Zyxel security advisory for buffer overflow vulnerabilities in some 5G NR/4G LTE CPE, ...

Zyxel_May
Zyxel_May Posts: 167  Zyxel Employee
First Comment Fourth Anniversary

Zyxel security advisory for buffer overflow vulnerabilities in some 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, WiFi extender, and home router devices

CVEs: CVE-2023-37929, CVE-2024-0816

Summary

Zyxel has released patches forsome 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, WiFi extender, and home router devices affected by buffer overflow vulnerabilities. Users are advised to install them for optimal protection.

What are the vulnerabilities?

CVE-2023-37929

This buffer overflow vulnerability in the CGI program of some DSL/Ethernet CPE, WiFi extender, and home router devices could allow an authenticated remote attacker to cause denial of service (DoS) conditions by sending a crafted HTTP request to a vulnerable device.

CVE-2024-0816

This buffer overflow vulnerability in some 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, WiFi extender, and home router devices could allow an authenticated local attacker to cause DoS conditions by executing the CLI command with crafted strings on an affected device.

What versions are vulnerable—and what should you do?

After a thorough investigation, we’ve identified the vulnerable products that are within their vulnerability support period and released patches to address the vulnerabilities, as shown in the tables below.

Table 1. Models affected by CVE-2023-37929

Product

Affected model

Affected version

Patch availability*

DSL/Ethernet CPE

DX3300-T1

V5.50(ABVY.4)C0

V5.50(ABVY.4.2)C0

DX3301-T0

V5.50(ABVY.4)C0

V5.50(ABVY.4.2)C0

DX4510

V5.17(ABYL.5)C0

V5.17(ABYL.6)C0

DX5401-B0

V5.17(ABYO.5)C0

V5.17(ABYO.5.1)C0

DX5401-B1

V5.17(ABYO.5)C0

V5.17(ABYO.5.1)C0

EMG3525-T50B

V5.50(ABPM.8)C0

V5.50(ABPM.8.1)C0

EMG5523-T50B

V5.50(ABPM.8)C0

V5.50(ABPM.8.1)C0

EMG5723-T50K

V5.50(ABOM.8.2)C0

V5.50(ABOM.8.3)C0

EX3300-T1

V5.50(ABVY.4)C0

V5.50(ABVY.4.2)C0

EX3301-T0

V5.50(ABVY.4)C0

V5.50(ABVY.4.2)C0

EX3500-T0

V5.44(ACHR.0)C0

V5.44(ACHR.1)C0

EX3501-T0

V5.44(ACHR.0)C0

V5.44(ACHR.1)C0

EX3510

V5.17(ABUP.9)C0

V5.17(ABUP.11)C0

EX5401-B0

V5.17(ABYO.5)C0

V5.17(ABYO.5.1)C0

EX5401-B1

V5.17(ABYO.5)C0

V5.17(ABYO.5.1)C0

EX5501-B0

V5.17(ABRY.4)C0

V5.17(ABRY.5)C0

EX5510

V5.17(ABQX.8)C0

V5.17(ABQX.9)C0

EX5512-T0

V5.70(ACEG.2)C0

V5.70(ACEG.3)C0

EX5600-T1

V5.70(ACDZ.2)C0

V5.70(ACDZ.2.4)C0

EX5601-T0

V5.70(ACDZ.2)C0

V5.70(ACDZ.2.4)C0

EX5601-T1

V5.70(ACDZ.2)C0

V5.70(ACDZ.2.4)C0

EX7710-B0

V5.18(ACAK.0)C0

V5.18(ACAK.1)C0

VMG3625-T50B

V5.50(ABPM.8)C0

V5.50(ABPM.8.1)C0

VMG3927-T50K

V5.50(ABOM.8.2)C0

V5.50(ABOM.8.3)C0

VMG8623-T50B

V5.50(ABPM.8)C0

V5.50(ABPM.8.1)C0

VMG8825-T50K

V5.50(ABOM.8.2)C0

V5.50(ABOM.8.3)C0

Fiber ONT

AX7501-B0

V5.17(ABPC.4)C0

V5.17(ABPC.4.1)C0

AX7501-B1

V5.17(ABPC.4)C0

V5.17(ABPC.4.1)C0

WiFi extender

WX3100-T0

V5.50(ABVL.3)C0

V5.50(ABVL.4)C0

WX5600-T0

V5.70(ACEB.2)C0

V5.70(ACEB.2.2)C0

WX5610-B0

V5.18(ACGJ.0)C0

V5.18(ACGJ.0)C1

Home router

NBG7510

V1.00(ABZY.5)C0

V1.00(ABZY.6)C0

*Please reach out to your local Zyxel support team for the file.

