[SA] Zyxel Security Advisory - security advisory for multiple vulnerabilities in firewalls

CVEs: CVE-2024-6343, CVE-2024-7203, CVE-2024-42057, CVE-2024-42058, CVE-2024-42059, CVE-2024-42060, CVE-2024-42061

Summary

Zyxel has released patches addressing multiple vulnerabilities in some firewall versions. Users are advised to install the patches for optimal protection.

What are the vulnerabilities?

CVE-2024-6343

A buffer overflow vulnerability in the CGI program of some firewall versions could allow an authenticated attacker with administrator privileges to cause denial of service (DoS) conditions by sending a crafted HTTP request to a vulnerable device.

CVE-2024-7203

A post-authentication command injection vulnerability in some firewall versions could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands on an affected device by executing a crafted CLI command.

CVE-2024-42057

A command injection vulnerability in the IPSec VPN feature of some firewall versions could allow an unauthenticated attacker to execute some OS commands on an affected device by sending a crafted username to the vulnerable device. Note that this attack could be successful only if the device was configured in User-Based-PSK authentication mode and a valid user with a long username exceeding 28 characters exists.

CVE-2024-42058

A null pointer dereference vulnerability in some firewall versions could allow an unauthenticated attacker to cause DoS conditions by sending crafted packets to a vulnerable device.

CVE-2024-42059

A post-authentication command injection vulnerability in some firewall versions could allow an authenticated attacker with administrator privileges to execute some OS commands on an affected device by uploading a crafted compressed language file via FTP.

CVE-2024-42060

A post-authentication command injection vulnerability in some firewall versions could allow an authenticated attacker with administrator privileges to execute some OS commands on an affected device by uploading a crafted internal user agreement file to the vulnerable device.

CVE-2024-42061

A reflected cross-site scripting (XSS) vulnerability in the CGI program “dynamic_script.cgi” of some firewall versions could allow an attacker to trick a user into visiting a crafted URL with the XSS payload. The attacker could obtain browser-based information if the malicious script is executed in the victim’s browser.

What versions are vulnerable—and what should you do?

After a thorough investigation, we have identified the vulnerable products that are within their vulnerability support period and released updates to address the vulnerabilities, as shown in the table below.

Affected versions and patch availability:

| Firewall series | CVE-2024-6343 | CVE-2024-7203 | CVE-2024-42057 | CVE-2024-42058 | CVE-2024-42059 | CVE-2024-42060 | CVE-2024-42061 | Patch availability |
|---|---|---|---|---|---|---|---|---|
| ATP | ZLD V4.32 to V5.38 | ZLD V4.60 to V5.38 | ZLD V4.32 to V5.38 | ZLD V4.32 to V5.38 | ZLD V5.00 to V5.38 | ZLD V4.32 to V5.38 | ZLD V4.32 to V5.38 | ZLD V5.39 |
| USG FLEX | ZLD V4.50 to V5.38 | ZLD V4.60 to V5.38 | ZLD V4.50 to V5.38 | ZLD V4.50 to V5.38 | ZLD V5.00 to V5.38 | ZLD V4.50 to V5.38 | ZLD V4.50 to V5.38 | ZLD V5.39 |
| USG FLEX 50(W) / USG20(W)-VPN | ZLD V4.16 to V5.38 | Not affected | ZLD V4.16 to V5.38 | ZLD V4.20 to V5.38 | ZLD V5.00 to V5.38 | ZLD V4.16 to V5.38 | ZLD V4.16 to V5.38 | ZLD V5.39 |
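The table above is what an operator needs to triage a firewall fleet, but applying it by hand across many devices is error-prone. The following script is an added example, not Zyxel's own tooling: it encodes the advisory's affected ranges, parses ZLD version strings of the form "ZLD V5.38" (trailing patch-level text, if present, is ignored, which is an assumption about how inventories record versions), and reports for each device which of the seven CVEs apply and whether the V5.39 patch is needed. The inventory entries are constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected ranges copied from the advisory table: (first affected, last affected) per series.
# None means the series is listed as "Not affected" for that CVE.
AFFECTED: Dict[str, Dict[str, Optional[Tuple[str, str]]]] = {
    "ATP": {
        "CVE-2024-6343": ("V4.32", "V5.38"),
        "CVE-2024-7203": ("V4.60", "V5.38"),
        "CVE-2024-42057": ("V4.32", "V5.38"),
        "CVE-2024-42058": ("V4.32", "V5.38"),
        "CVE-2024-42059": ("V5.00", "V5.38"),
        "CVE-2024-42060": ("V4.32", "V5.38"),
        "CVE-2024-42061": ("V4.32", "V5.38"),
    },
    "USG FLEX": {
        "CVE-2024-6343": ("V4.50", "V5.38"),
        "CVE-2024-7203": ("V4.60", "V5.38"),
        "CVE-2024-42057": ("V4.50", "V5.38"),
        "CVE-2024-42058": ("V4.50", "V5.38"),
        "CVE-2024-42059": ("V5.00", "V5.38"),
        "CVE-2024-42060": ("V4.50", "V5.38"),
        "CVE-2024-42061": ("V4.50", "V5.38"),
    },
    "USG FLEX 50(W)/USG20(W)-VPN": {
        "CVE-2024-6343": ("V4.16", "V5.38"),
        "CVE-2024-7203": None,
        "CVE-2024-42057": ("V4.16", "V5.38"),
        "CVE-2024-42058": ("V4.20", "V5.38"),
        "CVE-2024-42059": ("V5.00", "V5.38"),
        "CVE-2024-42060": ("V4.16", "V5.38"),
        "CVE-2024-42061": ("V4.16", "V5.38"),
    },
}

# Fixed release for all three series according to the advisory.
PATCHED_VERSION = "V5.39"


def parse_zld(version: str) -> Tuple[int, int]:
    """Turn 'ZLD V5.38' (optionally followed by patch-level text) into (5, 38).

    Comparing integer tuples avoids the classic string-comparison bug where
    'V4.50' would sort before 'V4.6'.
    """
    m = re.fullmatch(r"(?:ZLD\s*)?V(\d+)\.(\d+)(?:\s.*)?", version.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {version!r}")
    return int(m.group(1)), int(m.group(2))


def applicable_cves(series: str, version: str) -> List[str]:
    """Return the CVEs from the advisory whose affected range contains this version."""
    if series not in AFFECTED:
        raise KeyError(f"series {series!r} is not covered by this advisory")
    v = parse_zld(version)
    hits = []
    for cve, rng in AFFECTED[series].items():
        if rng is None:
            continue  # "Not affected" for this series
        lo, hi = parse_zld(rng[0]), parse_zld(rng[1])
        if lo <= v <= hi:
            hits.append(cve)
    return hits


def needs_patch(version: str) -> bool:
    """True when the running version is older than the fixed release."""
    return parse_zld(version) < parse_zld(PATCHED_VERSION)


def triage(inventory: List[Tuple[str, str, str]]) -> List[dict]:
    """Evaluate (hostname, series, version) records and return one finding per device."""
    findings = []
    for host, series, version in inventory:
        cves = applicable_cves(series, version)
        findings.append({
            "host": host,
            "series": series,
            "version": version,
            "cves": cves,
            "action": f"upgrade to ZLD {PATCHED_VERSION}" if cves else "none",
        })
    return findings


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = [
    ("fw-edge-01", "ATP", "ZLD V5.38"),
    ("fw-branch-02", "USG FLEX 50(W)/USG20(W)-VPN", "ZLD V4.16"),
    ("fw-hq-03", "USG FLEX", "ZLD V5.39"),
    ("fw-lab-04", "ATP", "ZLD V4.50"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['host']:<14}{f['series']:<30}{f['version']:<12}{len(f['cves'])} CVE(s)  -> {f['action']}")
```

Note that the advisory lists versions only at major.minor granularity, so the check treats every patch level of V5.38 as affected; confirm against the release notes if a device reports an intermediate build.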

Do you have a question?

Please get in touch with your local service rep or visit Zyxel’s Community for further information or assistance.

Acknowledgement

Thanks to the following security researchers and consultancies:

  • Nanyu Zhong and Jinwei Dong from VARAS@IIE for CVE-2024-6343
  • Alessandro Sgreccia and Manuel Roccon from HackerHood for CVE-2024-7203
  • nella17 from DEVCORE for CVE-2024-42057, CVE-2024-42058, CVE-2024-42059, CVE-2024-42060, and CVE-2024-42061

Revision history

2024-9-3: Initial release