Zyxel has issued security advisories warning of vulnerabilities in firewalls and access points, some of them critical. Updated software that closes the vulnerabilities is available, and administrators should install it quickly.

Zyxel published a total of three security advisories on Tuesday. Together they cover nine vulnerabilities with CVE entries, one classified as Critical Risk, six as High, and one each as Medium and Low.

The critical vulnerability allows unauthenticated remote attackers to execute commands in the underlying operating system by sending maliciously crafted packets to a vulnerable device. The cause is insufficient handling of error messages (CVE-2023-28771, CVSS 9.8, risk "critical"). Affected are Zyxel ATP, USG Flex and VPN with ZLD 4.60 to 5.35; version 5.36 closes the gap. In addition, the fixed firmware ZLD 4.73 Patch 1 is available for ZyWALL/USG.

The second advisory bundles six vulnerabilities in Zyxel's firewalls and access points. Four of these relate to CGI programs on the devices that allow authenticated administrators or, in some cases, users to carry out denial-of-service attacks or execute unauthorized commands in the operating system. If IT managers have allowed access from the Internet, unauthenticated attackers could also trigger core dumps. Most of the vulnerabilities are considered high risk (CVE-2023-22913, CVSS 8.1, risk "high"; CVE-2023-22914, CVSS 7.2, high; CVE-2023-22915, CVSS 7.5, high; CVE-2023-22916, CVSS 8.1, high; CVE-2023-22917, CVSS 7.5, high; CVE-2023-22918, CVSS 6.5, medium). ZLD version 5.36 for Zyxel ATP, USG Flex, USG Flex 50(W) and USG 20(W)-VPN also closes these gaps, as do the hotfixes and firmware updates for numerous access points listed in the security advisory.

In the last advisory, Zyxel names two vulnerabilities in the firewalls that the update to ZLD 5.36 for Zyxel ATP, USG Flex, USG Flex 50(W), USG 20(W)-VPN and VPN closes. One vulnerability narrowly misses critical status: it lets attackers who are logged in from the network execute command-line commands in the firewalls' operating system, although WAN access must have been enabled beforehand (CVE-2023-27991, CVSS 8.8, high). In addition, a cross-site scripting vulnerability was found in older software versions (CVE-2023-27990, CVSS 3.5, low).

The security notifications with further details can be found here:

IT managers should download and apply the available updates quickly to reduce the potential attack surface. Most recently, Zyxel reported vulnerabilities in NAS systems last fall. Attackers could have smuggled malicious code onto the devices through critical security gaps.


(dmk)
