Zyxel security advisory for buffer overflow and post-authentication command injection...
Zyxel Employee
Zyxel security advisory for buffer overflow and post-authentication command injection vulnerabilities in some 4G LTE/5G NR CPE, DSL/Ethernet CPE,fiber ONTs, and WiFi extenders
CVEs: CVE-2024-8748, CVE-2024-9197, CVE-2024-9200
Summary
Zyxel has released patches for some 4G LTE/5G NR CPE, DSL/Ethernet CPE, fiber ONT, and WiFi extender firmware versions affected by buffer overflow and post-authentication command injection vulnerabilities.Users are advised to install them for optimal protection.
What are the vulnerabilities?
CVE-2024-8748
A buffer overflow vulnerability in the packet parser of the third-party library “libclinkc” in some 4G LTE/5G NR CPE, DSL/Ethernet CPE, fiber ONT, and WiFi extender firmware versions could allow an attacker to cause denial of service (DoS) conditions against the web management interface by sending a crafted HTTP POST request to a vulnerable device. Note that WAN access is disabled by default on the devices, and the device still functions as expected in processing network traffic, even if the attack is successful.
CVE-2024-9197
A post-authentication buffer overflow vulnerability in the parameter “action” of the CGI program in some DSL/Ethernet CPE, fiber ONT, and WiFi extender firmware versions could allow an authenticated attacker with administrator privileges to cause DoS conditions against the web management interface by sending a crafted HTTP GET request to a vulnerable device if the function ZyEE is enabled. Note that the function ZyEE and WAN access are disabled by default on the devices, and the device still functions as expected in processing network traffic, even if the attack is successful.
CVE-2024-9200
A post-authentication command injection vulnerability in the "host" parameter of the diagnostic function in some DSL/Ethernet CPE firmware versions could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device. It is important to note that WAN access is disabled by default on these devices, and this attack can only be successful if the strong, unique administrator passwords have been compromised.
What versions are vulnerable—and what should you do?
After a thorough investigation, we’ve identified the vulnerable products within their vulnerability support period and released firmware patches to address the vulnerabilities, as shown in the tables below. Note that if an on-market product is not listed in the tables, it is NOT affected.
Table 1. Models affected by CVE-2024-8748
Product | Affected model | Affected version | Patch availability* |
|---|---|---|---|
4G LTE/5G NR CPE | LTE3301-PLUS | V1.00(ABQU.5)C0 and earlier | V1.00(ABQU.6)C0 |
LTE5388-M804 | V1.00(ABSQ.4)C0 and earlier | V1.00(ABSQ.5)C0 | |
LTE5398-M904 | V1.00(ABQV.4)C0 and earlier | V1.00(ABQV.5)C0 | |
