Zyxel security advisory for multiple vulnerabilities in firewalls

Zyxel_May
Zyxel_May Posts: 168  Zyxel Employee
First Comment Fourth Anniversary
edited September 3 in Security Advisories

CVEs:CVE-2024-6343, CVE-2024-7203, CVE-2024-42057, CVE-2024-42058, CVE-2024-42059, CVE-2024-42060, CVE-2024-42061

Summary

Zyxel has released patches addressing multiple vulnerabilities in some firewall versions.Users are advised to install the patches for optimal protection.

What are the vulnerabilities?

CVE-2024-6343

A buffer overflow vulnerability in the CGI program of some firewall versions could allow an authenticated attacker with administrator privileges to cause denial of service (DoS) conditions by sending a crafted HTTP request to a vulnerable device.

CVE-2024-7203

A post-authentication command injection vulnerability in some firewall versions could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands on an affected device by executing a crafted CLI command.

CVE-2024-42057

A command injection vulnerability in the IPSec VPN feature of some firewall versions could allow an unauthenticated attacker to execute some OS commands on an affected device by sending a crafted username to the vulnerable device. Note that this attack could be successful only if the device was configured in User-Based-PSK authentication mode and a valid user with a long username exceeding 28 characters exists.

CVE-2024-42058

A null pointer dereference vulnerability in some firewall versions could allow an unauthenticated attacker to cause DoS conditions by sending crafted packets to a vulnerable device.

CVE-2024-42059

A post-authentication command injection vulnerability in some firewall versions could allow an authenticated attacker with administrator privileges to execute some OS commands on an affected device by uploading a crafted compressed language file via FTP.

CVE-2024-42060

A post-authentication command injection vulnerability in some firewall versions could allow an authenticated attacker with administrator privileges to execute some OS commands on an affected device by uploading a crafted internal user agreement file to the vulnerable device.

CVE-2024-42061

A reflected cross-site scripting(XSS) vulnerability in the CGI program “dynamic_script.cgi” of some firewall versions could allow an attacker to trick a user into visiting a crafted URL with the XSS payload. The attacker could obtain browser-based information if the malicious script is executed on the victim’s browser.

What versions are vulnerable—and what should you do?

After a thorough investigation, we have identified the vulnerable products that are within their vulnerability support period and released updates to address the vulnerabilities, as shown in the table below.

Affected version

Firewall

series

CVE-2024-6343

CVE-2024-7203

CVE-2024-42057

CVE-2024-42058

CVE-2024-42059

CVE-2024-42060

CVE-2024-42061

Patch

availability

ATP

ZLD V4.32 to V5.38

ZLD V4.60 to V5.38

ZLD V4.32 to V5.38

ZLD V4.32 to V5.38

ZLD V5.00 to V5.38

ZLD V4.32 to V5.38

ZLD V4.32 to V5.38

ZLD V5.39

USG FLEX

ZLD V4.50 to V5.38

ZLD V4.60 to V5.38

ZLD V4.50 to V5.38

ZLD V4.50 to V5.38

ZLD V5.00 to V5.38

ZLD V4.50 to V5.38

ZLD V4.50 to V5.38

ZLD V5.39

USG FLEX 50(W)/

USG20(W)-VPN

ZLD V4.16 to V5.38

Not affected

ZLD V4.16 to V5.38

ZLD V4.20 to V5.38

ZLD V5.00 to V5.38

ZLD V4.16 to V5.38

ZLD V4.16 to V5.38

ZLD V5.39

Got a question?

Please contact your local service rep or visit Zyxel’s Community for further information or assistance.

Acknowledgment

Thanks to the following security researchers and consultancies:

  • Nanyu Zhong and Jinwei Dong from VARAS@IIE for CVE-2024-6343
  • Alessandro Sgreccia and Manuel Roccon from HackerHood for CVE-2024-7203
  • nella17 from DEVCORE for CVE-2024-42057, CVE-2024-42058, CVE-2024-42059, CVE-2024-42060, and CVE-2024-42061

Revision history

2024-9-3: Initial release