CVE-2020-15334
Description
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 allows escape-sequence injection into the /var/log/axxmpp.log file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Zyxel CloudCNM SecuManager 3.1.0/3.1.1 logs attacker-controlled data to /var/log/axxmpp.log without sanitization, enabling escape-sequence injection.
Vulnerability
Zyxel CloudCNM SecuManager versions 3.1.0 and 3.1.1 contain an escape-sequence injection vulnerability in the file /var/log/axxmpp.log. The xmppCnrSender.py script logs input from the XMPP connection manager without proper sanitization, allowing an attacker to inject ANSI escape sequences into the log file [1].
Exploitation
An attacker with network access to the SecuManager's management interface can send crafted XMPP messages containing escape sequences. These sequences are then written verbatim to the log file. No authentication is required for this injection, as the XMPP channel is accessible without credentials by default [1].
Impact
When an administrator views the log file (e.g., via cat, less, or a log viewer that interprets escape sequences), the injected sequences can execute arbitrary terminal commands, potentially leading to information disclosure or further compromise of the admin's session. The impact depends on the terminal emulator and viewer software used [1].
Mitigation
Zyxel has not released a patch for this vulnerability as of the publication date (2020-06-26). The product may be end-of-life; users should restrict network access to the SecuManager and avoid viewing logs with terminal emulators that interpret escape sequences [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
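An added example, not part of the original advisory or of Zyxel's code: a Python sketch of the two defensive checks that the Impact and Mitigation text implies, escaping control characters before a value is written to a log and scanning an existing log for raw control bytes without sending them to the terminal. The function names and the sample log lines are assumptions constructed for illustration; the real format of /var/log/axxmpp.log is not shown on this page.

```python
import re

# Characters a terminal may act on: C0 controls except TAB, DEL, and C1 controls.
# ESC (0x1b) starts ANSI sequences; CR/LF are included so one value stays on one line.
_CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f-\x9f]")


def neutralize(value: str) -> str:
    """Replace each control character with a visible \\xNN form.

    Intended for untrusted fields (for example, data received over XMPP)
    before they are passed to a logger.
    """
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def scan_log(raw: bytes):
    """Return [(line_number, safe_text)] for lines holding raw control bytes.

    safe_text is already neutralized, so printing it cannot drive the terminal.
    """
    hits = []
    for lineno, line in enumerate(raw.split(b"\n"), start=1):
        text = line.decode("utf-8", errors="replace")
        if _CONTROL.search(text):
            hits.append((lineno, neutralize(text)))
    return hits


# Constructed sample data (not real axxmpp.log content). Line 2 carries an
# ANSI colour sequence to stand in for attacker-supplied escape codes.
SAMPLE_LOG = (
    b"2020-03-09 10:00:01 INFO received stanza from device-01\n"
    b"2020-03-09 10:00:02 INFO received stanza from \x1b[31mdevice-02\n"
    b"2020-03-09 10:00:03 INFO session closed\n"
)

if __name__ == "__main__":
    for lineno, safe in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {safe}")
```

To review a real file, read it in binary mode and pass the bytes to scan_log instead of opening the log with cat or less -R.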
Affected products
- Zyxel/CloudCNM SecuManager
- Range: 3.1.0, 3.1.1
Patches
No patches discovered yet.
References
- pierrekim.github.io/blog/2020-03-09-zyxel-secumanager-0day-vulnerabilities.html (mitre, x_refsource_MISC)
- www.zyxel.com/support/vulnerabilities-of-CloudCNM-SecuManager.shtml (mitre, x_refsource_MISC)