Zyxel security advisory for multiple vulnerabilities in firewalls and APs

Zyxel_May
Zyxel_May Posts: 168  Zyxel Employee
First Comment Fourth Anniversary
edited February 22 in Security Advisories

CVEs: CVE-2023-6397, CVE-2023-6398, CVE-2023-6399, and CVE-2023-6764

Summary

Zyxel has released patches addressing multiple vulnerabilities in some firewall and access point (AP) versions. Users are advised to install the patches for optimal protection.

What are the vulnerabilities?

CVE-2023-6397

A null pointer dereference vulnerability in some firewall versions could allow a LAN-based attacker to cause denial-of-service (DoS) conditions by downloading a crafted RAR compressed file onto a LAN-side host if the firewall has the “Anti-Malware” feature enabled.

CVE-2023-6398

A post-authentication command injection vulnerability in the file upload binary in some firewall and AP versions could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands on an affected device via FTP.

CVE-2023-6399

A format string vulnerability in some firewall versions could allow an authenticated IPSec VPN user to cause DoS conditions against the “deviceid” daemon by sending a crafted hostname to an affected device if it has the “Device Insight” feature enabled.

CVE-2023-6764

A format string vulnerability in a function of the IPSec VPN feature in some firewall versions could allow an attacker to achieve unauthorized remote code execution by sending a sequence of specially crafted payloads containing an invalid pointer; however, such an attack would require detailed knowledge of an affected device’s memory layout and configuration.

What versions are vulnerable—and what should you do?

After a thorough investigation, we have identified the vulnerable products that are within their vulnerability support period and released updates to address the vulnerabilities, as shown in the following tables.

Table 1. Firewalls affected by CVE-2023-6397, CVE-2023-6398, CVE-2023-6399, and CVE-2023-6764

Firewall series

Affected version

Patch availability

CVE-2023-6397

CVE-2023-6398

CVE-2023-6399

CVE-2023-6764

ATP

ZLD V4.32 to V5.37 Patch 1

ZLD V4.32 to V5.37 Patch 1

ZLD V5.10 to V5.37 Patch 1

ZLD V4.32 to V5.37 Patch 1

ZLD V5.37 Patch 2

USG FLEX

ZLD V4.50 to V5.37 Patch 1

ZLD V4.50 to V5.37 Patch 1

ZLD V5.10 to V5.37 Patch 1

ZLD V4.50 to V5.37 Patch 1

ZLD V5.37 Patch 2

USG FLEX 50(W)/
USG20(W)-VPN

Not affected

ZLD V4.16 to V5.37 Patch 1

ZLD V5.10 to V5.37 Patch 1

ZLD V4.16 to V5.37 Patch 1

ZLD V5.37 Patch 2

USG FLEX H

Not affected

uOS V1.10 to V1.10 Patch 1

uOS V1.10 to V1.10 Patch 1

Not affected

Hotfix is available*

Standard patch uOS V1.20 in April 2024

Table 2. APs affected by CVE-2023-6398

AP model

Affected version

Patch availability

NWA50AX

6.29(ABYW.3) and earlier

6.29(ABYW.4)

NWA55AXE

6.29(ABZL.3) and earlier

6.29(ABZL.4)

NWA90AX

6.29(ACCV.3) and earlier

6.29(ACCV.4)

NWA110AX

6.65(ABTG.1) and earlier

6.70(ABTG.2)

NWA210AX

6.65(ABTD.1) and earlier

6.70(ABTD.2)

NWA220AX-6E

6.65(ACCO.1) and earlier

6.70(ACCO.1)

NWA1123ACv3

6.65(ABVT.1) and earlier

6.70(ABVT.1)

WAC500

6.65(ABVS.1) and earlier

6.70(ABVS.1)

WAC500H

6.65(ABWA.1) and earlier

6.70(ABWA.1)

WAX300H

6.60(ACHF.1) and earlier

6.70(ACHF.1)

WAX510D

6.65(ABTF.1) and earlier

6.70(ABTF.2)

WAX610D

6.65(ABTE.1) and earlier

6.70(ABTE.2)

WAX620D-6E

6.65(ACCN.1) and earlier

6.70(ACCN.1)

WAX630S

6.65(ABZD.1) and earlier

6.70(ABZD.2)

WAX640S-6E

6.65(ACCM.1) and earlier

6.70(ACCM.1)

WAX650S

6.65(ABRM.1) and earlier

6.70(ABRM.2)

WAX655E

6.65(ACDO.1) and earlier

6.70(ACDO.1)

WBE660S

6.65(ACGG.1) and earlier

6.70(ACGG.2)

NWA50AX-PRO

6.65(ACGE.1) and earlier

Hotfix is available upon request*

Standard patch 6.80(ACGE.0) in July 2024

NWA90AX-PRO

6.65(ACGF.1) and earlier

Hotfix is available upon request*

Standard patch 6.80(ACGF.0) in July 2024

*Please reach out to your local Zyxel support team for the file

Got a question?

Please contact your local service rep or visit Zyxel’s Communityfor further information or assistance.

Acknowledgment

Thanks to Lays and atdog from TRAPA Security for reporting the issues to us.

Revision history

2024-2-20: Initial release

2024-2-21: Updated the affected model list and patch availability