CVE-2024-42057 is a recently disclosed command injection vulnerability that targets popular Zyxel firewall products, making thousands of small businesses and organizations potentially exposed to remote attacks. This post breaks down what the vulnerability is, how it works, demonstration code, and what you should do next to protect your Zyxel device.
What is CVE-2024-42057?
CVE-2024-42057 is a security bug in the IPSec VPN feature found on several Zyxel firewalls, including ATP, USG FLEX, and USG20-VPN families. The problem is a command injection vulnerability—hackers can run system (OS) commands just by sending a specially-crafted VPN login request.
Zyxel admits this in their official advisory, rating the flaw as "critical". It does not require authentication, but certain conditions must be met for an attack to be successful (see below).
Affected Zyxel Firmware
| Model Family | Vulnerable Versions |
|------------------------|---------------------------------|
| ATP Series | V4.32 through V5.38 |
| USG FLEX Series | V4.50 through V5.38 |
| USG FLEX 50(W) Series | V4.16 through V5.38 |
| USG20(W)-VPN Series | V4.16 through V5.38 |
If your device is running one of these versions and is configured with User-Based-PSK authentication, you are at risk.
How Does the Exploit Work?
The root cause is a lack of input sanitization in the username field when negotiating connections to the VPN service. If the username field is long and includes special characters, Zyxel's code may process it in a way that causes part of it to be executed as a system command.
A valid VPN user with a long username (> 28 chars) must exist (they may brute-force this).
4. The attacker crafts a VPN connection request using a specially constructed username, embedding malicious shell commands.
Result: The firewall will execute the attacker's commands with system privileges, possibly letting them plant backdoors, steal configs, or cause outages.
Proof-of-Concept Exploit (Python)
Here’s a simplified PoC illustrating the attack. (Due to the nature of the bug, this is a simulated example. In real attacks, this is sent as part of IPSec tunnel negotiation, which is trickier than a simple HTTP request.)
Suppose the vulnerable username is
aaaaaaaaaaaaaaaaaaaaaaaaaaa; id > /tmp/hacked ;#
This input is 29 ‘a’s, then ; id > /tmp/hacked ;# to run the id command and store the result. When the Zyxel system handles this input poorly, it runs the id command.
Python Pseudocode Example
import socket
# Simulated function - real attack sends ISAKMP (IPSec) packets!
def send_vpn_username(ip, username):
data = {"username": username, "password": "anything"}
# This is for illustration only.
s = socket.socket()
s.connect((ip, 500))
s.send(str(data).encode())
malicious_username = "a" * 29 + "; id > /tmp/hacked ;#"
send_vpn_username("192.168.1.1", malicious_username)
print("Payload sent! Check /tmp/hacked on the device.")
In a real-world exploit, attackers would use a VPN library or crafted IPSec packets (using scapy, for example), depending on Zyxel's protocol handling.
Links and References
- Zyxel Security Advisory (Original Source)
- CVE Details Page
- Firmware Download/Updates
- Discussion on Reddit
Pivot into your internal network for further attacks.
This is as bad as it gets for a firewall vulnerability.
How To Protect Your Device
1. Patch immediately:
Zyxel has released firmware updates. Go to their firmware update page and update to the latest version for your product line.
2. Disable User-Based-PSK if you do not need it.
3. Audit your VPN users:
Remove or change long usernames.
4. Monitor for odd files or processes:
Look for suspicious files in /tmp/, /var/ or CPU spikes.
Takeaway
CVE-2024-42057 shows us even “business-grade” firewalls can have severe security bugs. Simple things—like username length—can lead to full device compromise if the code behind the scenes isn’t careful. If you use Zyxel firewall products, patch now and review your configurations immediately.
Stay safe out there!
*This post was written as an exclusive, easy-to-understand guide to CVE-2024-42057 for IT admins, researchers, and anyone with Zyxel hardware. Please share with anyone who needs to know. Questions or feedback? Comment below!*
Timeline
Published on: 09/03/2024 02:15:04 UTC
Last modified on: 09/05/2024 14:40:39 UTC