LTE7480-M804 | V1.00(ABRA.9)C0 and earlier | V1.00(ABRA.10)C0 | |
LTE7490-M904 | V1.00(ABQY.8)C0 and earlier | V1.00(ABQY.9)C0 | |
NR7101 | V1.00(ABUV.10)C0 and earlier | V1.00(ABUV.11)C0 | |
NR7102 | V1.00(ABYD.3)C0 and earlier | V1.00(ABYD.4)C0 | |
Nebula NR5101 | V1.16(ACCG.0)C0 and earlier | V1.16(ACCG.1)C0 | |
Nebula NR7101 | V1.16(ACCC.0)C0 and earlier | V1.16(ACCC.1)C0 | |
Nebula LTE3301-PLUS | V1.18(ACCA.4)C0 and earlier | V1.18(ACCA.5)C0 | |
DSL/Ethernet CPE | DX3300-T0 | V5.50(ABVY.5.3)C0 and earlier | V5.50(ABVY.5.4)C0 |
DX3300-T1 | V5.50(ABVY.5.3)C0 and earlier | V5.50(ABVY.5.4)C0 | |
DX3301-T0 | V5.50(ABVY.5.3)C0 and earlier | V5.50(ABVY.5.4)C0 | |
DX4510-B0 | V5.17(ABYL.7)C0 and earlier | V5.17(ABYL.8)C0 | |
DX4510-B1 | V5.17(ABYL.7)C0 and earlier | V5.17(ABYL.8)C0 | |
DX5401-B0 | V5.17(ABYO.6.3)C0 and earlier | V5.17(ABYO.6.4)C0 | |
DX5401-B1 | V5.17(ABYO.6.3)C0 and earlier | V5.17(ABYO.6.4)C0 | |
EE6510-10 | V5.19(ACJQ.0)C0 and earlier | V5.19(ACJQ.1)C0 | |
EX2210-T0 | V5.50(ACDI.1)C0 and earlier | V5.50(ACDI.2)C0 | |
EX3300-T0 | V5.50(ABVY.5.3)C0 and earlier | V5.50(ABVY.5.4)C0 | |
EX3300-T1 | V5.50(ABVY.5.3)C0 and earlier | V5.50(ABVY.5.4)C0 | |
EX3301-T0 | V5.50(ABVY.5.3)C0 and earlier | V5.50(ABVY.5.4)C0 | |
EX3500-T0 | V5.44(ACHR.2)C0 and earlier | V5.44(ACHR.3)C0 | |
EX3501-T0 | V5.44(ACHR.2)C0 and earlier | V5.44(ACHR.3)C0 | |
EX3510-B0 | V5.17(ABUP.12)C0 and earlier | V5.17(ABUP.13)C0 | |
EX3510-B1 | V5.17(ABUP.12)C0 and earlier | V5.17(ABUP.13)C0 | |
EX3600-T0 | V5.70(ACIF.0.3)C0 and earlier | V5.70(ACIF.0.4)C0 | |
EX5401-B0 | V5.17(ABYO.6.3)C0 and earlier | V5.17(ABYO.6.4)C0 | |
EX5401-B1 | V5.17(ABYO.6.3)C0 and earlier | V5.17(ABYO.6.4)C0 | |
EX5501-B0 | V5.17(ABRY.5.2)C0 and earlier | V5.17(ABRY.5.3)C0 | |
EX5510-B0 | V5.17(ABQX.10)C0 and earlier | V5.17(ABQX.11)C0 | |
EX5512-T0 | V5.70(ACEG4.1)C0 and earlier | V5.70(ACEG4.2)C0 | |
EX5600-T1 | V5.70(ACDZ.3.3)C0 and earlier | V5.70(ACDZ.3.4)C0 | |
EX5601-T0 | V5.70(ACDZ.3.3)C0 and earlier | V5.70(ACDZ.3.4)C0 | |
EX5601-T1 | V5.70(ACDZ.3.3)C0 and earlier | V5.70(ACDZ.3.4)C0 | |
EX7501-B0 | V5.18(ACHN.1.2)C0 and earlier | V5.18(ACHN.1.3)C0 | |
EX7710-B0 | V5.18(ACAK.1)C1 and earlier | V5.18(ACAK.1.1)C0 | |
EMG3525-T50B | V5.50(ABPM.9.2)C0 and earlier | V5.50(ABPM.9.3)C0 | |
EMG5523-T50B | V5.50(ABPM.9.2)C0 and earlier | V5.50(ABPM.9.3)C0 | |
EMG5723-T50K | V5.50(ABOM.8.4)C0 and earlier | V5.50(ABOM.8.5)C0 | |
EMG6726-B10A | V5.13(ABNP.8)C0 and earlier | V5.13(ABNP.8)C1 | |
VMG3625-T50B | V5.50(ABPM.9.2)C0 and earlier | V5.50(ABPM.9.3)C0 | |
VMG3927-B50B | V5.13 (ABLY.9)C0 and earlier | V5.13(ABLY.9)C1 | |
VMG3927-T50K | V5.50(ABOM.8.4)C0 and earlier | V5.50(ABOM.8.5)C0 | |
VMG4005-B50A | V5.15(ABQA.2.2)C0 and earlier | V5.15(ABQA.2.3)C0 | |
VMG4005-B60A | V5.15(ABQA.2.2)C0 and earlier | V5.15(ABQA.2.3)C0 | |
