[SA] Security Advisory - Zyxel security advisory for buffer overflow vulnerabilities in some 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, WiFi extender, and home router devices

Zyxel security advisory for buffer overflow vulnerabilities in some 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, WiFi extender, and home router devices

CVEs: CVE-2023-37929, CVE-2024-0816

Summary

Zyxel has released patches for some 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, WiFi extender, and home router devices affected by buffer overflow vulnerabilities. Users are advised to install them for optimal protection.

What are the vulnerabilities?

CVE-2023-37929

This buffer overflow vulnerability in the CGI program of some DSL/Ethernet CPE, WiFi extender, and home router devices could allow an authenticated remote attacker to cause denial of service (DoS) conditions by sending a crafted HTTP request to a vulnerable device.

CVE-2024-0816

This buffer overflow vulnerability in some 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, WiFi extender, and home router devices could allow an authenticated local attacker to cause DoS conditions by executing the CLI command with crafted strings on an affected device.

What versions are vulnerable—and what should you do?

After a thorough investigation, we’ve identified the vulnerable products that are within their vulnerability support period and released patches to address the vulnerabilities, as shown in the tables below.

Table 1. Models affected by CVE-2023-37929

Product Affected model Affected version Patch availability*
DSL/Ethernet CPE DX3300-T1 V5.50(ABVY.4)C0 V5.50(ABVY.4.2)C0
DX3301-T0 V5.50(ABVY.4)C0 V5.50(ABVY.4.2)C0
DX4510 V5.17(ABYL.5)C0 V5.17(ABYL.6)C0
DX5401-B0 V5.17(ABYO.5)C0 V5.17(ABYO.5.1)C0
DX5401-B1 V5.17(ABYO.5)C0 V5.17(ABYO.5.1)C0
EMG3525-T50B V5.50(ABPM.8)C0 V5.50(ABPM.8.1)C0
EMG5523-T50B V5.50(ABPM.8)C0 V5.50(ABPM.8.1)C0
EMG5723-T50K V5.50(ABOM.8.2)C0 V5.50(ABOM.8.3)C0
EX3300-T1 V5.50(ABVY.4)C0 V5.50(ABVY.4.2)C0
EX3301-T0 V5.50(ABVY.4)C0 V5.50(ABVY.4.2)C0
EX3500-T0 V5.44(ACHR.0)C0 V5.44(ACHR.1)C0
EX3501-T0 V5.44(ACHR.0)C0 V5.44(ACHR.1)C0
EX3510 V5.17(ABUP.9)C0 V5.17(ABUP.11)C0
EX5401-B0 V5.17(ABYO.5)C0 V5.17(ABYO.5.1)C0
EX5401-B1 V5.17(ABYO.5)C0 V5.17(ABYO.5.1)C0
EX5501-B0 V5.17(ABRY.4)C0 V5.17(ABRY.5)C0
EX5510 V5.17(ABQX.8)C0 V5.17(ABQX.9)C0
EX5512-T0 V5.70(ACEG.2)C0 V5.70(ACEG.3)C0
EX5600-T1 V5.70(ACDZ.2)C0 V5.70(ACDZ.2.4)C0
EX5601-T0 V5.70(ACDZ.2)C0 V5.70(ACDZ.2.4)C0
EX5601-T1 V5.70(ACDZ.2)C0 V5.70(ACDZ.2.4)C0
EX7710-B0 V5.18(ACAK.0)C0 V5.18(ACAK.1)C0
VMG3625-T50B V5.50(ABPM.8)C0 V5.50(ABPM.8.1)C0
VMG3927-T50K V5.50(ABOM.8.2)C0 V5.50(ABOM.8.3)C0
VMG8623-T50B V5.50(ABPM.8)C0 V5.50(ABPM.8.1)C0
VMG8825-T50K V5.50(ABOM.8.2)C0 V5.50(ABOM.8.3)C0
Fiber ONT AX7501-B0 V5.17(ABPC.4)C0 V5.17(ABPC.4.1)C0
AX7501-B1 V5.17(ABPC.4)C0 V5.17(ABPC.4.1)C0
WiFi extender WX3100-T0 V5.50(ABVL.3)C0 V5.50(ABVL.4)C0
WX5600-T0 V5.70(ACEB.2)C0 V5.70(ACEB.2.2)C0
WX5610-B0 V5.18(ACGJ.0)C0 V5.18(ACGJ.0)C1
Home router NBG7510 V1.00(ABZY.5)C0 V1.00(ABZY.6)C0

*Please reach out to your local Zyxel support team for the file.

