error.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /cgi-bin/kerbynet with shell metacharacters
  • System commands executed from web server process
  • Failed authentication attempts followed by successful command execution

Network Indicators:

  • HTTP requests containing %0a or shell metacharacters in parameters
  • Unexpected outbound connections from Zeroshell system

SIEM Query:

source="web_logs" AND uri="/cgi-bin/kerbynet" AND (param="*%0a*" OR param="*;*" OR param="*|*" OR param="*`*")
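The SIEM query above matches on the raw parameter string, so it misses values that were percent-encoded twice. The following Python script is an added example for this page, not code from Zeroshell or any SIEM vendor: it scans web-server access log lines for requests whose path is /cgi-bin/kerbynet and whose query parameters decode to a string containing %0a (newline), ;, | or `, and it decodes a second time to catch double encoding. The log lines are constructed for illustration, and the assumption that the StartSessionSubmit parameter travels in the query string is an assumption of the example, not something the page confirms.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Path of the vulnerable CGI endpoint named on the page.
VULN_PATH = "/cgi-bin/kerbynet"

# Metacharacters from the page's SIEM query: newline (%0a), ';', '|' and backtick.
# Extend this set if your environment should also flag '&', '$' or '(' ')'.
SHELL_METACHARS = frozenset("\n;|`")

# Request line inside a combined-format access log entry, e.g. "GET /path?x=y HTTP/1.1".
REQUEST_LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# Constructed sample log lines (not from a real deployment). Only 10.0.0.9 sends
# metacharacters; the third of its requests uses double percent-encoding (%250a).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "GET /cgi-bin/kerbynet?Action=StartSessionSubmit&User=alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2021:10:00:03 +0000] "GET /cgi-bin/kerbynet?StartSessionSubmit=a%0ab HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2021:10:00:05 +0000] "POST /cgi-bin/kerbynet?StartSessionSubmit=a%3Bb HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2021:10:00:07 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2021:10:00:09 +0000] "GET /cgi-bin/kerbynet?StartSessionSubmit=a%250ab HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2021:10:00:11 +0000] "GET /cgi-bin/kerbynet?StartSessionSubmit=plain HTTP/1.1" 200 512',
]


def suspicious_params(target):
    """Yield (name, decoded_value, metachars) for query parameters that contain shell metacharacters.

    parse_qs percent-decodes once; a second unquote() pass catches double-encoded
    payloads such as %250a, which the raw-string SIEM query would not match.
    """
    query = urlsplit(target).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            for layer in (value, unquote(value)):
                hits = sorted(SHELL_METACHARS & set(layer))
                if hits:
                    yield name, layer, hits
                    break  # report each value once, at the first decoding layer that matches


def scan_log(lines):
    """Return a list of findings for requests to VULN_PATH carrying shell metacharacters."""
    findings = []
    for line in lines:
        match = REQUEST_LINE_RE.search(line)
        if not match:
            continue  # not a request line we understand
        target = match.group("target")
        if urlsplit(target).path != VULN_PATH:
            continue  # only the vulnerable endpoint is of interest
        client = line.split(" ", 1)[0]  # first field of combined log format is the client IP
        for name, value, hits in suspicious_params(target):
            findings.append({
                "client": client,
                "method": match.group("method"),
                "param": name,
                "value": value,
                "metachars": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG_LINES):
        print(f"{finding['client']} {finding['method']} param={finding['param']} "
              f"metachars={[repr(c) for c in finding['metachars']]}")
```

Access logs normally record only the request line, so this catches metacharacters in the query string; for POST bodies (the page's first log indicator) you need a log source that retains request bodies, such as a reverse proxy or IDS in front of the appliance. Benign clients sending metacharacters to this endpoint are unlikely, so a single hit from a source is worth an alert rather than a threshold.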
