Published: June 1, 2023

Overview

Three critical vulnerabilities affect multiple firmware versions of Zyxel networking devices. Zyxel provides networking products such as switches, routers and firewalls.

A critical unauthenticated OS command injection vulnerability (CVE-2023-28771, CVSS score 9.8) affects multiple Zyxel networking devices. Improper error message handling in some firewall versions could allow an unauthenticated attacker to execute OS commands remotely by sending crafted packets to an affected device.

Two buffer overflow vulnerabilities, one in the notification function (CVE-2023-33009, CVSS score 9.8) and one in the ID processing function (CVE-2023-33010, CVSS score 9.8), affect some Zyxel products and could allow an unauthenticated attacker to perform remote code execution or impose DoS conditions.

Impact

All three critical vulnerabilities can be exploited by a remote attacker to execute code; specially crafted packets sent to an affected device trigger them. Exploitation can also cause a Denial-of-Service condition in which the device stops responding.

Applicable Versions

The impacted devices and the versions of their firmware are given below:

Firmware                      Affected Versions
Zyxel ZyWALL/USG series       4.60 to 4.73 Patch1
VPN series                    4.60 to 5.35 Patch1
USG FLEX series               4.60 to 5.35 Patch1
ATP series                    4.60 to 5.35 Patch1

Mitigations and Workarounds

Zyxel has released patches for these vulnerabilities for the affected device series and recommends installing them immediately.

Firmware                      Affected Versions         Patched Versions
Zyxel ZyWALL/USG series       4.60 to 4.73 Patch1       4.73 Patch2
VPN series                    4.60 to 5.35 Patch1       5.36 Patch2
USG FLEX series               4.60 to 5.35 Patch1       5.36 Patch2
ATP series                    4.60 to 5.35 Patch1       5.36 Patch2
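The tables above are the data a defender actually needs: for each device series, the affected range and the first patched build. The script below, an added example that is not Netsurion's or Zyxel's code, turns those tables into an inventory check. It assumes a constructed CSV inventory with host, series and firmware columns, and it accepts firmware strings in the advisory's own "X.YY PatchN" notation (a missing Patch suffix is treated as Patch0). A build that is newer than the last listed affected version but older than the fix release is not declared safe by the advisory, so the script reports it separately rather than marking it patched.

```python
import csv
import io
import re

# Affected and patched versions per product series, copied from the advisory
# tables: (first affected, last affected, first patched).
ADVISORY = {
    "ZyWALL/USG": ("4.60", "4.73 Patch1", "4.73 Patch2"),
    "VPN":        ("4.60", "5.35 Patch1", "5.36 Patch2"),
    "USG FLEX":   ("4.60", "5.35 Patch1", "5.36 Patch2"),
    "ATP":        ("4.60", "5.35 Patch1", "5.36 Patch2"),
}

# Accepts "5.35 Patch1", "V5.36 Patch2" or "4.50"; the Patch suffix is optional.
_VERSION_RE = re.compile(r"^\s*[Vv]?(\d+)\.(\d+)(?:\s*[Pp]atch\s*(\d+))?\s*$")


def parse_version(text):
    """Turn '5.35 Patch1' into a comparable tuple (5, 35, 1); no Patch suffix means patch 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised firmware version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(series, version_text):
    """Classify one device's firmware against the advisory entry for its series."""
    if series not in ADVISORY:
        return "series-not-in-advisory"
    first, last, fixed = (parse_version(v) for v in ADVISORY[series])
    v = parse_version(version_text)
    if v >= fixed:
        return "patched"
    if v < first:
        return "older-than-advisory-range"
    if v <= last:
        return "vulnerable"
    # Newer than the last listed affected build but below the fix release:
    # the advisory does not state that such builds are safe, so flag them.
    return "unpatched-unlisted"


# Constructed sample inventory (hypothetical hostnames and firmware levels).
SAMPLE_INVENTORY = """\
host,series,firmware
fw-edge-01,ATP,5.35 Patch1
fw-edge-02,USG FLEX,V5.36 Patch2
vpn-hq,VPN,5.30
legacy-usg,ZyWALL/USG,4.73 Patch2
branch-usg,ZyWALL/USG,4.50
"""


def triage_inventory(csv_text):
    """Return (host, series, status) for every row of a host,series,firmware CSV."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["host"], r["series"], assess(r["series"], r["firmware"])) for r in rows]


def devices_needing_patch(csv_text):
    """Hosts that should be upgraded to the patched build for their series."""
    return sorted(
        host for host, _, status in triage_inventory(csv_text)
        if status in ("vulnerable", "unpatched-unlisted")
    )


if __name__ == "__main__":
    for host, series, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:12} {series:11} {status}")
    print("needs patch:", devices_needing_patch(SAMPLE_INVENTORY))
```

Run it against an export of your own asset inventory in the same three-column form; hosts reported as vulnerable or unpatched-unlisted should be scheduled for the patched build shown in the table, and hosts older than 4.60 fall outside what the advisory covers and deserve a separate look.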

Best Practices

To detect these vulnerabilities, run vulnerability scanning such as that available with Netsurion Vulnerability Management, and keep the Zyxel devices' OS, application and firmware patches current through automated patch management.

Netsurion Detection and Response

Netsurion's vulnerability management system detects CVE-2023-28771, CVE-2023-33009 and CVE-2023-33010 using Netsurion's vulnerability scanner. This applies to customers who have subscribed to Netsurion's vulnerability detection service.
