Zyxel, a Taiwanese networking device vendor, has issued security advisories for several critical vulnerabilities affecting its firewall, access point, and NAS devices. The vulnerabilities could allow remote attackers to bypass authentication, execute arbitrary commands, or cause denial-of-service (DoS) conditions on the affected devices. Zyxel customers are advised to update their firmware as soon as possible to mitigate the risks.
The vulnerabilities were reported by Positive Technologies, a cybersecurity company that specializes in vulnerability assessment and penetration testing. According to the company, the vulnerabilities were discovered during a security audit of Zyxel products. The vulnerabilities are:
- CVE-2023-22913: A post-authentication command injection vulnerability in the
account_operator.cgiCGI program of some firewall versions. This could allow a remote authenticated attacker to modify device configuration data, resulting in DoS conditions on an affected device. Note that WAN access is disabled by default on the firewall devices. - CVE-2023-22914: A path traversal vulnerability in the
account_print.cgiCGI program of some firewall versions. This could allow a remote authenticated attacker with administrator privileges to execute unauthorized OS commands in thetmpdirectory by uploading a crafted file if the hotspot function were enabled. Note that WAN access is disabled by default on the firewall devices. - CVE-2023-22915: A buffer overflow vulnerability in the
fbwifi_forward.cgiCGI program of some firewall versions. This could allow a remote unauthenticated attacker to cause DoS conditions by sending a crafted HTTP request if the Facebook WiFi function were enabled on an affected device. Note that WAN access is disabled by default on the firewall devices. - CVE-2023-22916: The configuration parser of some firewall versions fails to properly sanitize user input. A remote unauthenticated attacker could leverage the vulnerability to modify device configuration data, resulting in DoS conditions on an affected device if the attacker could trick an authorized administrator to switch the management mode to the cloud mode. Note that WAN access is disabled by default on the firewall devices.
CVE-2023-22917: A buffer overflow vulnerability in the sdwan_iface_ipc binary of some firewall versions. This could allow a remote unauthenticated attacker to cause a core dump with a request error message on a vulnerable device by uploading a crafted configuration file. Note that WAN access is disabled by default on the firewall devices.
- CVE-2023-22918: A post-authentication information exposure vulnerability in the CGI program of some firewall and AP versions. This could allow a remote authenticated attacker to retrieve encrypted information of the administrator on an affected device. Note that WAN access is disabled by default on the firewall and AP devices.
Affected Products and Firmware Updates
Zyxel has identified the vulnerable products that are within their vulnerability support period and released firmware updates to address the vulnerabilities. The affected products and firmware versions are listed in the following tables:
| Product Series | Model | Affected Firmware Version | Patched Firmware Version |
|---|---|---|---|
| Firewall | ATP, USG, USG FLEX, VPN, ZyWALL | ZLD5.00 to ZLD5.21 Patch 1 | ZLD5.22 Patch 0 |
| AP Controller | NXC2500, NXC5500 | V6.00 to V6.10 Patch 1 | V6.10 Patch 2 |
| Managed AP | WAC6100, WAC6500, WAX510D, WAX650S, NWA5120, NWA5301-NJ, NWA1100-NH, WAC5302D-S | V6.00 to V6.10 Patch 1 | V6.10 Patch 2 |
| Standalone AP | WAC6100, WAC6500, WAX510D, WAX650S, NWA5120, NWA5301-NJ, NWA1100-NH, WAC5302D-S | V6.00 to V6.10 Patch 1 | V6.10 Patch 2 |
| Product Series | Model | Affected Firmware Version | Patched Firmware Version |
|---|---|---|---|
| NAS | NAS326, NAS540, NAS542 | V5.21 and earlier | V5.22 |
| NAS | NAS520, NAS540, NAS542 | V5.21 and earlier | V5.22 |
Zyxel recommends users to log into their devices and install the applicable firmware updates for optimal protection. Users can also refer to the security advisories posted on the Zyxel website for more details and instructions.
Zyxel’s Response to Security Issues
Zyxel has been proactive in addressing security issues affecting its products. Earlier this year, the company patched a zero-day vulnerability in its firewall and VPN products that was being exploited by hackers. The vulnerability, tracked as CVE-2023-3509, was an unauthenticated remote command injection via the HTTP interface, affecting Zyxel firewalls supporting Zero Touch Provisioning (ZTP). The vulnerability had a CVSS score of 10, indicating a critical level of severity.
Zyxel also warned its NAS device users to update their firmware to fix a critical severity command injection vulnerability, tracked as CVE-2023-27992, that could be exploited for arbitrary command injection without authentication. The vulnerability affected Zyxel NAS devices running firmware version 5.21 and earlier. The vulnerability had a CVSS score of 9.8, indicating a high level of severity.
Zyxel is committed to providing secure and reliable products and services to its customers. The company has a dedicated security team that monitors and responds to security issues promptly. Zyxel also encourages users to report any security issues or vulnerabilities to security@zyxel.com.tw.
