Multiple vulnerabilitiesin Zyxel firewalls and APs



Risk Medium
Patch available YES
Number of vulnerabilities 6
CVE-ID CVE-2023-22913
CVE-2023-22914
CVE-2023-22915
CVE-2023-22916
CVE-2023-22917
CVE-2023-22918
CWE-ID CWE-77
CWE-22
CWE-119
CWE-20
CWE-200
Exploitation vector Network
Public exploit N/A
Vulnerable software
USG FLEX series
Client/Desktop applications / Antivirus software/Personal firewalls

VPN series
Client/Desktop applications / Antivirus software/Personal firewalls

USG FLEX 50W
Hardware solutions / Firmware

USG20W-VPN
Hardware solutions / Firmware

NWA5123-AC HD
Hardware solutions / Firmware

WAC5302D-Sv2
Hardware solutions / Firmware

WAC6103D-I
Hardware solutions / Firmware

WAC6303D-S
Hardware solutions / Firmware

WAC6502D-E
Hardware solutions / Firmware

WAC6502D-S
Hardware solutions / Firmware

WAC6503D-S
Hardware solutions / Firmware

WAC6552D-S
Hardware solutions / Firmware

WAC6553D-E
Hardware solutions / Firmware

NWA110AX
Hardware solutions / Firmware

NWA1123ACv3
Hardware solutions / Firmware

NWA210AX
Hardware solutions / Firmware

WAC500
Hardware solutions / Firmware

WAC500H
Hardware solutions / Firmware

WAX510D
Hardware solutions / Firmware

WAX610D
Hardware solutions / Firmware

WAX650S
Hardware solutions / Firmware

ATP series
Hardware solutions / Routers for home users

NAP203
Hardware solutions / Routers & switches, VoIP, GSM, etc

NAP303
Hardware solutions / Routers & switches, VoIP, GSM, etc

NAP353
Hardware solutions / Routers & switches, VoIP, GSM, etc

NWA1123-AC-PRO
Hardware solutions / Routers & switches, VoIP, GSM, etc

NWA220AX-6E
Hardware solutions / Routers & switches, VoIP, GSM, etc

NWA50AX
Hardware solutions / Routers & switches, VoIP, GSM, etc

NWA50AX-PRO
Hardware solutions / Routers & switches, VoIP, GSM, etc

NWA90AX
Hardware solutions / Routers & switches, VoIP, GSM, etc

NWA90AX-PRO
Hardware solutions / Routers & switches, VoIP, GSM, etc

WAX620D-6E
Hardware solutions / Routers & switches, VoIP, GSM, etc

WAX630S
Hardware solutions / Routers & switches, VoIP, GSM, etc

WAX640S-6E
Hardware solutions / Routers & switches, VoIP, GSM, etc

WAX655E
Hardware solutions / Routers & switches, VoIP, GSM, etc

Vendor ZyXEL Communications Corp.

Security Bulletin

This security bulletin contains information about 6 vulnerabilities.

1) Command Injection

EUVDB-ID: #VU75462

Risk: Medium

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-22913

CWE-ID: CWE-77 - Command injection

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists due to improper input validation in the "account_operator.cgi" CGI program. A remote user can pass specially crafted data to the application and execute arbitrary commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

USG FLEX series: 4.50 - 5.35

VPN series: 4.30 - 5.35

CPE2.3 External links

http://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-of-firewalls-and-aps


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Path traversal

EUVDB-ID: #VU75463

Risk: Low

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-22914

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in the "account_print.cgi" CGI program. A remote administrator can send a specially crafted HTTP request and read arbitrary files on the system, leading to arbitrary OS commands execution.

Mitigation

Install update from vendor's website.

Vulnerable software versions

USG FLEX series: 4.50 - 5.35

VPN series: 4.30 - 5.35

CPE2.3 External links

http://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-of-firewalls-and-aps


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Buffer overflow

EUVDB-ID: #VU75464

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-22915

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in the "fbwifi_forward.cgi" CGI program. A remote attacker can send a specially crafted HTTP request, trigger memory corruption and cause a denial of service condition on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

USG FLEX series: 4.50 - 5.35

USG FLEX 50W: 4.30 - 5.35

USG20W-VPN: 4.30 - 5.35

VPN series: 4.30 - 5.35

CPE2.3 External links

http://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-of-firewalls-and-aps


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Input validation error

EUVDB-ID: #VU75465

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-22916

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in the configuration parser. A remote attacker can trick an administrator to switch the management mode to the cloud mode and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

ATP series: 5.10 - 5.35

USG FLEX series: 5.00 - 5.35

USG FLEX 50W: 5.10 - 5.35

USG20W-VPN: 5.10 - 5.35

VPN series: 5.00 - 5.35

CPE2.3 External links

http://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-of-firewalls-and-aps


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Buffer overflow

EUVDB-ID: #VU75466

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-22917

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in the "sdwan_iface_ipc" binary. A remote attacker can trigger memory corruption and cause a denial of service condition on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

ATP series: 5.10 - 5.35

USG FLEX series: 5.00 - 5.35

USG FLEX 50W: 5.10 - 5.35

USG20W-VPN: 5.10 - 5.35

VPN series: 5.00 - 5.35

CPE2.3 External links

http://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-of-firewalls-and-aps


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Information disclosure

EUVDB-ID: #VU75467

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-22918

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in the CGI program. A remote user can gain unauthorized access to sensitive information on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

ATP series: 4.32 - 5.35

USG FLEX series: 4.50 - 5.35

USG FLEX 50W: 4.16 - 5.35

USG20W-VPN: 4.16 - 5.35

VPN series: 4.30 - 5.35

NAP203: 6.28(ABFA.0)

NAP303: 6.28(ABEX.0)

NAP353: 6.28(ABEY.0)

NWA1123-AC-PRO: 6.28(ABHD.0)

NWA5123-AC HD: 6.25(ABIM.9)

WAC5302D-Sv2: 6.25(ABVZ.9)

WAC6103D-I: 6.28(AAXH.0)

WAC6303D-S: 6.25(ABGL.9)

WAC6502D-E: 6.28(AASD.0)

WAC6502D-S: 6.28(AASE.0)

WAC6503D-S: 6.28(AASF.0)

WAC6552D-S: 6.28(ABIO.0)

WAC6553D-E: 6.28(AASG.0)

NWA110AX: 6.50(ABTG.2)

NWA1123ACv3: 6.50(ABVT.0)

NWA210AX: 6.50(ABTD.2)

NWA220AX-6E: 6.50(ACCO.2)

NWA50AX: 6.29(ABYW.1)

NWA50AX-PRO: 6.50(ACGE.0)

NWA90AX: 6.29(ACCV.1)

NWA90AX-PRO: 6.50(ACGF.0)

WAC500: 6.50(ABVS.0)

WAC500H: 6.50(ABWA.0)

WAX510D: 6.50(ABTF.2)

WAX610D: 6.50(ABTE.2)

WAX620D-6E: 6.50(ACCN.2)

WAX630S: 6.50(ABZD.2)

WAX640S-6E: 6.50(ACCM.2)

WAX650S: 6.50(ABRM.2)

WAX655E: 6.50(ACDO.2)

CPE2.3 External links

http://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-of-firewalls-and-aps


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###