Zyxel security advisory for post-authentication command injection and buffer overflow ...
Zyxel Employee
Zyxel security advisory for post-authentication command injection and buffer overflow vulnerabilities in GS1900 series switches
CVEs: CVE-2024-8881, CVE-2024-8882
Summary
Zyxel has released patches for GS1900 series switches affected by post-authentication command injection and buffer overflow vulnerabilities. Users are advised to install them for optimal protection.
What are the vulnerabilities?
CVE-2024-8881
A post-authentication command injection vulnerability in the CGI program in the Zyxel GS1900 series switches firmware could allow an authenticated, LAN-based attacker with administrator privileges to execute some operating system (OS) commands on an affected device by sending a crafted HTTP request.
CVE-2024-8882
A buffer overflow vulnerability in the CGI program in the Zyxel GS1900 series switches firmware could allow an authenticated, LAN-based attacker with administrator privileges to cause denial of service (DoS)conditions via a crafted URL.
What versions are vulnerable—and what should you do?
After a thorough investigation, we have identified the vulnerable products that are within their vulnerability support period, with their firmware patches shown in the table below.
Affected model | Affected version | Patch availability |
|---|---|---|
GS1900-8 | V2.80(AAHH.1)C0 and earlier | |
GS1900-8HP | V2.80(AAHI.1)C0 and earlier | |
GS1900-10HP | V2.80(AAZI.1)C0 and earlier | |
GS1900-16 | V2.80(AAHJ.1)C0 and earlier | |
GS1900-24 | V2.80(AAHL.1)C0 and earlier | |
GS1900-24E | V2.80(AAHK.1)C0 and earlier | |
GS1900-24EP | V2.80(ABTO.1)C0 and earlier | |
GS1900-24HPv2 | V2.80(ABTP.1)C0 and earlier | |
GS1900-48 | V2.80(AAHN.1)C0 and earlier | |
GS1900-48HPv2 | V2.80(ABTQ.1)C0 and earlier |
Got a question?
Please contact your local service rep or visit Zyxel’s Community for further information or assistance.
Acknowledgment
Thanks to the following security researchers:
- Chengchao Ai from the ROIS team of Fuzhou University for CVE-2024-8881
- Xing Yang from the ROIS team of Fuzhou University for CVE-2024-8882
Revision history
2024-11-12: Initial release
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 144 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.6K Security
- 237 USG FLEX H Series
- 267 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.3K Consumer Product
- 246 Service & License
- 383 News and Release
- 83 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.2K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight