Zyxel security advisory for DoS vulnerability of switches

Zyxel_May
Zyxel_May Posts: 93
First Comment Third Anniversary
 Ally Member
edited January 31 in Security Advisories

CVE: CVE-2022-43393

Summary

Zyxel has released patches for some switches affected by a denial-of-service (DoS) vulnerability. Users are advised to install them for optimal protection.

What is the vulnerability?

An improper check for unusual or exceptional conditions in the HTTP request processing function of some Zyxel switch versions could allow an attacker to corrupt the contents of the memory and result in a DoS condition on an affected device.

What versions are vulnerable—and what should you do?

After a thorough investigation, we’ve identified the vulnerable products that are within their vulnerability support period and released patches to address the vulnerability, as shown in the table below.

Since switches are mostly deployed in a local area network (LAN) environment, most potential DoS attacks can be reduced by firewalls or security gateways. Furthermore, for optimal protection, we suggest that users set more stringent management rules for remote access to their switches, such as by restricting HTTP or HTTPS requests to remotely access the device management interface or by limiting remote access by specific IP addresses.

Affected model

Affected version

Patch availability

GS1350-6HP

V4.70(ABPI.4)C0

V4.70(ABPI.5)C0

GS1350-12HP

V4.70(ABPJ.4)C0

V4.70(ABPJ.5)C0

GS1350-18HP

V4.70(ABPK.4)C0

V4.70(ABPK.5)C0

GS1350-26HP

V4.70(ABPL.4)C0

V4.70(ABPL.5)C0

GS1915-8

V4.70(ACAP.2)C0

V4.70(ACAP.3)C0

GS1915-8EP

V4.70(ACAQ.2)C0

V4.70(ACAQ.3)C0

GS1915-24E

V4.70(ACDR.2)C0

V4.70(ACDR.3)C0

GS1915-24EP

V4.70(ACDS.2)C0

V4.70(ACDS.3)C0

GS1920-8HPv2

V4.70(ABKZ.7)C0

V4.70(ABKZ.8)C0

GS1920-24v2

V4.70(ABMH.7)C0

V4.70(ABMH.8)C0

GS1920-48v2

V4.70(ABMJ.7)C0

V4.70(ABMJ.8)C0

GS1920-24HPv2

V4.70(ABMI.7)C0

V4.70(ABMI.8)C0

GS1920-48HPv2

V4.70(ABMK.7)C0

V4.70(ABMK.8)C0

GS2220-10

V4.70(ABRO.5)C0

V4.70(ABRO.6)C0

GS2220-28

V4.70(ABRQ.5)C0

V4.70(ABRQ.6)C0

GS2220-50

V4.70(ABRS.5)C0

V4.70(ABRS.6)C0

GS2220-10HP

V4.70(ABRP.5)C0

V4.70(ABRP.6)C0

GS2220-28HP

V4.70(ABRR.5)C0

V4.70(ABRR.6)C0

GS2220-50HP

V4.70(ABRT.5)C0

V4.70(ABRT.6)C0

XGS1930-28

V4.70(ABHT.3)C0

V4.70(ABHT.5)C0

XGS1930-28HP

V4.70(ABHS.3)C0

V4.70(ABHS.5)C0

XGS1930-52

V4.70(ABHU.3)C0

V4.70(ABHU.5)C0

XGS1930-52HP

V4.70(ABHV.3)C0

V4.70(ABHV.5)C0

XS1930-10

V4.70(ABQE.5)C0

V4.80(ABQE.0)C0

XS1930-12HP

V4.70(ABQF.5)C0

V4.80(ABQF.0)C0

XS1930-12F

V4.70(ABZV.5)C0

V4.80(ABZV.0)C0

XGS2210-28

V4.70(AAZJ.1)C0

V4.70(AAZJ.2)C0

XGS2210-52

V4.70(AAZK.1)C0

V4.70(AAZK.2)C0

XGS2210-28HP

V4.70(AAZL.1)C0

V4.70(AAZL.2)C0

XGS2210-52HP

V4.70(AAZM.1)C0

V4.70(AAZM.2)C0

XGS2220-30

V4.80(ABXN.0)C0

V4.80(ABXN.1)C0

XGS2220-30HP

V4.80(ABXO.0)C0

V4.80(ABXO.1)C0

XGS2220-30F

V4.80(ABYE.0)C0

V4.80(ABYE.1)C0

XGS2220-54

V4.80(ABXP.0)C0

V4.80(ABXP.1)C0

XGS2220-54HP

V4.80(ABXQ.0)C0

V4.80(ABXQ.1)C0

XGS2220-54FP

V4.80(ACCE.0)C0

V4.80(ACCE.1)C0

XGS4600-32

V4.70(ABBH.3)C0

V4.70(ABBH.4)C0

XGS4600-32F

V4.70(ABBI.3)C0

V4.70(ABBI.4)C0

XGS4600-52F

V4.70(ABIK.3)C0

V4.70(ABIK.4)C0

XMG1930-30

V4.70(ACAR.0)

V4.80(ACAR.0)

XMG1930-30HP

V4.70(ACAS.0)

V4.80(ACAS.0)

XS3800-28

V4.80(ABML.0)C0

V4.80(ABML.1)C0

MGS3500-24S

4.10(ABBR.1)C0

4.10(ABBR.2)C0*

MGS3520-28

4.10(AATN.4)C0

4.10(AATN.5)C0*

MGS3520-28

4.10(ABQM.1)C0

4.10(ABQM.2)C0*

MGS3520-28F

4.10(AATM.3)C0

4.10(AATM.4)C0*

MGS3530-28

4.10(ACEM.1)C0

4.10(ACEM.2)C0*

MGS3530-28

4.10(ACFJ.0)C0

4.10(ACFJ.1)C0*

*Please reach out to your local Zyxel support team for the file.

Got a question?

Please contact your local service rep or visit Zyxel’s Community for further information or assistance.

Acknowledgement

Thanks to Nikita Abramov from Positive Technologies for reporting the issue to us.

Revision history

2023-1-11: Initial release


Comments

  • Arif
    Arif Posts: 2
    First Comment

    XGS2220-30hp switch is this Physically stack able?

  • Zyxel_Melen
    Zyxel_Melen Posts: 1,165
    Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate 100 Answers
     Zyxel Employee

    Hi @Arif,

    Thanks for your interest in XGS2220 stacking.
    It does provide the stacking function, but it needs firmware support that will be available in August.

    Zyxel Melen
  • Arif
    Arif Posts: 2
    First Comment

    Hi Melen

    Thanks for your confirmation, but we are Partner of zyxel networks.so we need urgent update firmware as early possible for project completion. Is it Possible ?

  • Zyxel_Melen
    Zyxel_Melen Posts: 1,165
    Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate 100 Answers
     Zyxel Employee

    Hi @Arif,

    We have received the same request from your colleagues and have some questions we would like to clarify. Let's deal with this request via the ticket.

    Zyxel Melen