Table 2. Models affected by CVE-2024-0816

Product

Affected model

Affected version

Patch availability*

5G NR/4G LTE CPE

LTE3202-M437

V1.00(ABWF.3)C0

Hotfix is available

Standard patch V1.00(ABWF.4)C0 in August 2024

LTE3301-Plus

V1.00(ABQU.5)C0

Hotfix is available

Standard patch V1.00(ABQU.6)C0 in August 2024

LTE5388-M804

V1.00(ABSQ.4)C0

Hotfix is available

Standard patch V1.00(ABSQ.5)C0 in August 2024

LTE5398-M904

V1.00(ABQV.4)C0

Hotfix is available

Standard patch V1.00(ABQV.5)C0 in August 2024

LTE7240-M403

V2.00(ABMG.7)C0

Hotfix is available

Standard patch V2.00(ABMG.8)C0 in August 2024

LTE7480-M804

V1.00(ABRA.8)C0

Hotfix is available

Standard patch V1.00(ABRA.9)C0 in August 2024

LTE7490-M904

V1.00(ABQY.7)C0

Hotfix is available

Standard patch V1.00(ABQY.8)C0 in August 2024

NR5103

V4.19(ABYC.5)C0

Hotfix is available

Standard patch V4.19(ABYC.6)C0 in August 2024

NR5103E

V1.00(ACDJ.1)b3

Hotfix is available

Standard patch V1.00(ACDJ.2)C0 in August 2024

NR5103EV2

V1.00(ACIQ.0)C0

Hotfix is available

Standard patch V1.00(ACIQ.1)C0 in August 2024

NR5307

V1.00(ACJT.0)b4

Hotfix is available

Standard patch V1.00(ACJT.0)C0 in August 2024

NR7101

V1.00(ABUV.9)C0

Hotfix is available

Standard patch V1.00(ABUV.10)C0 in August 2024

NR7102

V1.00(ABYD.2)C0

Hotfix is available

Standard patch V1.00(ABYD.3)C0 in August 2024

NR7103

V1.00(ACCZ.2)C0

Hotfix is available

Standard patch V1.00(ACCZ.3)C0 in August 2024

NR7302

V1.00(ACHA.2)C0

Hotfix is available

Standard patch V1.00(ACHA.3)C0 in August 2024

NR7303

V1.00(ACEI.0)C0

Hotfix is available

Standard patch V1.00(ACEI.1)C0 in August 2024

NR7501

V1.00(ACEH.0)C0

Hotfix is available

Standard patch V1.00(ACEH.1)C0 in August 2024

Nebula FWA505

V1.18(ACKO.1)C0

Hotfix is available

Standard patch V1.18(ACKO.2)C0 in July 2024

Nebula FWA510

V1.18(ACGD.1)C0

Hotfix is available

Standard patch V1.18(ACGD.2)C0 in July 2024

Nebula FWA710

V1.17(ACGC.0)C0

Hotfix is available

Standard patch V1.18(ACGC.2) in July 2024

Nebula LTE3301-PLUS

V1.17(ACCA.0)C0

Hotfix is available

Standard patch V1.18(ACCA.2)C0 in July 2024

Nebula LTE7461-M602

V1.15(ACEV.3)C0

Hotfix is available

Nebula NR5101

V1.16(ACCG.0)C0

Hotfix is available

Nebula NR7101

V1.16(ACCC.0)C0

Hotfix is available

DSL/Ethernet CPE

DX3300-T1

V5.50(ABVY.4)C0

V5.50(ABVY.4.2)C0

DX3301-T0

V5.50(ABVY.4)C0

V5.50(ABVY.4.2)C0

DX4510

V5.17(ABYL.6)C0

V5.17(ABYL.7)C0

DX5401-B0

V5.17(ABYO.5)C0

V5.17(ABYO.5.1)C0

DX5401-B1

V5.17(ABYO.5)C0

V5.17(ABYO.5.1)C0

EMG3525-T50B

V5.50(ABPM.8)C0

V5.50(ABPM.8.3)C0

EMG5523-T50B

V5.50(ABPM.8)C0

V5.50(ABPM.8.3)C0

