Zyxel USG FLEX H
cpe:2.3:h:zyxel:usg_flex_100h:*:*:*:*:*:*:* (and 9 further affected product CPEs)
- >= V1.20, <= V1.31
A local privilege escalation vulnerability has been identified in the Zyxel USG FLEX H series firewalls, specifically in uOS firmware versions 1.20 through 1.31. The flaw stems from incorrect permission assignments in PostgreSQL commands, which could allow an authenticated local attacker with low privileges to obtain access to the Linux shell. From there, the attacker could escalate privileges by crafting malicious scripts or modifying system configurations with administrator-level access, using a stolen administrator token. Such configuration changes are only feasible while the administrator has not logged out and the token remains valid.
Successful exploitation therefore results in unauthorized access to the Linux shell and escalation of privileges, allowing an attacker to gain administrator-level access, modify system configurations, or execute malicious scripts with elevated rights.
Users are advised to update to Zyxel uOS V1.32, which is available for download from the Zyxel Download Library. For assistance, contact a local service representative or visit the Zyxel Community.