CVE-2024-40891 Zyxel DSL CPE OS Command Injection
CVE-2024-40891 is a critical post-authentication command injection vulnerability identified in certain legacy DSL Customer Premises Equipment (CPE) devices manufactured by Zyxel. This flaw allows authenticated attackers to execute arbitrary operating system (OS) commands via the Telnet service, potentially leading to full system compromise.
What is Vulnerable to CVE-2024-40891
The vulnerability primarily affects the following Zyxel legacy DSL CPE models:
- VMG1312-B10A
- VMG1312-B10B
- VMG1312-B10E
- VMG3312-B10A
- VMG3313-B10A
- VMG3926-B10B
- VMG4325-B10A
- VMG4380-B10A
- VMG8324-B10A
- VMG8924-B10A
- SBG3300
- SBG3500
These models have reached their end-of-life (EOL) status and are no longer supported by Zyxel. It’s important to note that both Wide Area Network (WAN) access and the Telnet function are disabled by default on these devices. However, if user-configured passwords have been compromised, the vulnerability can be exploited.
Mitigation and Remediation for CVE-2024-40891
Given the EOL status of the affected devices, Zyxel will not release firmware updates to address this vulnerability. Therefore, the most effective remediation is to replace these legacy products with newer, supported models. In the meantime, users should implement the following measures:
- Disable Telnet Access: Ensure that the Telnet service is disabled to prevent exploitation via this protocol.
- Restrict Administrative Access: Configure access control lists (ACLs) to allow only trusted IP addresses to access the device’s management interface.
- Change Default Credentials: Replace all default passwords with strong, unique passwords to prevent unauthorized access.
- Disable Remote Management: If not required, disable remote management features to reduce the attack surface.
Additionally, regularly monitor Zyxel’s official channels for any updates or advisories related to security vulnerabilities.
Impact of Successful Exploitation of CVE-2024-40891
An attacker who successfully exploits this vulnerability can execute arbitrary OS commands on the affected device. This level of access allows the attacker to:
- Compromise System Integrity: Alter system configurations or firmware, potentially rendering the device inoperative.
- Exfiltrate Sensitive Data: Access and extract confidential information traversing the network.
- Launch Further Attacks: Use the compromised device as a foothold to infiltrate other devices within the network.
The severity of these impacts underscores the critical need for immediate mitigation actions.
Proof of Concept for CVE-2024-40891
Security researchers have analyzed the vulnerability and provided insights into its exploitation. The issue resides in the device’s Telnet command processing, particularly in the libcms_cli.so library’s cli_processCliCmd function. Certain commands, such as ifconfig, are passed to the prctl_runCommandInShellWithTimeout function without proper validation. This lack of filtering allows attackers to inject arbitrary commands using shell metacharacters. For example, by exploiting the tftp command with specific parameters, an attacker can execute additional commands on the device.
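Because the root cause is unfiltered shell metacharacters in arguments to the shell-backed CLI verbs named above, a defender who keeps a Telnet session audit log can flag attempts without a vendor patch. The following is an added example (not Zyxel's code or anything from the write-up): it assumes a constructed log format of timestamp, source IP, model and CLI line, and rates a hit as critical only on one of the EOL models listed on this page.

```python
import re

# Affected end-of-life models listed in the advisory above.
AFFECTED_MODELS = {
    "VMG1312-B10A", "VMG1312-B10B", "VMG1312-B10E", "VMG3312-B10A",
    "VMG3313-B10A", "VMG3926-B10B", "VMG4325-B10A", "VMG4380-B10A",
    "VMG8324-B10A", "VMG8924-B10A", "SBG3300", "SBG3500",
}

# CLI verbs the write-up says reach prctl_runCommandInShellWithTimeout.
SHELL_BACKED_VERBS = {"ifconfig", "tftp"}

# Shell metacharacters that have no place in a legitimate argument list.
METACHAR_RE = re.compile(r"[;&|`$<>(){}]")

# Constructed audit-log format (an assumption, not a Zyxel log format):
# "<timestamp> <source-ip> <model> <telnet cli line>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<model>\S+)\s+(?P<cmd>.+)$")

# Constructed sample lines; 192.0.2.x / 198.51.100.x are documentation ranges.
SAMPLE_LOG = """
2025-02-01T10:00:01Z 192.0.2.10 VMG1312-B10A ifconfig br0
2025-02-01T10:00:05Z 192.0.2.10 VMG1312-B10A tftp -g -r config.bak 192.0.2.50
2025-02-01T10:00:09Z 198.51.100.7 VMG1312-B10A tftp -g -r x 198.51.100.7;id
2025-02-01T10:00:12Z 198.51.100.7 VMG8825-T50 ifconfig br0|id
2025-02-01T10:00:15Z 192.0.2.10 VMG1312-B10A sys version
"""


def classify(line):
    """Return (severity, reason) for one Telnet CLI audit line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return ("unparsed", "line does not match the expected format")
    model, cmd = m["model"], m["cmd"]
    verb, _, args = cmd.partition(" ")
    if verb not in SHELL_BACKED_VERBS:
        return ("info", "verb is not handed to the shell")
    hit = METACHAR_RE.search(args)
    if not hit:
        return ("info", "shell-backed verb with clean arguments")
    reason = f"metacharacter {hit.group()!r} in {verb} arguments on {model}"
    # Same payload shape is only a confirmed CVE-2024-40891 attempt on an EOL model.
    return ("critical" if model in AFFECTED_MODELS else "warning", reason)


def scan(log_text):
    """Return (severity, line, reason) for every line that warrants an alert."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            sev, reason = classify(line)
            if sev in ("critical", "warning"):
                findings.append((sev, line.strip(), reason))
    return findings
```

Running `scan(SAMPLE_LOG)` returns two findings: the `tftp ... ;id` line as critical and the `ifconfig br0|id` line on the non-listed model as a warning, while the clean `ifconfig`, `tftp` and `sys` lines stay silent.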
It’s crucial for users of affected devices to implement the recommended mitigations promptly and consider upgrading to supported models to ensure network security.