External risk intelligence

Zyxel Router Command Injection Vulnerability.

CVE advisory · Known Exploit

CVE-2017-18368

Certain ZyXEL and Billion routers have a command injection vulnerability in their log forwarding function, allowing unauthenticated users to run arbitrary commands. This could lead to unauthorized control of network devices, data compromise, and service disruption. The business risk is significant due to potential unau

Halo Surface Signal: 5

OS Command Injection

Affected product: Billion 5200w T firmware

Affected versions: 7.3.8.0 to 7.3.15.0

External exposure likelihood

Halo Surface Signal score for CVE-2017-18368

The affected product is a residential/SOHO router, which is designed to serve as the internet edge gateway and is typically exposed directly to the public internet for management and network routing functions.

Horizon Alert

Summary of the vulnerability and why it matters

Certain ZyXEL and Billion routers possess a command injection vulnerability within their remote system log forwarding feature. This flaw allows unauthenticated users to execute arbitrary commands on the affected devices. The primary business impact is the potential for attackers to gain unauthorized control over network devices, leading to data compromise and disruption of services.

  • Vulnerable routers
  • Unauthenticated command execution
  • Compromised network devices

Attack Path

How an attacker could exploit the issue

An unauthenticated user can exploit a command injection vulnerability in the remote system log forwarding function of the affected router. This is achieved through the `remote_host` parameter on the `ViewLog.asp` page. Successful exploitation allows an attacker to execute arbitrary commands on the affected system.

  • Log forwarding function exposed externally.
  • Attacker sends crafted host parameter.
  • Attacker gains control of system.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows unauthenticated attackers to inject commands into affected routers. Exploitation could lead to unauthorized control over the device, potentially enabling further network compromise or disruption. The business risk is high due to the ease of exploitation and the critical impact on affected systems and data.

  • Attacker skill level: Low
  • Required access or conditions: Network access
  • Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability allows an unauthenticated user to execute commands on affected devices. Organizations should prioritize identifying and mitigating this risk to prevent potential unauthorized access and system compromise. Immediate action is recommended due to the potential for exploitation.

  • Find affected assets.
  • Reduce exposure or isolate risk.
  • Fix, verify, and monitor.
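As an added example (not code from this advisory or from the vendor), the monitoring part of "fix, verify, and monitor": a small Python check that scans web-server access log lines for requests to `ViewLog.asp` whose `remote_host` value is not a plain IPv4 address or hostname, which is the only shape a legitimate syslog target should have. The log format, the request path and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Allow-list for a legitimate remote syslog target: a dotted-quad IPv4
# address or an RFC 1123 hostname. Shell metacharacters, quotes and
# whitespace cannot appear in either, so anything else is flagged.
_IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)

# Request line as written by Apache/nginx combined log format (assumption).
_REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_valid_log_target(value: str) -> bool:
    """True only for values that look like an IPv4 address or a hostname."""
    return bool(_IPV4.match(value) or _HOSTNAME.match(value))


def suspicious_viewlog_requests(log_lines):
    """Return (line, decoded remote_host) for every request to ViewLog.asp
    whose remote_host parameter fails the allow-list check."""
    hits = []
    for line in log_lines:
        m = _REQ.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.lower().endswith("viewlog.asp"):
            continue
        # parse_qs percent-decodes the value, so "%3B" is seen as ";".
        for value in parse_qs(parts.query, keep_blank_values=True).get("remote_host", []):
            if not is_valid_log_target(value):
                hits.append((line, value))
    return hits


# Constructed sample lines: two benign log-forwarding requests, one with a
# metacharacter in remote_host, and one unrelated request.
SAMPLE_LOG = [
    '192.0.2.7 - - [10/Oct/2023:13:55:36 +0000] "GET /ViewLog.asp?remote_host=10.0.0.5 HTTP/1.1" 200 512',
    '192.0.2.7 - - [10/Oct/2023:13:55:40 +0000] "GET /ViewLog.asp?remote_host=syslog.corp.example HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /ViewLog.asp?remote_host=10.0.0.5%3Bcmd HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Oct/2023:13:56:05 +0000] "GET /index.asp HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for line, value in suspicious_viewlog_requests(SAMPLE_LOG):
        print(f"suspicious remote_host={value!r}: {line}")
```

Only parameters carried in the request URI appear in an access log; if the form is submitted in a request body, run the same allow-list check at a reverse proxy or WAF that logs bodies.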

Frequently asked questions

What kind of device is the ZyXEL P660HN-T1A v1 router?

The ZyXEL P660HN-T1A v1 is a router that was distributed by TrueOnline. Routers act as gateways between networks, directing internet traffic and often providing Wi-Fi connectivity for homes and small offices.

What is CVE-2017-18368 and what type of weakness does it represent?

CVE-2017-18368 is a command injection vulnerability. This means an attacker can trick the software into running unintended commands, similar to tricking a computer into executing a malicious program. In this case, it affects the remote system log forwarding function.

How can an attacker exploit the vulnerability in CVE-2017-18368?

An attacker can exploit this vulnerability by sending specially crafted input to the `remote_host` parameter on the `ViewLog.asp` page. Note that the flaw is only triggered when the log forwarding function is actually invoked with a maliciously crafted value for that parameter; ordinary use of the page with a valid host value does not trigger it.

Who should be concerned about this vulnerability, considering its exposure?

Anyone running the affected ZyXEL or Billion router models should be concerned. Since these devices are often at the edge of a network and exposed to the internet for management, this vulnerability is considered very likely to be accessible externally.

What is the first step for responding to this threat?

The initial step is to identify if you have any of the affected router models within your network. Once identified, you should take steps to reduce their exposure or isolate them from the internet until a fix can be applied or the device can be replaced.
