Network equipment maker Zyxel has released a patch for a critical security flaw in its firewall suite which can be exploited to achieve remote code execution on affected systems.
The problem is, being tracked as CVE-2023-28771, rated 9.8 on the CVSS rating system. Researchers from TRAPA Security have been credited with reporting the flaw.
“Inappropriate handling of error messages in some firewall versions could allow an unauthenticated attacker to remotely execute some OS commands by sending crafted packets to the affected device,” Zyxel said in advisory on April 25, 2023.
Products affected by defects are –
- ATP (ZLD version V4.60 to V5.35, patched at ZLD V5.36)
- USG FLEX (ZLD version V4.60 to V5.35, patched at ZLD V5.36)
- VPN (ZLD version V4.60 to V5.35, patched at ZLD V5.36), and
- ZyWALL/USG (ZLD version V4.60 to V4.73, patched in ZLD V4.73 Patch 1)
Zyxel also has one addressed a high-severity post-authentication command injection vulnerability affecting certain firewall versions (CVE-2023-27991CVSS score: 8.8) which could allow an authenticated attacker to execute some OS commands remotely.
The flaw, which impacted ATP, USG FLEX, USG FLEX 50(W) / USG20(W)-VPN, and VPN devices, was addressed in ZLD V5.36.
Lastly, the company too repairs sent for five high-severity flaws affecting multiple firewall devices and access points (APs) (from CVE-2023-22913 to CVE-2023-22918) that could result in code execution and lead to a denial-of-service (DoS) condition.
Nikita Abramov of Russian cybersecurity firm Positive Technologies has been credited with reporting the problem. Abramov, earlier this year too have found four command injection and buffer overflow vulnerabilities in CPE, fiber ONT, and WiFi extender.
The most severe weakness is CVE-2022-43389 (CVSS score: 9.8), a buffer overflow vulnerability impacting 5G NR/4G LTE CPE devices.
“It does not require authentication to be exploited and causes arbitrary code execution on the device,” said Abramov explained at the time. “As a result, an attacker can gain remote access to the device and completely control its operation.”