Pierluigi Paganini December 04, 2023

Zyxel addressed tens of vulnerabilities that expose users to cyber attacks, including command injection and authentication bypass.

Taiwanese vendor Zyxel addressed tens of vulnerabilities in its firewalls and access points. The addressed issues are tracked as CVE-2023-35136, CVE-2023-35139, CVE-2023-37925, CVE-2023-37926, CVE-2023-4397, CVE-2023-4398, CVE-2023-5650, CVE-2023-5797, CVE-2023-5960.

Threat actors can exploit the vulnerabilities to steal cookies, access configuration files, carry out command injection and denial-of-service attacks.

Below is the list of vulnerabilities fixed by the company:

• CVE-2023-35136 – An improper input validation vulnerability in the “Quagga” package of some firewall versions could allow an authenticated local attacker to access configuration files on an affected device.
• CVE-2023-35139 – A cross-site scripting (XSS) vulnerability in the CGI program of some firewall versions could allow an unauthenticated LAN-based attacker to store malicious scripts in a vulnerable device. A successful XSS attack could then result in the stored malicious scripts being executed to steal cookies when the user visits the specific CGI used for dumping ZTP logs.
• CVE-2023-37925 – An improper privilege management vulnerability in the debug CLI command of some firewall and AP versions could allow an authenticated local attacker to access system files on an affected device.
• CVE-2023-37926 – A buffer overflow vulnerability in some firewall versions could allow an authenticated local attacker to cause denial-of-service (DoS) conditions by executing the CLI command to dump system logs on an affected device.
• CVE-2023-4397 – A buffer overflow vulnerability in some firewall versions could allow an authenticated local attacker with administrator privileges to cause DoS conditions by executing the CLI command with crafted strings on an affected device.
• CVE-2023-4398 – An integer overflow vulnerability in the source code of the QuickSec IPSec toolkit used in the VPN feature of some firewall versions could allow a remote unauthenticated attacker to cause DoS conditions on an affected device by sending a crafted IKE packet.
• CVE-2023-5650 – An improper privilege management vulnerability in the ZySH of some firewall versions could allow an authenticated local attacker to modify the URL of the registration page in the web GUI of an affected device.
• CVE-2023-5797 – An improper privilege management vulnerability in the debug CLI command of some firewall and AP versions could allow an authenticated local attacker to access the administrator’s logs on an affected device.
• CVE-2023-5960 – An improper privilege management vulnerability in the hotspot feature of some firewall versions could allow an authenticated local attacker to access the system files on an affected device.

Zyxel also addressed authentication bypass and command injection vulnerabilities in NAS (network attached storage) NAS226 and NAS542.

Below is the list of the NAS flaws fixed by the vendor:

• CVE-2023-35137 – An improper authentication vulnerability in the authentication module in Zyxel NAS devices could allow an unauthenticated attacker to obtain system information by sending a crafted URL to a vulnerable device.
• CVE-2023-35138 – A command injection vulnerability in the “show_zysync_server_contents” function in Zyxel NAS devices could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.
• CVE-2023-37927 – The improper neutralization of special elements in the CGI program in Zyxel NAS devices could allow an authenticated attacker to execute some OS commands by sending a crafted URL to a vulnerable device.
• CVE-2023-37928 – A post-authentication command injection vulnerability in the WSGI server in Zyxel NAS devices could allow an authenticated attacker to execute some OS commands by sending a crafted URL to a vulnerable device.
• CVE-2023-4473 – A command injection vulnerability in the web server in Zyxel NAS devices could allow an unauthenticated attacker to execute some OS commands by sending a crafted URL to a vulnerable device.
• CVE-2023-4474 – The improper neutralization of special elements in the WSGI server in Zyxel NAS devices could allow an unauthenticated attacker to execute some OS commands by sending a crafted URL to a vulnerable device.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, NAS)