VMG4005-B50B | V5.13(ABRL.5.1)C0 and earlier | V5.13(ABRL.5.2)C0 | |
VMG4927-B50A | V5.13 (ABLY.9)C0 and earlier | V5.13(ABLY.9)C1 | |
VMG8623-T50B | V5.50(ABPM.9.2)C0 and earlier | V5.50(ABPM.9.3)C0 | |
VMG8825-T50K | V5.50(ABOM.8.4)C0 and earlier V5.50(ABPY.1)b25 and earlier | V5.50(ABOM.8.5)C0 V5.50(ABPY.1)b26 | |
Fiber ONT | AX7501-B0 | V5.17(ABPC.5.2)C0 and earlier | V5.17(ABPC.5.3)C0 |
AX7501-B1 | V5.17(ABPC.5.2)C0 and earlier | V5.17(ABPC.5.3)C0 | |
PM3100-T0 | V5.42(ACBF.2.1)C0 and earlier | V5.42(ACBF.3)C0 | |
PM5100-T0 | V5.42(ACBF.2.1)C0 and earlier | V5.42(ACBF.3)C0 | |
PM7300-T0 | V5.42(ABYY.2.2)C0 and earlier | V5.42(ABYY.2.3)C0 | |
PM7500-T0 | V5.61(ACKK.0)C0 and earlier | V5.61(ACKK.0.1)C0 | |
PX3321-T1 | V5.44(ACJB.1)C0 and earlier V5.44(ACHK.0.2)C0 and earlier | V5.44(ACJB.1.1)C0 V5.44(ACHK.0.3)C0 | |
PX5301-T0 | V5.44(ACKB.0)C0 and earlier | V5.44(ACKB.0.1)C0 | |
Wi-Fi extender | WX3100-T0 | V5.50(ABVL.4.3)C0 and earlier | V5.50(ABVL.4.4)C0 |
WX3401-B0 | V5.17(ABVE.2.5)C0 and earlier | V5.17(ABVE.2.6)C0 | |
WX3401-B1 | V5.17(ABVE.2.5)C0 and earlier | V5.17(ABVE.2.6)C0 | |
WX5600-T0 | V5.70(ACEB.3.2)C0 and earlier | V5.70(ACEB.3.3)C0 | |
WX5610-B0 | V5.18(ACGJ.0)C2 and earlier | V5.18(ACGJ0.1)C0 |
* Please contact your Zyxel sales representative or support team for the file.
Table 2. Models affected by CVE-2024-9197
Product | Affected model | Affected version | Patch availability* |
|---|---|---|---|
DSL/Ethernet CPE | DX3300-T0 | V5.50(ABVY.5.3)C0 and earlier | V5.50(ABVY.5.4)C0 |
DX3300-T1 | V5.50(ABVY.5.3)C0 and earlier | V5.50(ABVY.5.4)C0 | |
DX3301-T0 | V5.50(ABVY.5.3)C0 and earlier | V5.50(ABVY.5.4)C0 | |
DX4510-B0 | V5.17(ABYL.7)C0 and earlier | V5.17(ABYL.8)C0 | |
DX4510-B1 | V5.17(ABYL.7)C0 and earlier | V5.17(ABYL.8)C0 | |
DX5401-B0 | V5.17(ABYO.6.3)C0 and earlier | V5.17(ABYO.6.4)C0 | |
DX5401-B1 | V5.17(ABYO.6.3)C0 and earlier | V5.17(ABYO.6.4)C0 | |
EE6510-10 | V5.19 (ACJQ.0)C0 and earlier | V5.19 (ACJQ.1)C0 | |
EX3300-T0 | V5.50(ABVY.5.3)C0 and earlier | V5.50(ABVY.5.4)C0 | |
EX3300-T1 | V5.50(ABVY.5.3)C0 and earlier | V5.50(ABVY.5.4)C0 | |
EX3301-T0 | V5.50(ABVY.5.3)C0 and earlier | V5.50(ABVY.5.4)C0 | |
EX3500-T0 | V5.44(ACHR.2)C0 and earlier | V5.44(ACHR.3)C0 | |
EX3501-T0 | V5.44(ACHR.2)C0 and earlier | V5.44(ACHR.3)C0 | |
EX3510-B0 | V5.17(ABUP.12)C0 and earlier | V5.17(ABUP.13)C0 | |
EX3510-B1 | V5.17(ABUP.12)C0 and earlier | V5.17(ABUP.13)C0 | |
EX5401-B0 | V5.17(ABYO.6.3)C0 and earlier | V5.17(ABYO.6.4)C0 | |
EX5401-B1 | V5.17(ABYO.6.3)C0 and earlier | V5.17(ABYO.6.4)C0 | |
EX5501-B0 | V5.17(ABRY.5.2)C0 and earlier | V5.17(ABRY.5.3)C0 | |
EX5510-B0 | V5.17(ABQX.10)C0 and earlier | V5.17(ABQX.11)C0 | |
EX5600-T1 | V5.70(ACDZ.3.3)C0 and earlier | V5.70(ACDZ.3.4)C0 | |
EX5601-T0 | V5.70(ACDZ.3.3)C0 and earlier | V5.70(ACDZ.3.4)C0 | |