EMG5723-T50K

V5.50(ABOM.8.2)C0

V5.50(ABOM.8.3)C0

EX3300-T1

V5.50(ABVY.4)C0

V5.50(ABVY.4.2)C0

EX3301-T0

V5.50(ABVY.4)C0

V5.50(ABVY.4.2)C0

EX3320-T0

V5.71(YAK.2)D0

V5.71(YAK.3)D0

EX3320-T1

V5.71(YAP.0)C0

V5.71(YAP.1)C0

EX3500-T0

V5.44(ACHR.0)C0

V5.44(ACHR.1)C0

EX3501-T0

V5.44(ACHR.0)C0

V5.44(ACHR.1)C0

EX3510

V5.17(ABUP.11)C0

V5.17(ABUP.12)C0

EX5401-B0

V5.17(ABYO.5)C0

V5.17(ABYO.5.1)C0

EX5401-B1

V5.17(ABYO.5)C0

V5.17(ABYO.5.1)C0

EX5501-B0

V5.17(ABRY.4)C0

V5.17(ABRY.5)C0

EX5510

V5.17(ABQX.9)C0

V5.17(ABQX.10)C0

EX5512-T0

V5.70(ACEG.2)C0

V5.70(ACEG.3)C0

EX5600-T1

V5.70(ACDZ.2)C0

V5.70(ACDZ.2.4)C0

EX5601-T0

V5.70(ACDZ.2)C0

V5.70(ACDZ.2.4)C0

EX5601-T1

V5.70(ACDZ.2)C0

V5.70(ACDZ.2.4)C0

EX7710-B0

V5.18(ACAK.0)C0

V5.18(ACAK.1)C0

VMG3625-T50B

V5.50(ABPM.8)C0

V5.50(ABPM.8.3)C0

VMG3927-T50K

V5.50(ABOM.8.2)C0

V5.50(ABOM.8.3)C0

VMG4005-B50A

V5.17(ABQA.2)C0

V5.17(ABQA.2.1)C0

VMG4005-B60A

V5.17(ABQA.2)C0

V5.17(ABQA.2.1)C0

VMG8623-T50B

V5.50(ABPM.8)C0

V5.50(ABPM.8.3)C0

VMG8825-T50K

V5.50(ABOM.8.2)C0

V5.50(ABOM.8.3)C0

Fiber ONT

AX7501-B0

V5.17(ABPC.4)C0

V5.17(ABPC.4.1)C0

AX7501-B1

V5.17(ABPC.4)C0

V5.17(ABPC.4.1)C0

PM3100-T0

V5.42(ACBF.1.2)C0

V5.42(ACBF.2)C0

PM5100-T0

V5.42(ACBF.1.2)C0

V5.42(ACBF.2)C0

PM7300-T0

V5.42(ABYY.1)C0

V5.42(ABYY.2.1)C0

PX3321-T1

V5.44(ACJB.0)C0

V5.44(ACJB.1)C0

WiFi extender

WX3100-T0

V5.50(ABVL.3)C0

V5.50(ABVL.4.1)C0

WX3401-B0

V5.17(ABVE.2)C0

V5.17(ABVE.2.4)C0

WX5600-T0

V5.70(ACDZ.2)C0

V5.70(ACEB.2.2)C0

WX5610-B0

V5.18(ACGJ.0)C0

V5.18(ACGJ.0)C1

Home router

NBG7510

V1.00(ABZY.6)C0

V1.00(ABZY.7)C0

*Please reach out to your local Zyxel support team for the file.

Please note that the tables do NOT include customized models for internet service providers (ISPs).

For ISPs, please contact your Zyxel sales or service representatives for further details.

For end-users who received your Zyxel device from an ISP, we recommend you reach out to the ISP’s support team directly, as the device may have custom-built settings.

For end-users who purchased your Zyxel device yourself, please contact your local Zyxel support team for the new firmware file to ensure optimal protection, or visit Zyxel’s Community for further assistance.

Got a question?

Please contact your local service rep or visit Zyxel’s Community for further information or assistance.

Acknowledgment

Thanks to the following security researchers:

  • Xingyu Xu from the Institute of Software, Chinese Academy of Sciences (ISCAS) for CVE-2023-37929
  • Marko Silokunnas from Telia Company for CVE-2024-0816

Revision history

2024-5-21: Initial release.