Zyxel security advisory for multiple vulnerabilities of firewalls and APs

Options
Zyxel_May
Zyxel_May Posts: 129  Ally Member
First Anniversary First Comment
edited May 2023 in Security Advisories

CVE:CVE-2023-22913, CVE-2023-22914, CVE-2023-22915, CVE-2023-22916, CVE-2023-22917, CVE-2023-22918

Summary

Zyxel is aware of multiple vulnerabilities in its firewalls and access points (AP) as reported by Positive Technologies and advises users to install the applicable firmware updates for optimal protection.

What are the vulnerabilities?

CVE-2023-22913

A post-authentication command injection vulnerability in the “account_operator.cgi” CGI program of some firewall versions could allow a remote authenticated attacker to modify device configuration data, resulting in denial-of-service (DoS) conditions on an affected device. Note that WAN access is disabled by default on the firewall devices.

CVE-2023-22914

A path traversal vulnerability in the “account_print.cgi” CGI program of some firewall versions could allow a remote authenticated attacker with administrator privileges to execute unauthorized OS commands in the “tmp” directory by uploading a crafted file if the hotspot function were enabled. Note that WAN access is disabled by default on the firewall devices.

CVE-2023-22915

A buffer overflow vulnerability in the “fbwifi_forward.cgi” CGI program of some firewall versions could allow a remote unauthenticated attacker to cause DoS conditions by sending a crafted HTTP request if the Facebook WiFi function were enabled on an affected device. Note that WAN access is disabled by default on the firewall devices.

CVE-2023-22916

The configuration parser of some firewall versions fails to properly sanitize user input. A remote unauthenticated attacker could leverage the vulnerability to modify device configuration data, resulting in DoS conditions on an affected device if the attacker could trick an authorized administrator to switch the management mode to the cloud mode. Note that WAN access is disabled by default on the firewall devices.

CVE-2023-22917

A buffer overflow vulnerability in the “sdwan_iface_ipc” binary of some firewall versions could allow a remote unauthenticated attacker to cause a core dump with a request error message on a vulnerable device by uploading a crafted configuration file. Note that WAN access is disabled by default on the firewall devices.

CVE-2023-22918

A post-authentication information exposure vulnerability in the CGI program of some firewall and AP versions could allow a remote authenticated attacker to retrieve encrypted information of the administrator on an affected device. Note that WAN access is disabled by default on the firewall and AP devices.

What versions are vulnerable—and what should you do?

After a thorough investigation, we have identified the vulnerable products that are within their vulnerability support period and released updates to address the vulnerabilities, as shown in the following tables.

Table 1. Firewalls affected by CVE-2023-22913, CVE-2023-22914, CVE-2023-22915, CVE-2023-22916, CVE-2023-22917, and CVE-2023-22918

Firewall

series

Affected

version

Patch

availability

CVE-2023-22913

CVE-2023-22914

CVE-2023-22915

CVE-2023-22916

CVE-2023-22917

CVE-2023-22918

ATP

Not affected

Not affected

Not affected

ZLD V5.10~V5.35

ZLD V5.10~V5.32

ZLD V4.32~V5.35

ZLD V5.36

USG FLEX

ZLD V4.50~V5.35

ZLD V4.50~V5.35

ZLD V4.50~V5.35

ZLD V5.00~V5.35

ZLD V5.00~V5.32

ZLD V4.50~V5.35

ZLD V5.36

USG FLEX 50(W) /

USG20(W)-VPN

Not affected

Not affected

ZLD V4.30~V5.35

ZLD V5.10~V5.35

ZLD V5.10~V5.32

ZLD V4.16~V5.35

ZLD V5.36

VPN

ZLD V4.30~V5.35

ZLD V4.30~V5.35

ZLD V4.30~V5.35

ZLD V5.00~V5.35

ZLD V5.00~V5.35

ZLD V4.30~V5.35

ZLD V5.36

Table 2. APs affected by CVE-2023-22918

AP model

Affected version

Patch availability

NAP203

6.28(ABFA.0) and earlier

Hotfix by request*

NAP303

6.28(ABEX.0) and earlier

Hotfix by request*

NAP353

6.28(ABEY.0) and earlier

Hotfix by request*

NWA110AX

6.50(ABTG.2) and earlier

6.55(ABTG.1)

NWA1123-AC-PRO

6.28(ABHD.0) and earlier

Hotfix by request*

NWA1123ACv3

6.50(ABVT.0) and earlier

6.55(ABVT.1)

NWA210AX

6.50(ABTD.2) and earlier

6.55(ABTD.1)

NWA220AX-6E

6.50(ACCO.2) and earlier

6.55(ACCO.1)

NWA50AX

6.29(ABYW.1) and earlier

Hotfix by request*

Standard patch 6.29(ABYW.2) in Oct. 2023

NWA50AX-PRO

6.50(ACGE.0) and earlier

6.55(ACGE.1)

NWA5123-AC HD

6.25(ABIM.9) and earlier

Hotfix by request*

NWA55AXE

6.29(ABZL.1) and earlier

Hotfix by request*

Standard patch 6.29(ABZL.2) in Oct. 2023

NWA90AX

6.29(ACCV.1) and earlier

Hotfix by request*

Standard patch 6.29(ACCV.2) in Oct. 2023

NWA90AX-PRO

6.50(ACGF.0) and earlier

6.55(ACGF.1)

WAC500

6.50(ABVS.0) and earlier

6.55(ABVS.1)

WAC500H

6.50(ABWA.0) and earlier

6.55(ABWA.1)

WAC5302D-Sv2

6.25(ABVZ.9) and earlier

Hotfix by request*

WAC6103D-I

6.28(AAXH.0) and earlier

Hotfix by request*

WAC6303D-S

6.25(ABGL.9) and earlier

Hotfix by request*

WAC6502D-S

6.28(AASE.0) and earlier

Hotfix by request*

WAC6503D-S

6.28(AASF.0) and earlier

Hotfix by request*

WAC6552D-S

6.28(ABIO.0) and earlier

Hotfix by request*

WAC6553D-E

6.28(AASG.0) and earlier

Hotfix by request*

WAX510D

6.50(ABTF.2) and earlier

6.55(ABTF.1)

WAX610D

6.50(ABTE.2) and earlier

6.55(ABTE.1)

WAX620D-6E

6.50(ACCN.2) and earlier

6.55(ACCN.1)

WAX630S

6.50(ABZD.2) and earlier

6.55(ABZD.1)

WAX640S-6E

6.50(ACCM.2) and earlier

6.55(ACCM.1)

WAX650S

6.50(ABRM.2) and earlier

6.55(ABRM.1)

WAX655E

6.50(ACDO.2) and earlier

6.55(ACDO.1)

*Please reach out to your local Zyxel support team for the file.

If an on-market product is not listed above, it is NOT affected.

Got a question?

Please contact your local service rep or visit Zyxel’s Community for further information or assistance.

Acknowledgement

Thanks to Nikita Abramov from Positive Technologies for reporting the issues to us.

Revision history

2023-4-25: Initial release

2023-4-27: Updated the list of affected APs and the patch schedule for NWA50AX and NWA90AX