Zyxel has released a software update to address two critical security flaws affecting certain firewall and VPN products that could be abused by remote attackers to achieve code execution.
A brief description of the two issues is below:
- CVE-2023-33009 – A buffer overflow vulnerability in the notification function that could enable an unauthenticated attacker to cause a denial-of-service (DoS) condition and achieve remote code execution.
- CVE-2023-33010 – Buffer overflow vulnerabilities in the ID processing functionality that could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and achieve remote code execution.
The following devices are affected:
- ATP (ZLD versions V4.32 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2)
- USG FLEX (ZLD versions V4.50 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2)
- USG FLEX50(W) / USG20(W)-VPN (ZLD versions V4.25 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2)
- VPN (ZLD versions V4.30 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2)
- ZyWALL/USG (ZLD versions V4.25 to V4.73 Patch 1, patched in ZLD V4.73 Patch 2)
Security researchers from TRAPA Security and STAR Labs SG found and reported the flaws.
The advisory comes less than a month after Zyxel shipped a fix for another critical security flaw in its firewall suite that could be exploited to achieve remote code execution on affected systems.
That issue, tracked as CVE-2023-28771 (CVSS score: 9.8), was also credited to TRAPA Security, with the network equipment maker blaming improper handling of error messages. It has since come under active exploitation by threat actors associated with the Mirai botnet.