Zyxel security advisory for multiple vulnerabilities of firewalls and APs

Zyxel_May
edited May 2023 in Security Advisories

CVE: CVE-2023-22913, CVE-2023-22914, CVE-2023-22915, CVE-2023-22916, CVE-2023-22917, CVE-2023-22918

Summary

Zyxel is aware of multiple vulnerabilities in its firewalls and access points (AP) as reported by Positive Technologies and advises users to install the applicable firmware updates for optimal protection.

What are the vulnerabilities?

CVE-2023-22913

A post-authentication command injection vulnerability in the “account_operator.cgi” CGI program of some firewall versions could allow a remote authenticated attacker to modify device configuration data, resulting in denial-of-service (DoS) conditions on an affected device. Note that WAN access is disabled by default on the firewall devices.

CVE-2023-22914

A path traversal vulnerability in the “account_print.cgi” CGI program of some firewall versions could allow a remote authenticated attacker with administrator privileges to execute unauthorized OS commands in the “tmp” directory by uploading a crafted file if the hotspot function were enabled. Note that WAN access is disabled by default on the firewall devices.

CVE-2023-22915

A buffer overflow vulnerability in the “fbwifi_forward.cgi” CGI program of some firewall versions could allow a remote unauthenticated attacker to cause DoS conditions by sending a crafted HTTP request if the Facebook WiFi function were enabled on an affected device. Note that WAN access is disabled by default on the firewall devices.

CVE-2023-22916

The configuration parser of some firewall versions fails to properly sanitize user input. A remote unauthenticated attacker could leverage the vulnerability to modify device configuration data, resulting in DoS conditions on an affected device, if the attacker could trick an authorized administrator into switching the management mode to the cloud mode. Note that WAN access is disabled by default on the firewall devices.

CVE-2023-22917

A buffer overflow vulnerability in the “sdwan_iface_ipc” binary of some firewall versions could allow a remote unauthenticated attacker to cause a core dump with a request error message on a vulnerable device by uploading a crafted configuration file. Note that WAN access is disabled by default on the firewall devices.

CVE-2023-22918

A post-authentication information exposure vulnerability in the CGI program of some firewall and AP versions could allow a remote authenticated attacker to retrieve encrypted information of the administrator on an affected device. Note that WAN access is disabled by default on the firewall and AP devices.

What versions are vulnerable—and what should you do?

After a thorough investigation, we have identified the vulnerable products that are within their vulnerability support period and released updates to address the vulnerabilities, as shown in the following tables.

Table 1. Firewalls affected by CVE-2023-22913, CVE-2023-22914, CVE-2023-22915, CVE-2023-22916, CVE-2023-22917, and CVE-2023-22918

| Firewall series | Affected version (CVE-2023-22913) | Affected version (CVE-2023-22914) | Affected version (CVE-2023-22915) | Affected version (CVE-2023-22916) | Affected version (CVE-2023-22917) | Affected version (CVE-2023-22918) | Patch availability |
|---|---|---|---|---|---|---|---|
| ATP | Not affected | Not affected | Not affected | ZLD V5.10~V5.35 | ZLD V5.10~V5.32 | ZLD V4.32~V5.35 | ZLD V5.36 |
| USG FLEX | ZLD V4.50~V5.35 | ZLD V4.50~V5.35 | ZLD V4.50~V5.35 | ZLD V5.00~V5.35 | ZLD V5.00~V5.32 | ZLD V4.50~V5.35 | ZLD V5.36 |
| USG FLEX 50(W) / USG20(W)-VPN | Not affected | Not affected | ZLD V4.30~V5.35 | ZLD V5.10~V5.35 | ZLD V5.10~V5.32 | ZLD V4.16~V5.35 | ZLD V5.36 |
| VPN | ZLD V4.30~V5.35 | ZLD V4.30~V5.35 | ZLD V4.30~V5.35 | ZLD V5.00~V5.35 | ZLD V5.00~V5.35 | ZLD V4.30~V5.35 | ZLD V5.36 |

Table 2. APs affected by CVE-2023-22918

| AP model | Affected version | Patch availability |
|---|---|---|
| NAP203 | 6.28(ABFA.0) and earlier | Hotfix by request* |
| NAP303 | 6.28(ABEX.0) and earlier | Hotfix by request* |
| NAP353 | 6.28(ABEY.0) and earlier | Hotfix by request* |
| NWA110AX | 6.50(ABTG.2) and earlier | 6.55(ABTG.1) |
| NWA1123-AC-PRO | 6.28(ABHD.0) and earlier | Hotfix by request* |
| NWA1123ACv3 | 6.50(ABVT.0) and earlier | 6.55(ABVT.1) |
| NWA210AX | 6.50(ABTD.2) and earlier | 6.55(ABTD.1) |
| NWA220AX-6E | 6.50(ACCO.2) and earlier | 6.55(ACCO.1) |
| NWA50AX | 6.29(ABYW.1) and earlier | Hotfix by request*; Standard patch 6.29(ABYW.2) in Oct. 2023 |
| NWA50AX-PRO | 6.50(ACGE.0) and earlier | 6.55(ACGE.1) |
| NWA5123-AC HD | 6.25(ABIM.9) and earlier | Hotfix by request* |
| NWA55AXE | 6.29(ABZL.1) and earlier | Hotfix by request*; Standard patch 6.29(ABZL.2) in Oct. 2023 |
| NWA90AX | 6.29(ACCV.1) and earlier | Hotfix by request*; Standard patch 6.29(ACCV.2) in Oct. 2023 |
| NWA90AX-PRO | 6.50(ACGF.0) and earlier | 6.55(ACGF.1) |
| WAC500 | 6.50(ABVS.0) and earlier | 6.55(ABVS.1) |
| WAC500H | 6.50(ABWA.0) and earlier | 6.55(ABWA.1) |
| WAC5302D-Sv2 | 6.25(ABVZ.9) and earlier | Hotfix by request* |
| WAC6103D-I | 6.28(AAXH.0) and earlier | Hotfix by request* |
| WAC6303D-S | 6.25(ABGL.9) and earlier | Hotfix by request* |
| WAC6502D-S | 6.28(AASE.0) and earlier | Hotfix by request* |
| WAC6503D-S | 6.28(AASF.0) and earlier | Hotfix by request* |
| WAC6552D-S | 6.28(ABIO.0) and earlier | Hotfix by request* |
| WAC6553D-E | 6.28(AASG.0) and earlier | Hotfix by request* |
| WAX510D | 6.50(ABTF.2) and earlier | 6.55(ABTF.1) |
| WAX610D | 6.50(ABTE.2) and earlier | 6.55(ABTE.1) |
| WAX620D-6E | 6.50(ACCN.2) and earlier | 6.55(ACCN.1) |
| WAX630S | 6.50(ABZD.2) and earlier | 6.55(ABZD.1) |
| WAX640S-6E | 6.50(ACCM.2) and earlier | 6.55(ACCM.1) |
| WAX650S | 6.50(ABRM.2) and earlier | 6.55(ABRM.1) |
| WAX655E | 6.50(ACDO.2) and earlier | 6.55(ACDO.1) |

*Please reach out to your local Zyxel support team for the file.

If an on-market product is not listed above, it is NOT affected.
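
Added example (not part of Zyxel's advisory): a Python check that takes a firewall series and its ZLD version and returns which of the CVEs in Table 1 apply, since the affected ranges differ per CVE and per series. The ranges are transcribed from Table 1; the sample inventory hostnames are constructed, and comparing versions as (major, minor) pairs while ignoring any build suffix in parentheses is an assumption of this example.

```python
import re

# Affected ZLD ranges transcribed from Table 1, in CVES order (None = not affected).
CVES = [f"CVE-2023-{n}" for n in range(22913, 22919)]
TABLE1 = {
    "ATP": [None, None, None, "5.10~5.35", "5.10~5.32", "4.32~5.35"],
    "USG FLEX": ["4.50~5.35", "4.50~5.35", "4.50~5.35",
                 "5.00~5.35", "5.00~5.32", "4.50~5.35"],
    "USG FLEX 50(W) / USG20(W)-VPN": [None, None, "4.30~5.35",
                                      "5.10~5.35", "5.10~5.32", "4.16~5.35"],
    "VPN": ["4.30~5.35", "4.30~5.35", "4.30~5.35",
            "5.00~5.35", "5.00~5.35", "4.30~5.35"],
}
FIXED_IN = "ZLD V5.36"  # patch version listed for every row of Table 1

def parse_zld(text):
    """Parse 'ZLD V5.35', 'V5.35' or '5.35' into a comparable (major, minor) tuple.
    Assumption: a trailing build suffix in parentheses is ignored."""
    m = re.fullmatch(r"\s*(?:ZLD\s*)?V?(\d+)\.(\d+)(?:\(.*\))?\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised ZLD version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def applicable_cves(series, version):
    """Return the Table 1 CVEs whose affected range contains `version`."""
    v = parse_zld(version)
    hits = []
    for cve, rng in zip(CVES, TABLE1[series]):  # KeyError on a series not in Table 1
        if rng is None:
            continue
        low, high = (parse_zld(part) for part in rng.split("~"))
        if low <= v <= high:
            hits.append(cve)
    return hits

def triage(inventory):
    """Map each (hostname, series, version) entry to its CVEs and upgrade target."""
    report = {}
    for host, series, version in inventory:
        hits = applicable_cves(series, version)
        report[host] = {"cves": hits, "upgrade_to": FIXED_IN if hits else None}
    return report

# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE = [("fw-branch-01", "ATP", "V5.33"),
          ("fw-hq-01", "USG FLEX", "V4.60"),
          ("fw-lab-01", "VPN", "V5.36")]

if __name__ == "__main__":
    for host, result in triage(SAMPLE).items():
        print(host, result)
```

In the sample, the ATP at V5.33 is reported for CVE-2023-22916 and CVE-2023-22918 but not CVE-2023-22917, whose listed range for that series ends at V5.32.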

Got a question?

Please contact your local service rep or visit Zyxel’s Community for further information or assistance.

Acknowledgement

Thanks to Nikita Abramov from Positive Technologies for reporting the issues to us.

Revision history

2023-4-25: Initial release

2023-4-27: Updated the list of affected APs and the patch schedule for NWA50AX and NWA90AX