Zyxel, a prominent provider of networking solutions, has released patches for a critical vulnerability in its firewall products that attackers could exploit for remote code execution.

This vulnerability, identified as CVE-2023-28771, has been assigned a CVSS score of 9.8, indicating a critical severity level. The flaw was discovered and reported by researchers at TRAPA Security.

Zyxel’s advisory, published on April 25, 2023, states that improper error-message handling in certain firewall versions allows an unauthenticated attacker to execute operating system commands remotely by sending specially crafted packets to an affected device.

The affected products and firmware versions are: the ATP series (ZLD V4.60 to V5.35, fixed in ZLD V5.36), USG FLEX (ZLD V4.60 to V5.35, fixed in ZLD V5.36), VPN devices (ZLD V4.60 to V5.35, fixed in ZLD V5.36), and ZyWALL and USG models (ZLD V4.60 to V4.73, fixed in ZLD V4.73 Patch 1).
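To turn those version ranges into an inventory check, here is an added Python example (not code from Zyxel or the advisory) that parses ZLD version strings, including the "Patch N" suffix, and reports whether a device sits inside the CVE-2023-28771 affected range for its product family. The family keys and the sample inventory records are constructed for this example.

```python
import re
from typing import Optional, Tuple

# (first affected, first fixed) per product family, as (major, minor, patch) tuples,
# taken from the version ranges in the advisory summary above. Family keys are
# labels chosen for this example, not identifiers from Zyxel.
AFFECTED = {
    "ATP":      ((4, 60, 0), (5, 36, 0)),
    "USG FLEX": ((4, 60, 0), (5, 36, 0)),
    "VPN":      ((4, 60, 0), (5, 36, 0)),
    "ZyWALL":   ((4, 60, 0), (4, 73, 1)),   # fixed in ZLD V4.73 Patch 1
    "USG":      ((4, 60, 0), (4, 73, 1)),
}

_VERSION_RE = re.compile(r"^(?:ZLD\s*)?V?(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?$", re.IGNORECASE)


def parse_zld_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'ZLD V5.35' or 'V4.73 Patch 1' into (major, minor, patch); None if unparsable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(family: str, version_text: str) -> Optional[bool]:
    """True inside the affected range, False if below it or patched, None if undecidable."""
    rng = AFFECTED.get(family)
    version = parse_zld_version(version_text)
    if rng is None or version is None:
        return None  # unknown family or unreadable version: flag for manual review
    first_affected, first_fixed = rng
    # Tuple comparison orders by major, then minor, then patch level, so
    # (4, 73, 0) sorts below the fixed build (4, 73, 1) and is still affected.
    return first_affected <= version < first_fixed


def scan_inventory(lines) -> dict:
    """Classify 'hostname,family,version' records as 'affected', 'ok' or 'review'."""
    result = {}
    for line in lines:
        host, family, version = (part.strip() for part in line.split(",", 2))
        verdict = is_affected(family, version)
        result[host] = "review" if verdict is None else ("affected" if verdict else "ok")
    return result


# Constructed sample inventory for demonstration; not real devices.
SAMPLE_INVENTORY = [
    "fw-edge-1,ATP,ZLD V5.35",
    "fw-edge-2,USG FLEX,ZLD V5.36",
    "fw-branch,ZyWALL,ZLD V4.73",
    "fw-branch-2,USG,ZLD V4.73 Patch 1",
    "fw-lab,ATP,unknown",
]
```

Records that cannot be parsed are reported as "review" rather than silently treated as patched, so an inventory export with odd version strings never hides an exposed device.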

Zyxel has also fixed a second critical flaw, a post-authentication command injection vulnerability in certain firewall versions (CVE-2023-27991, CVSS score: 8.8). It allows an authenticated attacker to execute operating system commands remotely and affects devices in the ATP, USG FLEX, USG FLEX 50(W) / USG20(W)-VPN, and VPN lines, all of which were likewise fixed in the ZLD V5.36 update.

Furthermore, Zyxel has released fixes for five other high-severity vulnerabilities and one medium-severity issue affecting multiple firewall and access point (AP) devices (CVE-2023-22913 to CVE-2023-22918). These flaws could lead to code execution and denial-of-service (DoS) conditions.

The research and reporting of these vulnerabilities have been attributed to Nikita Abramov from Positive Technologies, who has also previously uncovered critical issues in various Zyxel devices, including command injection and buffer overflow vulnerabilities.

Among those earlier findings, the most severe is CVE-2022-43389 (CVSS score: 9.8), a buffer overflow vulnerability affecting 5G NR/4G LTE CPE devices. It is particularly concerning because exploitation requires no authentication and yields arbitrary code execution, which could give an attacker full control over the device.

The implications of these vulnerabilities underscore the critical need for businesses to remain vigilant and proactive regarding cybersecurity. Zyxel’s recent disclosure serves as a reminder of the ever-evolving threat landscape, where vulnerabilities can expose devices to extensive risks. Implementing timely security updates and monitoring systems for potential intrusions are vital strategies in mitigating the associated risks.
