Multiple vulnerabilities in Zyxel firewalls and WLAN controllers



| Updated: 2024-07-03
Risk Medium
Patch available YES
Number of vulnerabilities 7
CVE-ID CVE-2023-28767
CVE-2023-33011
CVE-2023-33012
CVE-2023-34138
CVE-2023-34139
CVE-2023-34140
CVE-2023-34141
CWE-ID CWE-78
CWE-134
CWE-119
Exploitation vector Local network
Public exploit Public exploit code for vulnerability #3 is available.
Vulnerable software
ATP series
Hardware solutions / Routers for home users

USG FLEX series
Client/Desktop applications / Antivirus software/Personal firewalls

VPN series
Client/Desktop applications / Antivirus software/Personal firewalls

USG FLEX 50W
Hardware solutions / Firmware

USG20W-VPN
Hardware solutions / Firmware

Vendor ZyXEL Communications Corp.

Security Bulletin

This security bulletin contains information about 7 vulnerabilities.

1) OS Command Injection

EUVDB-ID: #VU78346

Risk: Medium

CVSSv3.1: 7.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-28767

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation. A remote unauthenticated attacker on the local network can pass specially crafted data to the application and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

ATP series: 5.10 - 5.36

USG FLEX series: 5.00 - 5.36

USG FLEX 50W: 5.10 - 5.36

USG20W-VPN: 5.10 - 5.36

VPN series: 5.00 - 5.36

CPE2.3 External links

http://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-and-wlan-controllers


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Format string error

EUVDB-ID: #VU78347

Risk: Medium

CVSSv3.1: 7.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-33011

CWE-ID: CWE-134 - Use of Externally-Controlled Format String

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a format string error. A remote attacker on the local network can supply a specially crafted input that contains format string specifiers and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

ATP series: 5.10 - 5.36 Patch 2

USG FLEX series: 5.00 - 5.36 Patch 2

USG FLEX 50W: 5.10 - 5.36 Patch 2

USG20W-VPN: 5.10 - 5.36 Patch 2

VPN series: 5.00 - 5.36 Patch 2

CPE2.3 External links

http://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-and-wlan-controllers


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) OS Command Injection

EUVDB-ID: #VU78348

Risk: Medium

CVSSv3.1: 8.2 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C]

CVE-ID: CVE-2023-33012

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation. A remote unauthenticated attacker on the local network can pass specially crafted data to the application and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

ATP series: 5.10 - 5.36 Patch 2

USG FLEX series: 5.00 - 5.36 Patch 2

USG FLEX 50W: 5.10 - 5.36 Patch 2

USG20W-VPN: 5.10 - 5.36 Patch 2

VPN series: 5.00 - 5.36 Patch 2

CPE2.3 External links

http://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-and-wlan-controllers


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

4) OS Command Injection

EUVDB-ID: #VU78349

Risk: Medium

CVSSv3.1: 7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-34138

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the hotspot management feature. A remote unauthenticated attacker on the local network can pass specially crafted data to the application and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

ATP series: 4.60 - 5.36 Patch 2

USG FLEX series: 4.60 - 5.36 Patch 2

USG FLEX 50W: 4.60 - 5.36 Patch 2

USG20W-VPN: 4.60 - 5.36 Patch 2

VPN series: 4.60 - 5.36 Patch 2

CPE2.3 External links

http://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-and-wlan-controllers


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) OS Command Injection

EUVDB-ID: #VU78350

Risk: Medium

CVSSv3.1: 7.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-34139

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the Free Time WiFi hotspot feature. A remote unauthenticated attacker on the local network can pass specially crafted data to the application and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

USG FLEX series: 4.50 - 5.36 Patch 2

VPN series: 4.20 - 5.36 Patch 2

CPE2.3 External links

http://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-and-wlan-controllers


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Buffer overflow

EUVDB-ID: #VU78351

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-34140

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error. A remote attacker on the local network can trigger memory corruption and cause a denial of service condition on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

ATP series: 4.32 - 5.36 Patch 2

USG FLEX series: 4.50 - 5.36 Patch 2

USG FLEX 50W: 4.16 - 5.36 Patch 2

USG20W-VPN: 4.16 - 5.36 Patch 2

VPN series: 4.30 - 5.36 Patch 2

CPE2.3 External links

http://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-and-wlan-controllers


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) OS Command Injection

EUVDB-ID: #VU78352

Risk: Medium

CVSSv3.1: 7.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-34141

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the access point (AP) management feature. A remote unauthenticated attacker on the local network can pass specially crafted data to the application and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

ATP series: 5.00 - 5.36 Patch 2

USG FLEX series: 5.00 - 5.36 Patch 2

USG FLEX 50W: 5.00 - 5.36 Patch 2

USG20W-VPN: 5.00 - 5.36 Patch 2

VPN series: 5.00 - 5.36 Patch 2

CPE2.3 External links

http://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-and-wlan-controllers


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###