Table 2. Models affected by CVE-2024-0816

Product Affected model Affected version Patch availability*
5G NR/4G LTE CPE LTE3202-M437 V1.00(ABWF.3)C0

Hotfix is available

Standard patch V1.00(ABWF.4)C0 in August 2024

LTE3301-Plus V1.00(ABQU.5)C0

Hotfix is available

Standard patch V1.00(ABQU.6)C0 in August 2024

LTE5388-M804 V1.00(ABSQ.4)C0

Hotfix is available

Standard patch V1.00(ABSQ.5)C0 in August 2024

LTE5398-M904 V1.00(ABQV.4)C0

Hotfix is available

Standard patch V1.00(ABQV.5)C0 in August 2024

LTE7240-M403 V2.00(ABMG.7)C0

Hotfix is available

Standard patch V2.00(ABMG.8)C0 in August 2024

LTE7480-M804 V1.00(ABRA.8)C0

Hotfix is available

Standard patch V1.00(ABRA.9)C0 in August 2024

LTE7490-M904 V1.00(ABQY.7)C0

Hotfix is available

Standard patch V1.00(ABQY.8)C0 in August 2024

NR5103 V4.19(ABYC.5)C0

Hotfix is available

Standard patch V4.19(ABYC.6)C0 in August 2024

NR5103E V1.00(ACDJ.1)b3

Hotfix is available

Standard patch V1.00(ACDJ.2)C0 in August 2024

NR5103EV2 V1.00(ACIQ.0)C0

Hotfix is available

Standard patch V1.00(ACIQ.1)C0 in August 2024

NR5307 V1.00(ACJT.0)b4

Hotfix is available

Standard patch V1.00(ACJT.0)C0 in August 2024

NR7101 V1.00(ABUV.9)C0

Hotfix is available

Standard patch V1.00(ABUV.10)C0 in August 2024

NR7102 V1.00(ABYD.2)C0

Hotfix is available

Standard patch V1.00(ABYD.3)C0 in August 2024

NR7103 V1.00(ACCZ.2)C0

Hotfix is available

Standard patch V1.00(ACCZ.3)C0 in August 2024

NR7302 V1.00(ACHA.2)C0

Hotfix is available

Standard patch V1.00(ACHA.3)C0 in August 2024

NR7303 V1.00(ACEI.0)C0

Hotfix is available

Standard patch V1.00(ACEI.1)C0 in August 2024

NR7501 V1.00(ACEH.0)C0

Hotfix is available

Standard patch V1.00(ACEH.1)C0 in August 2024

Nebula FWA505 V1.18(ACKO.1)C0

Hotfix is available

Standard patch V1.18(ACKO.2)C0 in July 2024

Nebula FWA510 V1.18(ACGD.1)C0

Hotfix is available

Standard patch V1.18(ACGD.2)C0 in July 2024

Nebula FWA710 V1.17(ACGC.0)C0

Hotfix is available

Standard patch V1.18(ACGC.2) in July 2024

Nebula LTE3301-PLUS V1.17(ACCA.0)C0

Hotfix is available

Standard patch V1.18(ACCA.2)C0 in July 2024

Nebula LTE7461-M602 V1.15(ACEV.3)C0 Hotfix is available
Nebula NR5101 V1.16(ACCG.0)C0 Hotfix is available
Nebula NR7101 V1.16(ACCC.0)C0 Hotfix is available
DSL/Ethernet CPE DX3300-T1 V5.50(ABVY.4)C0 V5.50(ABVY.4.2)C0
DX3301-T0 V5.50(ABVY.4)C0 V5.50(ABVY.4.2)C0
DX4510 V5.17(ABYL.6)C0 V5.17(ABYL.7)C0
DX5401-B0 V5.17(ABYO.5)C0 V5.17(ABYO.5.1)C0
DX5401-B1 V5.17(ABYO.5)C0 V5.17(ABYO.5.1)C0
EMG3525-T50B V5.50(ABPM.8)C0 V5.50(ABPM.8.3)C0
EMG5523-T50B V5.50(ABPM.8)C0 V5.50(ABPM.8.3)C0
EMG5723-T50K V5.50(ABOM.8.2)C0 V5.50(ABOM.8.3)C0
