Zyxel security advisory for multiple vulnerabilities in firewalls and WLAN controllers

Zyxel_May
edited July 2023 in Security Advisories

CVEs: CVE-2023-28767, CVE-2023-33011, CVE-2023-33012, CVE-2023-34138, CVE-2023-34139, CVE-2023-34140, CVE-2023-34141

Summary

Zyxel has released patches addressing multiple vulnerabilities in some firewall and WLAN controller versions. Users are advised to install the patches for optimal protection.

What are the vulnerabilities?

CVE-2023-28767

The configuration parser fails to sanitize user-controlled input in some firewall versions. An unauthenticated, LAN-based attacker could leverage the vulnerability to inject some operating system (OS) commands into the device configuration data on an affected device when the cloud management mode is enabled.

CVE-2023-33011

A format string vulnerability in some firewall versions could allow an unauthenticated, LAN-based attacker to execute some OS commands by using a crafted PPPoE configuration on an affected device when the cloud management mode is enabled.

CVE-2023-33012

A command injection vulnerability in the configuration parser of some firewall versions could allow an unauthenticated, LAN-based attacker to execute some OS commands by using a crafted GRE configuration when the cloud management mode is enabled.

CVE-2023-34138

A command injection vulnerability in the hotspot management feature of some firewall versions could allow an unauthenticated, LAN-based attacker to execute some OS commands on an affected device if the attacker could trick an authorized administrator to add their IP address to the list of trusted RADIUS clients in advance.

CVE-2023-34139

A command injection vulnerability in the Free Time WiFi hotspot feature of some firewall versions could allow an unauthenticated, LAN-based attacker to execute some OS commands on an affected device.

CVE-2023-34140

A buffer overflow vulnerability in some firewall and WLAN controller versions could allow an unauthenticated, LAN-based attacker to cause denial of service (DoS) conditions by sending a crafted request to the CAPWAP daemon.

CVE-2023-34141

A command injection vulnerability in the access point (AP) management feature of some firewall and WLAN controller versions could allow an unauthenticated, LAN-based attacker to execute some OS commands on an affected device if the attacker could trick an authorized administrator to add their IP address to the managed AP list in advance.

What versions are vulnerable—and what should you do?

After a thorough investigation, we have identified the vulnerable products that are within their vulnerability support period and released updates to address the vulnerabilities, as shown in the following tables.

Table 1. Firewalls affected by CVE-2023-28767, CVE-2023-33011, CVE-2023-33012, CVE-2023-34138, CVE-2023-34139, CVE-2023-34140, and CVE-2023-34141 (each CVE column gives the affected version range for that series)

| Firewall series | CVE-2023-28767 | CVE-2023-33011 | CVE-2023-33012 | CVE-2023-34138 | CVE-2023-34139 | CVE-2023-34140 | CVE-2023-34141 | Patch availability |
|---|---|---|---|---|---|---|---|---|
| ATP | ZLD V5.10 to V5.36 | ZLD V5.10 to V5.36 Patch 2 | ZLD V5.10 to V5.36 Patch 2 | ZLD V4.60 to V5.36 Patch 2 | Not affected | ZLD V4.32 to V5.36 Patch 2 | ZLD V5.00 to V5.36 Patch 2 | ZLD V5.37 |
| USG FLEX | ZLD V5.00 to V5.36 | ZLD V5.00 to V5.36 Patch 2 | ZLD V5.00 to V5.36 Patch 2 | ZLD V4.60 to V5.36 Patch 2 | ZLD V4.50 to V5.36 Patch 2 | ZLD V4.50 to V5.36 Patch 2 | ZLD V5.00 to V5.36 Patch 2 | ZLD V5.37 |
| USG FLEX 50(W) / USG20(W)-VPN | ZLD V5.10 to V5.36 | ZLD V5.10 to V5.36 Patch 2 | ZLD V5.10 to V5.36 Patch 2 | ZLD V4.60 to V5.36 Patch 2 | Not affected | ZLD V4.16 to V5.36 Patch 2 | ZLD V5.00 to V5.36 Patch 2 | ZLD V5.37 |
| VPN | ZLD V5.00 to V5.36 | ZLD V5.00 to V5.36 Patch 2 | ZLD V5.00 to V5.36 Patch 2 | ZLD V4.60 to V5.36 Patch 2 | ZLD V4.20 to V5.36 Patch 2 | ZLD V4.30 to V5.36 Patch 2 | ZLD V5.00 to V5.36 Patch 2 | ZLD V5.37 |

Table 2. WLAN controllers affected by CVE-2023-34140 and CVE-2023-34141

| WLAN controller model | Affected version | Patch availability |
|---|---|---|
| NXC2500 | V6.10(AAIG.0) to V6.10(AAIG.3) | Hotfix by request* |
| NXC5500 | V6.10(AAOS.0) to V6.10(AAOS.4) | Hotfix by request* |

*Please reach out to your local Zyxel support team for the file.
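The practical question a defender has after reading Table 1 is "which of my firewalls are still in an affected range, and for which CVEs?" The following script is an added example, not Zyxel's code or tooling: it transcribes the Table 1 ranges into a lookup, parses ZLD version strings such as "ZLD V5.36 Patch 2" into comparable tuples, and reports the CVEs whose range contains a given firmware build. It assumes a "Patch N" build sorts after the base release it patches (so "V5.36" is treated as older than "V5.36 Patch 2", and the literal "V5.10 to V5.36" bound for CVE-2023-28767 therefore excludes patch builds of V5.36); the inventory at the bottom is constructed. Table 2 devices use a different version format and are not covered.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example, not Zyxel's code. Ranges are transcribed from Table 1 of this
# advisory as (lowest affected, highest affected); None stands for "Not affected".
# Every firewall series in Table 1 lists ZLD V5.37 as the fixed release.
FIXED_RELEASE = "ZLD V5.37"

AFFECTED: Dict[str, Dict[str, Optional[Tuple[str, str]]]] = {
    "ATP": {
        "CVE-2023-28767": ("ZLD V5.10", "ZLD V5.36"),
        "CVE-2023-33011": ("ZLD V5.10", "ZLD V5.36 Patch 2"),
        "CVE-2023-33012": ("ZLD V5.10", "ZLD V5.36 Patch 2"),
        "CVE-2023-34138": ("ZLD V4.60", "ZLD V5.36 Patch 2"),
        "CVE-2023-34139": None,
        "CVE-2023-34140": ("ZLD V4.32", "ZLD V5.36 Patch 2"),
        "CVE-2023-34141": ("ZLD V5.00", "ZLD V5.36 Patch 2"),
    },
    "USG FLEX": {
        "CVE-2023-28767": ("ZLD V5.00", "ZLD V5.36"),
        "CVE-2023-33011": ("ZLD V5.00", "ZLD V5.36 Patch 2"),
        "CVE-2023-33012": ("ZLD V5.00", "ZLD V5.36 Patch 2"),
        "CVE-2023-34138": ("ZLD V4.60", "ZLD V5.36 Patch 2"),
        "CVE-2023-34139": ("ZLD V4.50", "ZLD V5.36 Patch 2"),
        "CVE-2023-34140": ("ZLD V4.50", "ZLD V5.36 Patch 2"),
        "CVE-2023-34141": ("ZLD V5.00", "ZLD V5.36 Patch 2"),
    },
    "USG FLEX 50(W) / USG20(W)-VPN": {
        "CVE-2023-28767": ("ZLD V5.10", "ZLD V5.36"),
        "CVE-2023-33011": ("ZLD V5.10", "ZLD V5.36 Patch 2"),
        "CVE-2023-33012": ("ZLD V5.10", "ZLD V5.36 Patch 2"),
        "CVE-2023-34138": ("ZLD V4.60", "ZLD V5.36 Patch 2"),
        "CVE-2023-34139": None,
        "CVE-2023-34140": ("ZLD V4.16", "ZLD V5.36 Patch 2"),
        "CVE-2023-34141": ("ZLD V5.00", "ZLD V5.36 Patch 2"),
    },
    "VPN": {
        "CVE-2023-28767": ("ZLD V5.00", "ZLD V5.36"),
        "CVE-2023-33011": ("ZLD V5.00", "ZLD V5.36 Patch 2"),
        "CVE-2023-33012": ("ZLD V5.00", "ZLD V5.36 Patch 2"),
        "CVE-2023-34138": ("ZLD V4.60", "ZLD V5.36 Patch 2"),
        "CVE-2023-34139": ("ZLD V4.20", "ZLD V5.36 Patch 2"),
        "CVE-2023-34140": ("ZLD V4.30", "ZLD V5.36 Patch 2"),
        "CVE-2023-34141": ("ZLD V5.00", "ZLD V5.36 Patch 2"),
    },
}

# Accepts "ZLD V5.36 Patch 2", "V5.36" or "5.36 patch 1": the "ZLD" prefix, the "V"
# and the "Patch N" suffix are all optional. Assumption: a "Patch N" build sorts
# after its base release, so "V5.36" is (5, 36, 0) and "V5.36 Patch 2" is (5, 36, 2).
_ZLD_RE = re.compile(r"^(?:ZLD\s+)?V?(\d+)\.(\d+)(?:\s+Patch\s+(\d+))?$", re.IGNORECASE)


def parse_zld(version: str) -> Tuple[int, int, int]:
    """Turn a ZLD version string into a comparable (major, minor, patch) tuple."""
    m = _ZLD_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def affected_cves(series: str, version: str) -> List[str]:
    """CVEs from Table 1 whose affected range for `series` contains `version`."""
    v = parse_zld(version)
    hits: List[str] = []
    for cve, rng in AFFECTED[series].items():
        if rng is None:  # "Not affected" cell in the table
            continue
        low, high = (parse_zld(bound) for bound in rng)
        if low <= v <= high:
            hits.append(cve)
    return hits


def is_fixed(version: str) -> bool:
    """True once the device runs the patched release (ZLD V5.37) or later."""
    return parse_zld(version) >= parse_zld(FIXED_RELEASE)


if __name__ == "__main__":
    # Constructed inventory: (hostname, series, running firmware), as an operator might export it.
    inventory = [
        ("fw-branch-01", "ATP", "ZLD V5.36 Patch 2"),
        ("fw-hq-01", "USG FLEX", "ZLD V5.37"),
        ("fw-lab-01", "VPN", "ZLD V4.25"),
    ]
    for host, series, firmware in inventory:
        cves = affected_cves(series, firmware)
        if is_fixed(firmware):
            status = "patched"
        elif cves:
            status = f"update to {FIXED_RELEASE}"
        else:
            status = "outside listed ranges"
        print(f"{host:14} {series:30} {firmware:20} {status}: {', '.join(cves) or '-'}")
```

Run it against a real inventory export by replacing the constructed list; a device that reports "outside listed ranges" while running a pre-V5.37 build is one the table does not cover, not one that is known safe, so treat it as a prompt to check the vulnerability support status rather than as a clean result.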

Got a question?

Please contact your local service rep or visit Zyxel’s Community for further information or assistance.

Acknowledgment

Thanks to the following security consultancies:

  • atdog from TRAPA Security for CVE-2023-28767
  • atdog and Lays from TRAPA Security for CVE-2023-33011 and CVE-2023-33012
  • Lê Hữu Quang Linh from STAR Labs SG for CVE-2023-34138, CVE-2023-34139, and CVE-2023-34141
  • Lê Hữu Quang Linh and Nguyễn Hoàng Thạch from STAR Labs SG for CVE-2023-34140

Revision history

2023-7-18: Initial release