Researchers from TRAPA Security have discovered a critical remote code execution vulnerability, tracked as CVE-2023-28771 (CVSS score 9.8), impacting Zyxel Firewall.
The vulnerability is an improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35. A remote, unauthenticated attacker can trigger the flaw by sending specially crafted packets to a vulnerable device and execute some OS commands remotely.
Zyxel has released security patches to address the vulnerability and urges customers to install them.
“Improper error message handling in some firewall versions could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.” reads the advisory published by the vendor.
The company also fixed a high-severity post-authentication command injection issue (CVE-2023-27991, CVSS score: 8.8) affecting some specific firewall versions.
The vulnerability resides in the CLI command of Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, and VPN series firmware versions 4.30 through 5.35. The vulnerability can be exploited by a remote, authenticated attacker to execute some OS commands.
The last vulnerability addressed by the company is an XSS vulnerability, tracked as CVE-2023-27990, that affects some firewall versions.
“The XSS vulnerability in some firewall versions could allow an authenticated attacker with administrator privileges to store malicious scripts in a vulnerable device.” reads the advisory published by the vendor. “A successful XSS attack could then result in the stored malicious scripts being executed when the user visits the Logs page of the GUI on the device.”
Both CVE-2023-27990 and CVE-2023-27991 were reported by Alessandro Sgreccia from Tecnical Service SRL.
Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:
Please nominate Security Affairs as your favorite blog.
Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Zyxel firewalls)