Urgent patching for Zyxel Firewall Flaw

Network equipment company Zyxel has updated the firmware of several of its business-grade firewall and VPN products to address a critical-severity vulnerability that could give attackers administrator-level access to affected devices.

Zyxel’s security advisory refers to products from the USG/ZyWALL, USG FLEX, ATP, VPN, and NSG (Nebula Security Gateway) series.

The National Institute of Standards and Technology (NIST) has not provided a severity rating yet, but Zyxel’s assessment gives it a 9.8 score out of a maximum of 10.

“An authentication bypass vulnerability caused by the lack of a proper access control mechanism has been found in the CGI program of some firewall versions. The flaw could allow an attacker to bypass the authentication and obtain administrative access of the device” – Zyxel


WHEN AND WHAT HAPPENED:

Zyxel, a company that makes networking equipment, has released patches for a critical security flaw in its firewall devices. The flaw is tracked as CVE-2023-28771 and is rated 9.8 on the CVSS scoring system. This means it is a critical vulnerability that could be easily exploited by attackers. Researchers from TRAPA Security have been credited with reporting the flaw.

According to Zyxel, the flaw is caused by “improper error message handling in some firewall versions” which could allow an unauthenticated attacker to remotely execute some operating system (OS) commands by sending crafted packets to an affected device. The flaw impacts several products, including ATP, USG FLEX, VPN, and ZyWALL/USG.

  • Zyxel released a security advisory on April 25, 2023, to address the flaw.
  • Credited for discovering and reporting CVE-2022-0342 are Alessandro Sgreccia from Tecnical Service Srl, and Roberto Garcia H and Victor Garcia R from Innotec Security.
  • Zyxel is advising its customers to install the firmware updates “for optimal protection.” At the moment there are no public reports that CVE-2022-0342 is being exploited in attacks.


EFFECT:

  • Users of the affected Zyxel products are recommended to update their devices to the latest patched firmware, specifically ZLD V5.36 for impacted devices. In addition, Zyxel has addressed another high-severity post-authentication command injection vulnerability affecting select firewall versions (CVE-2023-27991) that could permit an authenticated attacker to execute some OS commands remotely.
  • Lastly, Zyxel has shipped fixes for five high-severity flaws and one medium-severity bug affecting several firewalls and access point (AP) devices. These flaws could lead to code execution and cause a denial-of-service (DoS) condition.
  • Nikita Abramov from Russian cybersecurity company Positive Technologies has been credited for reporting these issues. Abramov had earlier discovered four command injection and buffer overflow vulnerabilities in CPE, fiber ONTs, and WiFi extenders.
  • The flaw impacts several products, including ATP, USG FLEX, VPN, and ZyWALL/USG.
  • It is essential to update the firmware of any affected Zyxel products to ensure they are secure and free from any known vulnerabilities. By doing so, users can protect their systems and data from potential attacks.


The vulnerability

Zyxel says the vulnerability, listed as CVE-2022-0342, is an authentication bypass vulnerability caused by the lack of a proper access control mechanism, which has been found in the CGI program of some firewall versions. The flaw could allow an attacker to bypass the authentication and obtain administrative access of the device.

The Common Gateway Interface (CGI) is an interface specification that enables web servers to execute an external program, typically to process user requests.

CVE-2023-22913

A post-authentication command injection vulnerability in the “account_operator.cgi” CGI program of some firewall versions could allow a remote authenticated attacker to modify device configuration data, resulting in denial-of-service (DoS) conditions on an affected device. Note that WAN access is disabled by default on the firewall devices.

CVE-2023-22914

A path traversal vulnerability in the “account_print.cgi” CGI program of some firewall versions could allow a remote authenticated attacker with administrator privileges to execute unauthorized OS commands in the “tmp” directory by uploading a crafted file if the hotspot function were enabled. Note that WAN access is disabled by default on the firewall devices.

CVE-2023-22915

A buffer overflow vulnerability in the “fbwifi_forward.cgi” CGI program of some firewall versions could allow a remote unauthenticated attacker to cause DoS conditions by sending a crafted HTTP request if the Facebook WiFi function were enabled on an affected device. Note that WAN access is disabled by default on the firewall devices.

CVE-2023-22916

The configuration parser of some firewall versions fails to properly sanitize user input. A remote unauthenticated attacker could leverage the vulnerability to modify device configuration data, resulting in DoS conditions on an affected device if the attacker could trick an authorized administrator to switch the management mode to the cloud mode. Note that WAN access is disabled by default on the firewall devices.

CVE-2023-22917

A buffer overflow vulnerability in the “sdwan_iface_ipc” binary of some firewall versions could allow a remote unauthenticated attacker to cause a core dump with a request error message on a vulnerable device by uploading a crafted configuration file. Note that WAN access is disabled by default on the firewall devices.

CVE-2023-22918

A post-authentication information exposure vulnerability in the CGI program of some firewall and AP versions could allow a remote authenticated attacker to retrieve encrypted information of the administrator on an affected device. Note that WAN access is disabled by default on the firewall and AP devices.


The hardware devices above are typically used in small or mid-sized environments to combine network access, whether local or remote, with security components that can protect against malicious activity via malware or phishing.


Recommendation:


  • Users of the affected Zyxel products are recommended to update their devices to the latest patched firmware, specifically ZLD V5.36 for impacted devices.
  • Additionally, Zyxel has addressed a high-severity post-authentication command injection vulnerability affecting select firewall versions (CVE-2023-27991) that could permit an authenticated attacker to execute some OS commands remotely.
  • Lastly, the company has shipped fixes for five high-severity flaws and one medium-severity bug affecting several firewalls and access point (AP) devices.
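The update advice above boils down to an inventory check: which devices belong to an affected series and still run firmware older than ZLD V5.36? The script below is an added example, not Zyxel's tooling; it assumes firmware strings of the form "V5.35(ABUI.0)" or "ZLD V4.73 Patch 2" (the "V<major>.<minor>" part is what is compared) and uses a constructed inventory.

```python
import re
from dataclasses import dataclass

# Product series the advisory summary names as affected.
AFFECTED_SERIES = {"ATP", "USG FLEX", "VPN", "ZYWALL/USG", "USG/ZYWALL", "NSG"}

# Fixed firmware stated in the advisory: ZLD V5.36.
FIXED_VERSION = (5, 36)

# Assumption: firmware strings carry a "V<major>.<minor>" token, e.g.
# "V5.35(ABUI.0)" or "ZLD V4.73 Patch 2"; patch suffixes are ignored here.
_VERSION_RE = re.compile(r"V(\d+)\.(\d+)")


@dataclass
class Device:
    name: str
    series: str
    firmware: str


def parse_version(firmware: str):
    """Return (major, minor) from a ZLD firmware string, or None if unparseable."""
    m = _VERSION_RE.search(firmware)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def needs_patch(device: Device) -> bool:
    """True when the device is in an affected series and runs firmware below the fix."""
    if device.series.upper() not in AFFECTED_SERIES:
        return False
    ver = parse_version(device.firmware)
    if ver is None:
        return True  # unknown version: flag it so someone checks the box by hand
    return ver < FIXED_VERSION  # tuple comparison: (4, 73) < (5, 36)


def unpatched(devices):
    """Names of devices that still need the ZLD V5.36 update."""
    return [d.name for d in devices if needs_patch(d)]


# Constructed sample inventory (hypothetical hostnames, not real devices).
SAMPLE_INVENTORY = [
    Device("fw-branch-1", "USG FLEX", "V5.35(ABUI.0)"),
    Device("fw-hq", "ATP", "V5.36(ABFW.0)"),
    Device("vpn-dc", "VPN", "ZLD V4.73 Patch 2"),
    Device("ap-lobby", "NWA", "V6.25"),
    Device("fw-lab", "ZyWALL/USG", "unknown"),
]

if __name__ == "__main__":
    for name in unpatched(SAMPLE_INVENTORY):
        print("needs firmware update:", name)
```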

In addition, it is recommended to:

  • Restrict access to the affected devices and ensure they are not directly accessible from the internet.
  • Implement network segmentation and ensure the devices are located in a secure zone.
  • Monitor network traffic for any signs of suspicious activity.
  • Regularly review security advisories and apply patches promptly.
  • Educate employees on the importance of network security and the risks of opening suspicious emails or clicking on links from unknown sources. This can help prevent social engineering attacks that exploit human vulnerabilities to gain access to the network.

By following these recommendations, users can help protect their systems against potential attacks and ensure the safety and security of their networks.