Zyxel security advisory for multiple vulnerabilities in firewalls

Zyxel_May (Zyxel Employee), edited September 3 in Security Advisories

CVEs: CVE-2024-6343, CVE-2024-7203, CVE-2024-42057, CVE-2024-42058, CVE-2024-42059, CVE-2024-42060, CVE-2024-42061

Summary

Zyxel has released patches addressing multiple vulnerabilities in some firewall versions. Users are advised to install the patches for optimal protection.

What are the vulnerabilities?

CVE-2024-6343

A buffer overflow vulnerability in the CGI program of some firewall versions could allow an authenticated attacker with administrator privileges to cause denial of service (DoS) conditions by sending a crafted HTTP request to a vulnerable device.

CVE-2024-7203

A post-authentication command injection vulnerability in some firewall versions could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands on an affected device by executing a crafted CLI command.

CVE-2024-42057

A command injection vulnerability in the IPSec VPN feature of some firewall versions could allow an unauthenticated attacker to execute some OS commands on an affected device by sending a crafted username to the vulnerable device. Note that this attack could be successful only if the device was configured in User-Based-PSK authentication mode and a valid user with a long username exceeding 28 characters exists.

CVE-2024-42058

A null pointer dereference vulnerability in some firewall versions could allow an unauthenticated attacker to cause DoS conditions by sending crafted packets to a vulnerable device.

CVE-2024-42059

A post-authentication command injection vulnerability in some firewall versions could allow an authenticated attacker with administrator privileges to execute some OS commands on an affected device by uploading a crafted compressed language file via FTP.

CVE-2024-42060

A post-authentication command injection vulnerability in some firewall versions could allow an authenticated attacker with administrator privileges to execute some OS commands on an affected device by uploading a crafted internal user agreement file to the vulnerable device.

CVE-2024-42061

A reflected cross-site scripting (XSS) vulnerability in the CGI program “dynamic_script.cgi” of some firewall versions could allow an attacker to trick a user into visiting a crafted URL with the XSS payload. The attacker could obtain browser-based information if the malicious script is executed on the victim’s browser.

What versions are vulnerable—and what should you do?

After a thorough investigation, we have identified the vulnerable products that are within their vulnerability support period and released updates to address the vulnerabilities, as shown in the table below.

Affected version (per CVE) and patch availability:

| Firewall series | CVE-2024-6343 | CVE-2024-7203 | CVE-2024-42057 | CVE-2024-42058 | CVE-2024-42059 | CVE-2024-42060 | CVE-2024-42061 | Patch availability |
|---|---|---|---|---|---|---|---|---|
| ATP | ZLD V4.32 to V5.38 | ZLD V4.60 to V5.38 | ZLD V4.32 to V5.38 | ZLD V4.32 to V5.38 | ZLD V5.00 to V5.38 | ZLD V4.32 to V5.38 | ZLD V4.32 to V5.38 | ZLD V5.39 |
| USG FLEX | ZLD V4.50 to V5.38 | ZLD V4.60 to V5.38 | ZLD V4.50 to V5.38 | ZLD V4.50 to V5.38 | ZLD V5.00 to V5.38 | ZLD V4.50 to V5.38 | ZLD V4.50 to V5.38 | ZLD V5.39 |
| USG FLEX 50(W)/USG20(W)-VPN | ZLD V4.16 to V5.38 | Not affected | ZLD V4.16 to V5.38 | ZLD V4.20 to V5.38 | ZLD V5.00 to V5.38 | ZLD V4.16 to V5.38 | ZLD V4.16 to V5.38 | ZLD V5.39 |
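As an added example (not Zyxel's code), the affected-version table above transcribed into a small Python checker that, for each firewall in an inventory, reports which of these CVEs apply and whether the ZLD V5.39 patch is needed; the hostnames and versions in the sample inventory are constructed, and the version-string parser assumes Zyxel's "ZLD Vmajor.minor [Patch n]" naming.

```python
import re

# Column order matches the advisory table; each entry is the "first-last" vulnerable
# ZLD range for that series (transcribed from the table above), None = not affected.
CVES = ["CVE-2024-6343", "CVE-2024-7203", "CVE-2024-42057", "CVE-2024-42058",
        "CVE-2024-42059", "CVE-2024-42060", "CVE-2024-42061"]
ROWS = {
    "ATP": ["4.32-5.38", "4.60-5.38", "4.32-5.38", "4.32-5.38",
            "5.00-5.38", "4.32-5.38", "4.32-5.38"],
    "USG FLEX": ["4.50-5.38", "4.60-5.38", "4.50-5.38", "4.50-5.38",
                 "5.00-5.38", "4.50-5.38", "4.50-5.38"],
    "USG FLEX 50(W)/USG20(W)-VPN": ["4.16-5.38", None, "4.16-5.38", "4.20-5.38",
                                    "5.00-5.38", "4.16-5.38", "4.16-5.38"],
}
PATCHED = "5.39"  # "Patch availability" column: the same fixed release for every series

def parse_zld(version: str) -> tuple[int, int]:
    """'ZLD V5.38', 'V5.38 Patch 2' or '5.38' -> (5, 38); patch-level suffixes are ignored."""
    m = re.match(r"\s*(?:ZLD\s*)?V?(\d+)\.(\d+)", version, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {version!r}")
    return int(m.group(1)), int(m.group(2))

def affected_cves(series: str, version: str) -> list[str]:
    """CVEs from this advisory whose vulnerable range covers the given series/version."""
    v = parse_zld(version)  # ROWS[series] raises KeyError for a series not in the advisory
    hits = []
    for cve, rng in zip(CVES, ROWS[series]):
        if rng is not None:
            lo, hi = (parse_zld(p) for p in rng.split("-"))
            if lo <= v <= hi:
                hits.append(cve)
    return hits

def triage(inventory: list[tuple[str, str, str]]) -> list[tuple[str, list[str], str]]:
    """For each (hostname, series, version) return (hostname, applicable CVEs, action)."""
    report = []
    for host, series, version in inventory:
        cves = affected_cves(series, version)
        action = f"upgrade to ZLD V{PATCHED}" if cves else "no action required"
        report.append((host, cves, action))
    return report

# Constructed sample inventory: hostnames and versions are made up, not from the advisory.
SAMPLE_INVENTORY = [
    ("fw-hq-01", "ATP", "ZLD V5.38 Patch 1"),
    ("fw-branch-02", "USG FLEX 50(W)/USG20(W)-VPN", "V4.18"),
    ("fw-lab-03", "USG FLEX", "ZLD V5.39"),
]
```

Running `triage(SAMPLE_INVENTORY)` flags the ATP unit for all seven CVEs, the USG20(W)-VPN unit for four (CVE-2024-7203 does not apply to that series, and CVE-2024-42058/42059 start at later versions), and the V5.39 unit as needing no action.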

Got a question?

Please contact your local service rep or visit Zyxel’s Community for further information or assistance.

Acknowledgment

Thanks to the following security researchers and consultancies:

  • Nanyu Zhong and Jinwei Dong from VARAS@IIE for CVE-2024-6343
  • Alessandro Sgreccia and Manuel Roccon from HackerHood for CVE-2024-7203
  • nella17 from DEVCORE for CVE-2024-42057, CVE-2024-42058, CVE-2024-42059, CVE-2024-42060, and CVE-2024-42061

Revision history

2024-9-3: Initial release