Zyxel Releases Patches for Multiple Vulnerabilities Affecting Firewalls and Access Points

Summary

Zyxel has addressed multiple vulnerabilities in their firewalls and access points, including issues such as improper input validation, cross-site scripting, buffer overflow, and improper privilege management. These vulnerabilities could lead to unauthorized access, execution of malicious scripts, denial-of-service attacks, and manipulation of system files. Zyxel has released patches for the affected versions, and users are strongly advised to install these patches for optimal protection. Detailed information regarding the vulnerable versions and patch availability can be found in the provided tables. Users can also seek assistance or further information from Zyxel’s support team or community.

Key Takeaways

  • Zyxel has identified and addressed vulnerabilities in firewalls and access points.
  • Vulnerabilities include improper input validation, cross-site scripting, buffer overflow, and improper privilege management.
  • Exploiting these vulnerabilities can result in unauthorized access, execution of malicious scripts, denial-of-service attacks, and manipulation of system files.
  • Patches have been released for the affected versions of firewalls and access points.
  • Installing the patches is highly recommended to ensure device security.
  • Tables provide a comprehensive overview of vulnerable versions and corresponding patch availability.
  • Additional support and information can be obtained from Zyxel’s support team or community resources.

CVEs: CVE-2023-35136, CVE-2023-35139, CVE-2023-37925, CVE-2023-37926, CVE-2023-4397, CVE-2023-4398, CVE-2023-5650, CVE-2023-5797, CVE-2023-5960

What are the vulnerabilities?

CVE-2023-35136

An improper input validation vulnerability in the “Quagga” package of some firewall versions could allow an authenticated local attacker to access configuration files on an affected device.

CVE-2023-35139

A cross-site scripting (XSS) vulnerability in the CGI program of some firewall versions could allow an unauthenticated LAN-based attacker to store malicious scripts in a vulnerable device. A successful XSS attack could then result in the stored malicious scripts being executed to steal cookies when the user visits the specific CGI used for dumping ZTP logs.

CVE-2023-37925

An improper privilege management vulnerability in the debug CLI command of some firewall and AP versions could allow an authenticated local attacker to access system files on an affected device.

CVE-2023-37926

A buffer overflow vulnerability in some firewall versions could allow an authenticated local attacker to cause denial-of-service (DoS) conditions by executing the CLI command to dump system logs on an affected device.

CVE-2023-4397

A buffer overflow vulnerability in some firewall versions could allow an authenticated local attacker with administrator privileges to cause DoS conditions by executing the CLI command with crafted strings on an affected device.

CVE-2023-4398

An integer overflow vulnerability in the source code of the QuickSec IPSec toolkit used in the VPN feature of some firewall versions could allow a remote unauthenticated attacker to cause DoS conditions on an affected device by sending a crafted IKE packet.

CVE-2023-5650

An improper privilege management vulnerability in the ZySH of some firewall versions could allow an authenticated local attacker to modify the URL of the registration page in the web GUI of an affected device.

CVE-2023-5797

An improper privilege management vulnerability in the debug CLI command of some firewall and AP versions could allow an authenticated local attacker to access the administrator’s logs on an affected device.

CVE-2023-5960

An improper privilege management vulnerability in the hotspot feature of some firewall versions could allow an authenticated local attacker to access the system files on an affected device.

What versions are vulnerable—and what should you do?

After a thorough investigation, we have identified the vulnerable products that are within their vulnerability support period and released updates to address the vulnerabilities, as shown in the following tables.

Table 1. Firewalls affected by CVE-2023-35136, CVE-2023-35139, CVE-2023-37925, CVE-2023-37926, CVE-2023-4397, CVE-2023-4398, CVE-2023-5650, CVE-2023-5797, and CVE-2023-5960

Each CVE column gives the affected version.

| Firewall series | CVE-2023-35136 | CVE-2023-35139 | CVE-2023-37925 | CVE-2023-37926 | CVE-2023-4397 | CVE-2023-4398 | CVE-2023-5650 | CVE-2023-5797 | CVE-2023-5960 | Patch availability |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| ATP | ZLD V4.32 to V5.37 | ZLD V5.10 to V5.37 | ZLD V4.32 to V5.37 | ZLD V4.32 to V5.37 | ZLD V5.37 | ZLD V4.32 to V5.37 | ZLD V4.32 to V5.37 | ZLD V4.32 to V5.37 | Not affected | ZLD V5.37 Patch 1 |
| USG FLEX | ZLD V4.50 to V5.37 | ZLD V5.00 to V5.37 | ZLD V4.50 to V5.37 | ZLD V4.50 to V5.37 | ZLD V5.37 | ZLD V4.50 to V5.37 | ZLD V4.50 to V5.37 | ZLD V4.50 to V5.37 | ZLD V4.50 to V5.37 | ZLD V5.37 Patch 1 |
| USG FLEX 50(W) / USG20(W)-VPN | ZLD V4.16 to V5.37 | ZLD V5.10 to V5.37 | ZLD V4.16 to V5.37 | ZLD V4.16 to V5.37 | ZLD V5.37 | ZLD V4.16 to V5.37 | ZLD V4.16 to V5.37 | ZLD V4.16 to V5.37 | Not affected | ZLD V5.37 Patch 1 |
| VPN | ZLD V4.30 to V5.37 | ZLD V5.00 to V5.37 | ZLD V4.30 to V5.37 | ZLD V4.30 to V5.37 | Not affected | ZLD V4.30 to V5.37 | ZLD V4.30 to V5.37 | ZLD V4.30 to V5.37 | ZLD V4.30 to V5.37 | ZLD V5.37 Patch 1 |
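
For triaging a firewall inventory against Table 1, the following added example (not Zyxel's code) encodes the table's version ranges and returns the CVEs that apply to a given series and ZLD release. The accepted version-string formats and the sample hostnames are assumptions made for illustration.

```python
import re

# Table 1 as data: lowest affected ZLD release per series, in CVES order
# (None = "Not affected"). Every listed range ends at V5.37; the fix is V5.37 Patch 1.
CVES = ["CVE-2023-35136", "CVE-2023-35139", "CVE-2023-37925", "CVE-2023-37926",
        "CVE-2023-4397", "CVE-2023-4398", "CVE-2023-5650", "CVE-2023-5797",
        "CVE-2023-5960"]
LOWER = {
    "ATP": [(4, 32), (5, 10), (4, 32), (4, 32), (5, 37), (4, 32), (4, 32), (4, 32), None],
    "USG FLEX": [(4, 50), (5, 0), (4, 50), (4, 50), (5, 37), (4, 50), (4, 50), (4, 50), (4, 50)],
    "USG FLEX 50(W) / USG20(W)-VPN":
        [(4, 16), (5, 10), (4, 16), (4, 16), (5, 37), (4, 16), (4, 16), (4, 16), None],
    "VPN": [(4, 30), (5, 0), (4, 30), (4, 30), None, (4, 30), (4, 30), (4, 30), (4, 30)],
}
LAST_AFFECTED = (5, 37)

# Assumed input format: "ZLD V5.37 Patch 1", "V5.36" or "5.36" (two-digit minor).
_VERSION = re.compile(r"(?:ZLD\s*)?V?(\d+)\.(\d{2})(?:\s+Patch\s*(\d+))?", re.I)

def parse_zld(text):
    """Return (major, minor, patch); raise ValueError rather than guess."""
    m = _VERSION.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised ZLD version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def affected_cves(series, version):
    """CVEs from Table 1 whose affected range contains this release."""
    major, minor, patch = parse_zld(version)
    release = (major, minor)
    if release > LAST_AFFECTED or (release == LAST_AFFECTED and patch >= 1):
        return []  # V5.37 Patch 1 or later
    # An empty result below the listed ranges means "not listed", not "verified safe".
    return [cve for cve, low in zip(CVES, LOWER[series])
            if low is not None and low <= release]

def triage(inventory):
    """Map host -> CVE list, or None when the row needs manual review."""
    report = {}
    for host, series, version in inventory:
        try:
            report[host] = affected_cves(series, version)
        except (KeyError, ValueError):
            report[host] = None  # unknown series or unparseable version
    return report

# Constructed inventory (hostnames and versions are sample values).
SAMPLE = [("fw-branch1", "ATP", "ZLD V5.37"), ("fw-hq", "USG FLEX", "V5.37 Patch 1"),
          ("vpn-dc", "VPN", "4.60"), ("fw-lab", "ATP", "unknown")]
```

Calling `triage(SAMPLE)` returns a per-host CVE list; a `None` entry marks a device whose series or version string could not be matched and should be checked by hand.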

Table 2. APs affected by CVE-2023-37925 and CVE-2023-5797

| AP model | Affected version | Patch availability |
| --- | --- | --- |
| NWA50AX | 6.29(ABYW.2) and earlier | Hotfix by request*; Standard patch 6.80(ABYW.0) in July 2024 |
| NWA50AX-PRO | 6.65(ACGE.1) and earlier | Hotfix by request*; Standard patch 6.80(ACGE.0) in July 2024 |
| NWA55AXE | 6.29(ABZL.2) and earlier | Hotfix by request*; Standard patch 6.80(ABZL.0) in July 2024 |
| NWA90AX | 6.29(ACCV.2) and earlier | Hotfix by request*; Standard patch 6.80(ACCV.0) in July 2024 |
| NWA90AX-PRO | 6.65(ACGF.1) and earlier | Hotfix by request*; Standard patch 6.80(ACGF.0) in July 2024 |
| NWA110AX | 6.65(ABTG.1) and earlier | Hotfix by request*; Standard patch 6.70(ABTG.0) in January 2024 |
| NWA210AX | 6.65(ABTD.1) and earlier | Hotfix by request*; Standard patch 6.70(ABTD.0) in January 2024 |
| NWA220AX-6E | 6.65(ACCO.1) and earlier | Hotfix by request*; Standard patch 6.70(ACCO.0) in January 2024 |
| NWA1123ACv3 | 6.65(ABVT.1) and earlier | Hotfix by request*; Standard patch 6.70(ABVT.0) in January 2024 |
| WAC500 | 6.65(ABVS.1) and earlier | Hotfix by request*; Standard patch 6.70(ABVS.0) in January 2024 |
| WAC500H | 6.65(ABWA.1) and earlier | Hotfix by request*; Standard patch 6.70(ABWA.0) in January 2024 |
| WAX300H | 6.60(ACHF.1) and earlier | Hotfix by request*; Standard patch 6.70(ACHF.0) in January 2024 |
| WAX510D | 6.65(ABTF.1) and earlier | Hotfix by request*; Standard patch 6.70(ABTF.0) in January 2024 |
| WAX610D | 6.65(ABTE.1) and earlier | Hotfix by request*; Standard patch 6.70(ABTE.0) in January 2024 |
| WAX620D-6E | 6.65(ACCN.1) and earlier | Hotfix by request*; Standard patch 6.70(ACCN.0) in January 2024 |
| WAX630S | 6.65(ABZD.1) and earlier | Hotfix by request*; Standard patch 6.70(ABZD.0) in January 2024 |
| WAX640S-6E | 6.65(ACCM.1) and earlier | Hotfix by request*; Standard patch 6.70(ACCM.0) in January 2024 |
| WAX650S | 6.65(ABRM.1) and earlier | Hotfix by request*; Standard patch 6.70(ABRM.0) in January 2024 |
| WAX655E | 6.65(ACDO.1) and earlier | Hotfix by request*; Standard patch 6.70(ACDO.0) in January 2024 |
| WBE660S | 6.65(ACGG.1) and earlier | Hotfix by request*; Standard patch 6.70(ACGG.0) in January 2024 |