Zyxel security advisory for multiple vulnerabilities in firewalls and APs

Zyxel_May
Zyxel_May Posts: 167  Zyxel Employee
First Comment Fourth Anniversary

Summary

Zyxel has released patches addressing multiple vulnerabilities in some firewall and access point (AP) versions. Users are advised to install the patches for optimal protection.

What are the vulnerabilities?

CVE-2023-35136

An improper input validation vulnerability in the “Quagga” package of some firewall versions could allow an authenticated local attacker to access configuration files on an affected device.

CVE-2023-35139

A cross-site scripting (XSS) vulnerability in the CGI program of some firewall versions could allow an unauthenticated LAN-based attacker to store malicious scripts in a vulnerable device. A successful XSS attack could then result in the stored malicious scripts being executed to steal cookies when the user visits the specific CGI used for dumping ZTP logs.

CVE-2023-37925

An improper privilege management vulnerability in the debug CLI command of some firewall and AP versions could allow an authenticated local attacker to access system files on an affected device.

CVE-2023-37926

A buffer overflow vulnerability in some firewall versions could allow an authenticated local attacker to cause denial-of-service (DoS) conditions by executing the CLI command to dump system logs on an affected device.

CVE-2023-4397

A buffer overflow vulnerability in some firewall versions could allow an authenticated local attacker with administrator privileges to cause DoS conditions by executing the CLI command with crafted strings on an affected device.

CVE-2023-4398

An integer overflow vulnerability in the source code of the QuickSec IPSec toolkit used in the VPN feature of some firewall versions could allow a remote unauthenticated attacker to cause DoS conditions on an affected device by sending a crafted IKE packet.

CVE-2023-5650

An improper privilege management vulnerability in the ZySH of some firewall versions could allow an authenticated local attacker to modify the URL of the registration page in the web GUI of an affected device.

CVE-2023-5797

An improper privilege management vulnerability in the debug CLI command of some firewall and AP versions could allow an authenticated local attacker to access the administrator’s logs on an affected device.

CVE-2023-5960

An improper privilege management vulnerability in the hotspot feature of some firewall versions could allow an authenticated local attacker to access the system files on an affected device.

What versions are vulnerable—and what should you do?

After a thorough investigation, we have identified the vulnerable products that are within their vulnerability support period and released updates to address the vulnerabilities, as shown in the following tables.

Table 1. Firewalls affected by CVE-2023-35136, CVE-2023-35139, CVE-2023-37925, CVE-2023-37926, CVE-2023-4397, CVE-2023-4398, CVE-2023-5650, CVE-2023-5797, and CVE-2023-5960

