Pierluigi Paganini
June 04, 2023
Zyxel has published guidance for protecting firewall and VPN devices from ongoing attacks exploiting CVE-2023-28771, CVE-2023-33009, and CVE-2023-33010 vulnerabilities.
“Simultaneously, Zyxel has been urging users to install the patches through multiple channels, including issuing several security advisory newsletters to registered users and advisory subscribers; notifying users to upgrade via the Web GUI’s push notification for on-premises devices; and enforcing scheduled firmware upgrades for cloud-based devices that haven’t yet done so.” reads the guidance published by the vendor.
Threat actors are actively attempting to exploit the command injection vulnerability CVE-2023-28771 impacting Zyxel firewalls. Their objective is to leverage this vulnerability to deploy and install malware on the affected systems. US CISA added the vulnerability to its Known Exploited Vulnerability to Catalog based on evidence of active exploitation.
In late April, Zyxel addressed the critical vulnerability CVE-2023-28771 (CVSS score 9.8) in its firewall devices. The company promptly advised customers to install the provided patches in order to mitigate the vulnerability.
The vulnerability is being actively exploited to recruit vulnerable devices in a Mirai-like botnet.
The other two issues, tracked as CVE-2023-33009 and CVE-2023-33010, are critical buffer overflow vulnerabilities. A remote, unauthenticated attacker can can trigger the flaws to cause a denial-of-service (DoS) condition and remote code execution on vulnerable devices.
The company states that devices under attack become unresponsive and their Web GUI or SSH management interface are not reachable.
Symptoms of attacks include network interruptions and VPN connections disconnecting.
The following table includes products and firmware versions affected by these flaws and the latest firmware updates addressing the issues.
| Affected series | Affected versions for CVE 2023 28771 | Affected versions for CVE 2023 33009/CVE 2023 33010 | Latest firmware |
|---|---|---|---|
| ATP | ZLD V4.60 to V5.35 | ZLD V4.32 to V5.36 Patch 1 | ZLD V5.36 Patch 2 |
| USG FLEX | ZLD V4.60 to V5.35 | ZLD V4.50 to V5.36 Patch 1 | ZLD V5.36 Patch 2 |
| USG FLEX50(W) / USG20(W)-VPN | N/A | ZLD V4.25 to V5.36 Patch 1 | ZLD V5.36 Patch 2 |
| VPN | ZLD V4.60 to V5.35 | ZLD V4.30 to V5.36 Patch 1 | ZLD V5.36 Patch 2 |
| ZyWALL/USG | ZLD V4.60 to V4.73 | ZLD V4.25 to V4.73 Patch 1 | ZLD V4.73 Patch 2 |
Zyxel also provides mitigation measures for these vulnerabilities such as disabling HTTP/HTTPS services from WAN (Wide Area Network).
If admins need to manage devices from the WAN side, enable Policy Control and add rules to only allow access from trusted source IP addresses. The guidance also recommends enabling GeoIP filtering to only allow access from trusted locations.
Zyxel also recommends disabling UDP Port 500 and Port 4500 if there is no requirement for the IPSec VPN function
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, firewall)