EX3300-T1 V5.50(ABVY.4)C0 V5.50(ABVY.4.2)C0
EX3301-T0 V5.50(ABVY.4)C0 V5.50(ABVY.4.2)C0
EX3320-T0 V5.71(YAK.2)D0 V5.71(YAK.3)D0
EX3320-T1 V5.71(YAP.0)C0 V5.71(YAP.1)C0
EX3500-T0 V5.44(ACHR.0)C0 V5.44(ACHR.1)C0
EX3501-T0 V5.44(ACHR.0)C0 V5.44(ACHR.1)C0
EX3510 V5.17(ABUP.11)C0 V5.17(ABUP.12)C0
EX5401-B0 V5.17(ABYO.5)C0 V5.17(ABYO.5.1)C0
EX5401-B1 V5.17(ABYO.5)C0 V5.17(ABYO.5.1)C0
EX5501-B0 V5.17(ABRY.4)C0 V5.17(ABRY.5)C0
EX5510 V5.17(ABQX.9)C0 V5.17(ABQX.10)C0
EX5512-T0 V5.70(ACEG.2)C0 V5.70(ACEG.3)C0
EX5600-T1 V5.70(ACDZ.2)C0 V5.70(ACDZ.2.4)C0
EX5601-T0 V5.70(ACDZ.2)C0 V5.70(ACDZ.2.4)C0
EX5601-T1 V5.70(ACDZ.2)C0 V5.70(ACDZ.2.4)C0
EX7710-B0 V5.18(ACAK.0)C0 V5.18(ACAK.1)C0
VMG3625-T50B V5.50(ABPM.8)C0 V5.50(ABPM.8.3)C0
VMG3927-T50K V5.50(ABOM.8.2)C0 V5.50(ABOM.8.3)C0
VMG4005-B50A V5.17(ABQA.2)C0 V5.17(ABQA.2.1)C0
VMG4005-B60A V5.17(ABQA.2)C0 V5.17(ABQA.2.1)C0
VMG8623-T50B V5.50(ABPM.8)C0 V5.50(ABPM.8.3)C0
VMG8825-T50K V5.50(ABOM.8.2)C0 V5.50(ABOM.8.3)C0
Fiber ONT AX7501-B0 V5.17(ABPC.4)C0 V5.17(ABPC.4.1)C0
AX7501-B1 V5.17(ABPC.4)C0 V5.17(ABPC.4.1)C0
PM3100-T0 V5.42(ACBF.1.2)C0 V5.42(ACBF.2)C0
PM5100-T0 V5.42(ACBF.1.2)C0 V5.42(ACBF.2)C0
PM7300-T0 V5.42(ABYY.1)C0 V5.42(ABYY.2.1)C0
PX3321-T1 V5.44(ACJB.0)C0 V5.44(ACJB.1)C0
WiFi extender WX3100-T0 V5.50(ABVL.3)C0 V5.50(ABVL.4.1)C0
WX3401-B0 V5.17(ABVE.2)C0 V5.17(ABVE.2.4)C0
WX5600-T0 V5.70(ACDZ.2)C0 V5.70(ACEB.2.2)C0
WX5610-B0 V5.18(ACGJ.0)C0 V5.18(ACGJ.0)C1
Home router NBG7510 V1.00(ABZY.6)C0 V1.00(ABZY.7)C0

*Please reach out to your local Zyxel support team for the file.

Please note that the tables do NOT include customized models for internet service providers (ISPs).

For ISPs, please contact your Zyxel sales or service representatives for further details.

For end-users who received your Zyxel device from an ISP, we recommend you reach out to the ISP’s support team directly, as the device may have custom-built settings.

For end-users who purchased your Zyxel device yourself, please contact your local Zyxel support team for the new firmware file to ensure optimal protection, or visit Zyxel’s Community for further assistance.

Got a question?

Please contact your local service rep or visit Zyxel’s Community for further information or assistance.

Acknowledgment

Thanks to the following security researchers:

  • Xingyu Xu from the Institute of Software, Chinese Academy of Sciences (ISCAS) for CVE-2023-37929
  • Marko Silokunnas from Telia Company for CVE-2024-0816

Revision history

2024-5-21: Initial release.

Articles in this section

Was this article helpful?
0 out of 1 found this helpful
Share

Comments

0 comments

Please sign in to leave a comment.