More security fixes in V4.62 for V4.30 and greater

dkyeager
dkyeager Posts: 42  Freshman Member
edited April 14 in Security
Any further details on these fixes in V4.62?

1. Remote Code Execution vulnerability fix.

Vulnerability Description: These are affected by a CGI vulnerability caused by improper input sanitization of HTTP requests. It could allow hackers to perform remote code execution via OS command injection.

Affected Version: ZLD V4.35 and above

2. Buffer Overflow vulnerability fix.

Vulnerability Description: The buffer overflow vulnerability causes a program to overwrite a memory block, so the system might become unstable or terminate abnormally.

Affected Version: ZLD V4.30 and above

Recommended Action: Users are advised to upgrade to the latest firmware (ZLD4.62) or hotfix immediately for optimal protection.

Thank you for choosing ZyWALL ATP and USG FLEX series. Zyxel is committed to continuously updating your devices for the most advanced features.

Best Answer

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 199  Zyxel Employee
    Accepted Answer

    Hi @dkyeager

    You can refer to the following answers:

    What are the patched vulnerabilities? How will they affect device security?

    1. Remote Code Execution vulnerability:

    When the HTTP/HTTPS service is enabled and users are allowed to access the device GUI, an attacker can inject commands directly from the URL (e.g. inject a reboot command to force the device to reboot without having admin authority).


    2. Buffer Overflow vulnerability:

    When the HTTP/HTTPS service is enabled and users are allowed to access the device GUI, an attacker can send a crafted HTTP request (by adjusting the HTTP header) that causes a system stack overflow and reboot.
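Both conditions in the answer above (shell metacharacters reaching a CGI handler through the GUI's query string, and an oversized crafted request aimed at a fixed-size buffer) travel over the same HTTP/HTTPS management path, so an administrator can look for them in whatever access log covers that path. The script below is an added example, not Zyxel code; it assumes Common Log Format lines (the sample lines and the 2048-byte threshold are constructed assumptions, not values from the advisory).

```python
import re
from urllib.parse import parse_qsl

# Common Log Format: client, ident, user, [time], "method target proto", status, bytes
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Shell metacharacters that have no business inside a CGI query value.
# parse_qsl URL-decodes first, so %3B and a literal ';' are treated alike.
SHELL_META_RE = re.compile(r'[;|&`\n]|\$\(')

# A request line longer than this is treated as a crafted/oversized header.
# Assumed threshold for the example; tune it to the GUI's real request sizes.
MAX_TARGET_LEN = 2048


def scan_access_log(lines):
    """Return (client, reason, target) for each request that matches either pattern."""
    findings = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue                       # not CLF, skip
        client, _method, target, _status = m.groups()
        if len(target) > MAX_TARGET_LEN:
            findings.append((client, "oversized-request-line", target[:40] + "..."))
            continue
        path, _, query = target.partition("?")
        if path.endswith(".cgi"):
            values = [v for _k, v in parse_qsl(query, keep_blank_values=True)]
            if any(SHELL_META_RE.search(v) for v in values):
                findings.append((client, "cgi-command-injection", target))
    return findings


def build_sample_log():
    """Constructed sample lines for the example (not real device output)."""
    return [
        '10.0.0.5 - - [14/Apr/2021:10:01:02 +0000] "GET /cgi-bin/status.cgi?host=10.0.0.1 HTTP/1.1" 200 512',
        '203.0.113.9 - - [14/Apr/2021:10:01:07 +0000] "GET /cgi-bin/status.cgi?host=10.0.0.1%3Breboot HTTP/1.1" 200 0',
        '203.0.113.9 - - [14/Apr/2021:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 2048',
        '198.51.100.4 - - [14/Apr/2021:10:02:00 +0000] "GET /cgi-bin/login.cgi?user=' + "A" * 4000 + ' HTTP/1.1" 400 0',
    ]


if __name__ == "__main__":
    for client, reason, target in scan_access_log(build_sample_log()):
        print(f"{client:15} {reason:25} {target}")
```

Hits are a reason to check whether the GUI was reachable from that source at all; Zyxel's recommended action remains the ZLD 4.62 upgrade or hotfix.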