Affected version

Firewall

series

CVE-2023-35136

CVE-2023-35139

CVE-2023-37925

CVE-2023-37926

CVE-2023-4397

CVE-2023-4398

CVE-2023-5650

CVE-2023-5797

CVE-2023-5960

Patch

availability

ATP

ZLD V4.32 to V5.37

ZLD V5.10 to V5.37

ZLD V4.32 to V5.37

ZLD V4.32 to V5.37

ZLD V5.37

ZLD V4.32 to V5.37

ZLD V4.32 to V5.37

ZLD V4.32 to V5.37

Not affected

ZLD V5.37 Patch 1

USG FLEX

ZLD V4.50 to V5.37

ZLD V5.00 to V5.37

ZLD V4.50 to V5.37

ZLD V4.50 to V5.37

ZLD V5.37

ZLD V4.50 to V5.37

ZLD V4.50 to V5.37

ZLD V4.50 to V5.37

ZLD V4.50 to V5.37

ZLD V5.37 Patch 1

USG FLEX 50(W) /

USG20(W)-VPN

ZLD V4.16 to V5.37

ZLD V5.10 to V5.37

ZLD V4.16 to V5.37

ZLD V4.16 to V5.37

ZLD V5.37

ZLD V4.16 to V5.37

ZLD V4.16 to V5.37

ZLD V4.16 to V5.37

Not affected

ZLD V5.37 Patch 1

VPN

ZLD V4.30 to V5.37

ZLD V5.00 to V5.37

ZLD V4.30 to V5.37

ZLD V4.30 to V5.37

Not affected

ZLD V4.30 to V5.37

ZLD V4.30 to V5.37

ZLD V4.30 to V5.37

ZLD V4.30 to V5.37

ZLD V5.37 Patch 1

Table 2. APs affected by CVE-2023-37925 and CVE-2023-5797

AP model

Affected version

Patch availability

NWA50AX

6.29(ABYW.2) and earlier

Hotfix by request*

Standard patch 6.80(ABYW.0) in July 2024

NWA50AX-PRO

6.65(ACGE.1)and earlier

Hotfix by request*

Standard patch 6.80(ACGE.0) in July 2024

NWA55AXE

6.29(ABZL.2) and earlier

Hotfix by request*

Standard patch 6.80(ABZL.0) in July 2024

NWA90AX

6.29(ACCV.2) and earlier

Hotfix by request*

Standard patch 6.80(ACCV.0) in July 2024

NWA90AX-PRO

6.65(ACGF.1) and earlier

Hotfix by request*

Standard patch 6.80(ACGF.0) in July 2024

NWA110AX

6.65(ABTG.1) and earlier

Hotfix by request*

Standard patch 6.70(ABTG.0) in January 2024

NWA210AX

6.65(ABTD.1) and earlier

Hotfix by request*

Standard patch 6.70(ABTD.0) in January 2024

NWA220AX-6E

6.65(ACCO.1) and earlier

Hotfix by request*

Standard patch 6.70(ACCO.0) in January 2024

NWA1123ACv3

6.65(ABVT.1) and earlier

Hotfix by request*

Standard patch 6.70(ABVT.0) in January 2024

WAC500

6.65(ABVS.1) and earlier

Hotfix by request*

Standard patch 6.70(ABVS.0) in January 2024

WAC500H

6.65(ABWA.1) and earlier

Hotfix by request*

Standard patch 6.70(ABWA.0) in January 2024

WAX300H

6.60(ACHF.1) and earlier

Hotfix by request*

Standard patch 6.70(ACHF.0) in January 2024

WAX510D

6.65(ABTF.1) and earlier

Hotfix by request*

Standard patch 6.70(ABTF.0) in January 2024

WAX610D

6.65(ABTE.1) and earlier

Hotfix by request*

Standard patch 6.70(ABTE.0) in January 2024

WAX620D-6E

6.65(ACCN.1) and earlier

Hotfix by request*

Standard patch 6.70(ACCN.0) in January 2024

WAX630S

6.65(ABZD.1) and earlier

Hotfix by request*

Standard patch 6.70(ABZD.0) in January 2024

WAX640S-6E

6.65(ACCM.1) and earlier

Hotfix by request*

Standard patch 6.70(ACCM.0) in January 2024

WAX650S

6.65(ABRM.1) and earlier

Hotfix by request*

Standard patch 6.70(ABRM.0) in January 2024

WAX655E

6.65(ACDO.1) and earlier

Hotfix by request*

Standard patch 6.70(ACDO.0) in January 2024

WBE660S

6.65(ACGG.1) and earlier

Hotfix by request*

Standard patch 6.70(ACGG.0) in January 2024

*Please reach out to your local Zyxel support team for the file.

Got a question?

Please contact your local service rep or visit Zyxel’s Community for further information or assistance.

Acknowledgment

Thanks to the following security researchers and consultancies:

  • Lê Hữu Quang Linh from STAR Labs SG for CVE-2023-35136
  • Christopher Leech for CVE-2023-35139
  • Alessandro Sgreccia from HackerHood for CVE-2023-37925, CVE-2023-37926, CVE-2023-4397, CVE-2023-5650, CVE-2023-5797, and CVE-2023-5960
  • Lays and atdog from TRAPA Security for CVE-2023-4398

Revision history

2023-11-28: Initial release