Zyxel NAS < 5.21 / USG < 4.35 / ATP < 4.35 / VPN < 4.35 / ZyWALL < 4.35 RCE (CVE-2020-9054)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(176894);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/06/08");

  script_cve_id("CVE-2020-9054");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/04/15");

  script_name(english:"Zyxel NAS < 5.21 / USG < 4.35 / ATP < 4.35 / VPN < 4.35 / ZyWALL < 4.35 RCE (CVE-2020-9054)");

  script_set_attribute(attribute:"synopsis", value:
"The remote security gateway is affected by a remote rode execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"Firmware version of the Zyxel USG, ATP, ZyWALL or VPN is less than 4.35 or the version of Zyxel NAS is less 
than 5.21. This Zyxel device firmware is missing authentication logic which could allow an unauthenticated 
attacker to execute some OS commands remotely by sending crafted packets to an affected device.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://www.zyxel.com/global/en/support/security-advisories/update-zyxel-security-advisory-for-the-remote-code-execution-vulnerability-of-nas-and-firewall-products
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?16154637");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Zyxel USG / ATP / VPN / ZyWALL to version 4.35 or later or update Zyxel NAS to version 5.21 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-9054");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/02/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/02/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/06/07");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:zyxel:usg_flex");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Firewalls");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("zyxel_usg_web_detect.nbin", "zyxel_usg_detect.nbin");
  script_require_keys("installed_sw/Zyxel Unified Security Gateway (USG)");
  script_require_ports("Services/www", 80, 443);

  exit(0);
}

include('vcf.inc');

var app = 'Zyxel Unified Security Gateway (USG)';

var app_info = vcf::combined_get_app_info(app:app);

var model = app_info['Model'];
var constraints = [];

if(empty_or_null(model))
  audit(AUDIT_OS_CONF_UNKNOWN, 'Zyxel device');

if ('ATP' >< model || 'USG' >< model || 'VPN' >< model || 'ZyWALL' >< model)
  constraints = [{ 'fixed_version' : '4.35' }];
else if ('NAS' >< model)
  constraints = [{ 'fixed_version' : '5.21' }];
else
  audit(AUDIT_NOT_INST, 'Zyxel NAS / USG / ATP / VPN / ZyWALL Device');

vcf::check_version_and_report(
    app_info:app_info,
    constraints:constraints,
    severity:SECURITY_HOLE
);