CVE-2020-15336
Description
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has no authentication for /cnr requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 do not require authentication for /cnr requests, exposing the system to manipulation.
Vulnerability
Zyxel CloudCNM SecuManager versions 3.1.0 and 3.1.1 lack any authentication mechanism for HTTP requests to the /cnr endpoint. This endpoint is part of the XMPP-based communication system used for management and monitoring of security gateways. The absence of authentication means any network request to /cnr is processed without verifying the identity or authorization of the requester [1].
Exploitation
An attacker can exploit this vulnerability by sending crafted HTTP requests to any accessible /cnr endpoint on a deployed CloudCNM SecuManager instance. No authentication, prior access, or user interaction is required. The attack can be performed over the network, and if the management interface is exposed to the internet (which is often the case as there is no firewall by default [1]), it can be done remotely from the WAN. The specific sequence involves simply targeting the /cnr URL path on the affected appliance [1].
Impact
Successful exploitation allows an attacker to interact with the XMPP CNR service without restrictions. This can lead to unauthorized manipulation of the managed security gateways, potentially causing denial of service, misconfiguration, or further compromise of the network management infrastructure. The impact is high as it compromises the integrity and availability of the management system [1].
Mitigation
As of the publication date (2020-06-26), Zyxel has not released a patch or firmware update addressing this vulnerability. The affected versions are CloudCNM SecuManager 3.1.0 and 3.1.1. Users should restrict network access to the management interface, ensure it is not exposed to the internet, and implement firewall rules to limit access to trusted IP addresses only [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zyxel/CloudCNM SecuManager
- Range: 3.1.0, 3.1.1
Patches
No patches discovered yet.
References
- pierrekim.github.io/blog/2020-03-09-zyxel-secumanager-0day-vulnerabilities.html (mitre, x_refsource_MISC)
- www.zyxel.com/support/vulnerabilities-of-CloudCNM-SecuManager.shtml (mitre, x_refsource_MISC)