See how you've made an impact in Zyxel Community this year!
https://bit.ly/Your2024Moments_Community
Zyxel security advisory for multiple vulnerabilities of firewalls, AP controllers, and APs
Zyxel_Jason
Posts: 411 
Zyxel Employee
Zyxel Employee
CVE: CVE-2022-0734, CVE-2022-26531, CVE-2022-26532, CVE-2022-0910
Summary
Zyxel is aware of multiple vulnerabilities reported by security consultancies and advises users to install the applicable firmware updates for optimal protection.
What is the vulnerability?
CVE-2022-0734
A cross-site scripting vulnerability was identified in the CGI program of some firewall versions that could allow an attacker to obtain some information stored in the user’s browser, such as cookies or session tokens, via a malicious script.
CVE-2022-26531
Multiple improper input validation flaws were identified in some CLI commands of some firewall, AP controller, and AP versions that could allow a local authenticated attacker to cause a buffer overflow or a system crash via a crafted payload.
CVE-2022-26532
A command injection vulnerability in the "packet-trace" CLI command of some firewall, AP controller, and AP versions could allow a local authenticated attacker to execute arbitrary OS commands by including crafted arguments to the command.
CVE-2022-0910
An authentication bypass
vulnerability caused by the lack of a proper access control mechanism has been
found in the CGI program of some firewall versions. The flaw could allow an
attacker to downgrade from two-factor authentication to one-factor authentication
via an IPsec VPN client.
What versions are vulnerable—and what should you do?
After a thorough investigation, we’ve identified the vulnerable products that are within their vulnerability support period and released patches to address the CVEs, as shown in the tables below.
Table 1. Firewalls affected by
CVE-2022-0734, CVE-2022-26531, CVE-2022-26532, and CVE-2022-0910
|
Firewall |
Affected version |
Patch availability |
|||
|
CVE-2022-0734 |
CVE-2022-26531 |
CVE-2022-26532 |
CVE-2022-0910 |
||
|
USG/ZyWALL |
ZLD V4.35~V4.70 |
ZLD V4.09~V4.71 |
ZLD V4.09~V4.71 |
ZLD V4.32~V4.71 |
ZLD V4.72 |
|
USG FLEX |
ZLD V4.50~V5.20 |
ZLD V4.50~V5.21 |
ZLD V4.50~V5.21 |
ZLD V4.50~V5.21 |
ZLD V5.30 |
|
ATP |
ZLD V4.35~V5.20 |
ZLD V4.32~V5.21 |
ZLD V4.32~V5.21 |
ZLD V4.32~V5.21 |
ZLD V5.30 |
|
VPN |
ZLD V4.35~V5.20 |
ZLD V4.30~V5.21 |
ZLD V4.30~V5.21 |
ZLD V4.32~V5.21 |
ZLD V5.30 |
|
NSG |
Not affected |
V1.00~V1.33 Patch 4 |
V1.00~V1.33 Patch 4 |
Not affected |
V1.33 Patch 5* |
*Available in middle of Jun.
Table 2. AP controllers affected by CVE-2022-26531 and CVE-2022-26532
|
AP Controller |
Affected version |
Patch availability |
|
CVE-2022-26531 and CVE-2022-26532 |
||
|
NXC2500 |
6.10(AAIG.3) and earlier |
Hotfix by request** |
|
NXC5500 |
6.10(AAOS.3) and earlier |
Hotfix by request** |
Table 3. APs affected by CVE-2022-26531 and CVE-2022-26532
|
AP |
Affected version |
Patch availability |
|
CVE-2022-26531 and CVE-2022-26532 |
||
|
NAP203 |
6.25(ABFA.7) and earlier |
6.25(ABFA.8) |
|
NAP303 |
6.25(ABEX.7) and earlier |
6.25(ABEX.8) |
|
NAP353 |
6.25(ABEY.7) and earlier |
6.25(ABEY.8) |
|
NWA50AX |
6.25(ABYW.5) and earlier |
6.25(ABYW.8) |
|
NWA55AXE |
6.25(ABZL.5) and earlier |
6.25(ABZL.8) |
|
NWA90AX |
6.27(ACCV.2) and earlier |
6.27(ACCV.3) |
|
NWA110AX |
6.30(ABTG.2) and earlier |
6.30(ABTG.3) |
|
NWA210AX |
6.30(ABTD.2) and earlier |
6.30(ABTD.3) |
|
NWA1123-AC-HD |
6.25(ABIN.6) and earlier |
6.25(ABIN.8) |
|
NWA1123-AC-PRO |
6.25(ABHD.7) and earlier |
6.25(ABHD.8) |
|
NWA1123ACv3 |
6.30(ABVT.2) and earlier |
6.30(ABVT.3) |
|
NWA1302-AC |
6.25(ABKU.6) and earlier |
6.25(ABKU.8) |
|
NWA5123-AC-HD |
6.25(ABIM.6) and earlier |
6.25(ABIM.8) |
|
WAC500H |
6.30(ABWA.2) and earlier |
6.30(ABWA.3) |
|
WAC500 |
6.30(ABVS.2) and earlier |
6.30(ABVS.3) |
|
WAC5302D-S |
6.10(ABFH.10) and earlier |
Hotfix by request** |
|
WAC5302D-Sv2 |
6.25(ABVZ.6) and earlier |
6.25(ABVZ.8) |
|
WAC6103D-I |
6.25(AAXH.7) and earlier |
6.25(AAXH.8) |
|
WAC6303D-S |
6.25(ABGL.6) and earlier |
6.25(ABGL.8) |
|
WAC6502D-E |
6.25(AASD.7) and earlier |
6.25(AASD.8) |
|
WAC6502D-S |
6.25(AASE.7) and earlier |
6.25(AASE.8) |
|
WAC6503D-S |
6.25(AASF.7) and earlier |
6.25(AASF.8) |
|
WAC6553D-E |
6.25(AASG.7) and earlier |
6.25(AASG.8) |
|
WAC6552D-S |
6.25(ABIO.7) and earlier |
6.25(ABIO.8) |
|
WAX510D |
6.30(ABTF.2) and earlier |
6.30(ABTF.3) |
|
WAX610D |
6.30(ABTE.2) and earlier |
6.30(ABTE.3) |
|
WAX630S |
6.30(ABZD.2) and earlier |
6.30(ABZD.3) |
|
WAX650S |
6.30(ABRM.2) and earlier |
6.30(ABRM.3) |
**Please reach out to your local Zyxel support team for the file.
Got a question?
Please contact your local service rep or visit Zyxel’s forum for further information or assistance.
Acknowledgments and commentary
Thanks to the following security consultancies for reporting the issues to us:
- Riccardo Krauter at Soter IT Security for CVE-2022-0734
- HN Security for CVE-2022-26531 and CVE-2022-26532
- Ascend PC for CVE-2022-0910
Revision history
2022-05-24: Initial release
2022-05-27: Updated NSG’s patch schedule
Jason
See how you've made an impact in Zyxel Community this year!
https://bit.ly/Your2024Moments_Community
See how you've made an impact in Zyxel Community this year!
https://bit.ly/Your2024Moments_Community
1
Comments
-
The date firmware for NXC2500, NXC5500, and WAC5302D-S is ready.
Please download the file from the below link:
Zyxel Nebula Support
0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 151 Nebula Ideas
- 98 Nebula Status and Incidents
- 5.7K Security
- 277 USG FLEX H Series
- 277 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 42 Wireless Ideas
- 6.4K Consumer Product
- 250 Service & License
- 395 News and Release
- 85 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.6K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 74 Security Highlight