CVE-2020-29299

Certain Zyxel products allow command injection by an admin via an input string to chg_exp_pwd during a password-change action. This affects VPN On-premise before ZLD V4.39 week38, VPN Orchestrator before SD-OS V10.03 week32, USG before ZLD V4.39 week38, USG FLEX before ZLD V4.55 week38, ATP before ZLD V4.55 week38, and NSG before 1.33 patch 4.

CVSS v3 7.2 HIGH
CVSS v2.0 9.0 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

9.0^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:S/C:C/I:C/A:C

Exploitability : 8.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://www.zyxel.com/support/Zyxel-security-advisory-for-command-injection-vulnerability-of-firewalls.shtml	Vendor Advisory
https://www.zyxel.com/us/en/support/security_advisories.shtml	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:zyxel:vpn_orchestrator::::::::
	cpe:2.3:o:zyxel:zld::::::::

Configuration 2 (hide)

AND

cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:usg_flex:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:atp:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

OR	cpe:2.3:o:zyxel:nsg_firmware::::::::
	cpe:2.3:o:zyxel:nsg_firmware:1.33:-::::::
	cpe:2.3:o:zyxel:nsg_firmware:1.33:patch1::::::

cpe:2.3:h:zyxel:nsg:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

OR	cpe:2.3:o:zyxel:usg_flex_firmware:-:::::::*
	cpe:2.3:o:zyxel:zld::::::::

cpe:2.3:h:zyxel:usg_flex:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-12-27 06:15

Updated : 2024-02-04 21:23

NVD link : CVE-2020-29299

Mitre link : CVE-2020-29299

CVE.ORG link : CVE-2020-29299

JSON object : View

Products Affected

zyxel

usg_flex
vpn_orchestrator
nsg
nsg_firmware
zld
atp
usg_flex_firmware

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

{"id": "CVE-2020-29299", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 9.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "authentication": "SINGLE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2020-12-27T06:15:12.447", "references": [{"url": "https://www.zyxel.com/support/Zyxel-security-advisory-for-command-injection-vulnerability-of-firewalls.shtml", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.zyxel.com/us/en/support/security_advisories.shtml", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-77"}]}], "descriptions": [{"lang": "en", "value": "Certain Zyxel products allow command injection by an admin via an input string to chg_exp_pwd during a password-change action. This affects VPN On-premise before ZLD V4.39 week38, VPN Orchestrator before SD-OS V10.03 week32, USG before ZLD V4.39 week38, USG FLEX before ZLD V4.55 week38, ATP before ZLD V4.55 week38, and NSG before 1.33 patch 4."}, {"lang": "es", "value": "Determinados productos Zyxel permiten una inyecci\u00f3n de comandos por un administrador por medio de una cadena de entrada a la funci\u00f3n chg_exp_pwd durante una acci\u00f3n de cambio de contrase\u00f1a. Esto afecta a VPN local anterior a ZLD versi\u00f3n V4.39 week38, VPN Orchestrator anterior a SD-OS versi\u00f3n V10.03 week32, USG anterior a ZLD versi\u00f3n V4.39 week38, USG FLEX anterior a ZLD versi\u00f3n V4.55 week38, ATP anterior a ZLD versi\u00f3n V4.55 week38, y NSG anterior a versi\u00f3n 1.33 parche 4"}], "lastModified": "2021-01-05T14:47:22.243", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:zyxel:vpn_orchestrator:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "842065AF-8891-4E54-BAF8-372FBA530FB8", "versionEndExcluding": "10.03"}, {"criteria": "cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0EBC3085-5EF0-401A-B12E-526E631A724A", "versionEndExcluding": "4.39"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1969FFC2-E9AA-457C-9108-1625BEDD5A49", "versionEndExcluding": "4.55"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:zyxel:usg_flex:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "E4EDCC3C-8EE5-43D3-8739-34987F025DF2"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1969FFC2-E9AA-457C-9108-1625BEDD5A49", "versionEndExcluding": "4.55"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:zyxel:atp:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "788B28B2-E2EE-4D98-8862-15B121009B6E"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:zyxel:nsg_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "75EAE981-2CE9-408F-AF1E-BD2555BD4675", "versionEndExcluding": "1.33"}, {"criteria": "cpe:2.3:o:zyxel:nsg_firmware:1.33:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B05B561B-F090-494C-993D-0699CCBC5832"}, {"criteria": "cpe:2.3:o:zyxel:nsg_firmware:1.33:patch1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9574E2A0-48C8-4D56-9CC1-11114B3BEB75"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:zyxel:nsg:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "D2AD6681-F470-4692-A017-06844041B035"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:zyxel:usg_flex_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C1C5224F-DD80-4A1F-BC4D-26987AE204C8"}, {"criteria": "cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0EBC3085-5EF0-401A-B12E-526E631A724A", "versionEndExcluding": "4.39"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:zyxel:usg_flex:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "E4EDCC3C-8EE5-43D3-8739-34987F025DF2"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}