EX5601-T1 | V5.70(ACDZ.3.3)C0 and earlier | V5.70(ACDZ.3.4)C0 | |
EX7501-B0 | V5.18(ACHN.1.2)C0 and earlier | V5.18(ACHN.1.3)C0 | |
EMG3525-T50B | V5.50(ABPM.9.2)C0 and earlier | V5.50(ABPM.9.3)C0 | |
EMG5523-T50B | V5.50(ABPM.9.2)C0 and earlier | V5.50(ABPM.9.3)C0 | |
EMG5723-T50K | V5.50(ABOM.8.4)C0 and earlier | V5.50(ABOM.8.5)C0 | |
VMG3625-T50B | V5.50(ABPM.9.2)C0 and earlier | V5.50(ABPM.9.3)C0 | |
VMG3927-T50K | V5.50(ABOM.8.4)C0 and earlier | V5.50(ABOM.8.5)C0 | |
VMG8623-T50B | V5.50(ABPM.9.2)C0 and earlier | V5.50(ABPM.9.3)C0 | |
VMG8825-T50K | V5.50(ABOM.8.4)C0 and earlier | V5.50(ABOM.8.5)C0 | |
Fiber ONT | AX7501-B0 | V5.17(ABPC.5.2)C0 and earlier | V5.17(ABPC.5.3)C0 |
AX7501-B1 | V5.17(ABPC.5.2)C0 and earlier | V5.17(ABPC.5.3)C0 | |
EX3600-T0 | V5.70(ACIF.0.3)C0 and earlier | V5.70(ACIF.0.4)C0 | |
PX3321-T1 | V5.44(ACJB.1)C0 and earlier V5.44(ACHK.0.2)C0 and earlier | V5.44(ACJB.1.1)C0 V5.44(ACHK.0.3)C0 | |
PX5301-T0 | V5.44(ACKB.0)C0 and earlier | V5.44(ACKB.0.1)C0 | |
Wi-Fi extender | WX5600-T0 | V5.70(ACEB.3.2)C0 and earlier | V5.70(ACEB.3.3)C0 |
* Please contact your Zyxel sales representative or support team for the file.
Table 3. Models affected by CVE-2024-9200
Product | Affected model | Affected version | Patch availability* |
|---|---|---|---|
DSL/Ethernet CPE | EMG6726-B10A | V5.13(ABNP.8)C0 and earlier | V5.13(ABNP.8)C1 |
VMG3927-B50B | V5.13 (ABLY.9)C0 and earlier | V5.13(ABLY.9)C1 | |
VMG4005-B50A | V5.15(ABQA.2.2)C0 and earlier | V5.15(ABQA.2.3)C0 | |
VMG4005-B60A | V5.15(ABQA.2.2)C0 and earlier | V5.15(ABQA.2.3)C0 | |
VMG4005-B50B | V5.13(ABRL.5.1)C0 and earlier | V5.13(ABRL.5.2)C0 | |
VMG4927-B50A | V5.13 (ABLY.9)C0 and earlier | V5.13(ABLY.9)C1 |
* Please contact your Zyxel sales representative or support team for the file.
Please note that the above tables do NOT include customized models for internet service providers (ISPs).
For ISPs, please contact your Zyxel sales or service representatives for further details.
For end-users who acquired your Zyxel device from an ISP, we recommend you reach out to the ISP’s support team directly, as the device may have custom-built settings.
For end-users who purchased your Zyxel device yourself, please contact your local Zyxel support team for the new firmware file to ensure optimal protection, or visit Zyxel’s Community for further assistance.
Got a question?
Please contact your local service rep or visit Zyxel’s Community for further information or assistance.
Acknowledgment
Thanks to the following security researchers:
- Dawid Kulikowski for CVE-2024-8748
- k0mor3b1 from Secdriver for CVE-2024-9197
- Erik de Jong for CVE-2024-9200
Revision history
2024-12-3:Initial release.
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 146 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight