CVE-2024-42057
📋 TL;DR
This CVE describes a command injection vulnerability in Zyxel firewall devices that allows unauthenticated attackers to execute operating system commands. The vulnerability affects multiple Zyxel firewall series when configured with User-Based-PSK authentication and specific username conditions. Attackers can exploit this to gain unauthorized access and control over affected devices.
💻 Affected Systems
- Zyxel ATP series
- Zyxel USG FLEX series
- Zyxel USG FLEX 50(W) series
- Zyxel USG20(W)-VPN series
📦 What is this software?
Zld by Zyxel
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise leading to network infiltration, data exfiltration, and use as a pivot point for further attacks.
Likely Case
Unauthorized command execution allowing configuration changes, credential harvesting, or installation of persistence mechanisms.
If Mitigated
Limited impact due to specific configuration requirements and proper network segmentation.
🎯 Exploit Status
Exploitation requires specific configuration conditions but is straightforward once those conditions are met.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after V5.38
Vendor Advisory: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-09-03-2024
Restart Required: Yes
Instructions:
1. Download the latest firmware from the Zyxel support portal.
2. Back up the current configuration.
3. Upload and install the firmware update via the web interface or CLI.
4. Reboot the device.
5. Verify the firmware version.
🔧 Temporary Workarounds
Disable User-Based-PSK Authentication
Switch to alternative authentication methods that don't trigger the vulnerability.
Username Length Restriction
Ensure no usernames exceed 28 characters in User-Based-PSK configurations.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected devices
- Deploy network-based IPS/IDS rules to detect and block exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check firmware version via web interface (System > Maintenance > Firmware) or CLI command 'show version'. Verify if User-Based-PSK is enabled and if any usernames exceed 28 characters.
Check Version:
show version
Verify Fix Applied:
Confirm firmware version is above V5.38 and test with crafted usernames to ensure no command execution occurs.
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication attempts with long usernames
- Unexpected command execution in system logs
- Failed login attempts with crafted usernames
Network Indicators:
- Traffic patterns indicating command injection attempts
- Unusual outbound connections from firewall devices
SIEM Query:
source="zyxel_firewall" AND (username_length>28 OR "command injection" OR "os command")
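The two checks above (log indicator: User-Based-PSK authentication events with usernames over 28 characters; verification: firmware version after V5.38) as a small added script. This is example code written for this page, not a Zyxel tool; the log field layout (`src=`, `method=user-psk`, `user="..."`) and the sample lines are constructed assumptions, so adapt the regex to the real log export before use.

```python
import re

# Threshold from the workaround section: usernames longer than this are the risky case.
MAX_SAFE_USERNAME_LEN = 28
# Fix section: "Versions after V5.38" are patched.
FIXED_AFTER_VERSION = (5, 38)

# Constructed sample log lines (field layout is an assumption, not Zyxel's real format).
SAMPLE_LOGS = [
    'ts=2024-09-03T10:00:01 src=192.0.2.10 event=ipsec-auth method=user-psk user="alice" result=ok',
    'ts=2024-09-03T10:00:07 src=198.51.100.5 event=ipsec-auth method=user-psk user="a' + 'x' * 40 + '" result=fail',
    'ts=2024-09-03T10:00:09 src=203.0.113.9 event=ipsec-auth method=user-psk user="bob" result=fail',
    'ts=2024-09-03T10:00:12 src=192.0.2.77 event=ipsec-auth method=cert user="' + 'y' * 35 + '" result=ok',
]

LINE_RE = re.compile(r'src=(?P<src>\S+).*?method=(?P<method>\S+).*?user="(?P<user>[^"]*)"')


def parse_line(line):
    """Extract source, auth method and username from one log line; None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def flag_long_usernames(lines, limit=MAX_SAFE_USERNAME_LEN):
    """Return (src, username_length) for User-Based-PSK events whose username exceeds limit.
    Other auth methods are ignored since the advisory ties the issue to User-Based-PSK."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec['method'] == 'user-psk' and len(rec['user']) > limit:
            hits.append((rec['src'], len(rec['user'])))
    return hits


def is_fixed_version(version_str):
    """True when a firmware string such as 'V5.39' sorts after V5.38."""
    m = re.match(r'V?(\d+)\.(\d+)', version_str.strip())
    if not m:
        raise ValueError('unrecognised firmware version: %r' % version_str)
    return (int(m.group(1)), int(m.group(2))) > FIXED_AFTER_VERSION


if __name__ == '__main__':
    for src, length in flag_long_usernames(SAMPLE_LOGS):
        print('review: User-Based-PSK auth from %s with %d-char username' % (src, length))
    for v in ('V5.38', 'V5.39'):
        print('%s patched: %s' % (v, is_fixed_version(v)))
```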