Zyxel security advisory for multiple vulnerabilities of firewalls, AP controllers, and APs

CVEs: CVE-2022-0734, CVE-2022-26531, CVE-2022-26532, CVE-2022-0910

 

Summary

Zyxel is aware of multiple vulnerabilities reported by security consultancies and advises users to install the applicable firmware updates for optimal protection.

 

What are the vulnerabilities?

CVE-2022-0734

A cross-site scripting vulnerability was identified in the CGI program of some firewall versions that could allow an attacker to obtain some information stored in the user’s browser, such as cookies or session tokens, via a malicious script.

CVE-2022-26531

Multiple improper input validation flaws were identified in some CLI commands of some firewall, AP controller, and AP versions that could allow a locally authenticated attacker to cause a buffer overflow or a system crash via a crafted payload.

CVE-2022-26532

A command injection vulnerability in the "packet-trace" CLI command of some firewall, AP controller, and AP versions could allow a locally authenticated attacker to execute arbitrary OS commands by including crafted arguments to the command.

CVE-2022-0910

An authentication bypass vulnerability caused by the lack of a proper access control mechanism has been found in the CGI program of some firewall versions. The flaw could allow an attacker to downgrade from two-factor authentication to one-factor authentication via an IPsec VPN client.

 

What versions are vulnerable—and what should you do?

After a thorough investigation, we’ve identified the vulnerable products that are within their vulnerability support period and released patches to address the CVEs, as shown in the tables below.

 

Table 1. Firewalls affected by CVE-2022-0734, CVE-2022-26531, CVE-2022-26532, and CVE-2022-0910

Firewall Affected version Patch availability
CVE-2022-0734 CVE-2022-26531 CVE-2022-26532 CVE-2022-0910
USG/ZyWALL ZLD V4.35~V4.70 ZLD V4.09~V4.71 ZLD V4.09~V4.71 ZLD V4.32~V4.71 ZLD V4.72
USG FLEX ZLD V4.50~V5.20 ZLD V4.50~V5.21 ZLD V4.50~V5.21 ZLD V4.50~V5.21 ZLD V5.30
ATP ZLD V4.35~V5.20 ZLD V4.32~V5.21 ZLD V4.32~V5.21 ZLD V4.32~V5.21 ZLD V5.30
VPN ZLD V4.35~V5.20 ZLD V4.30~V5.21 ZLD V4.30~V5.21 ZLD V4.32~V5.21 ZLD V5.30
NSG Not affected V1.00~V1.33 Patch 4 V1.00~V1.33 Patch 4 Not affected V1.33 Patch 5 through Nebula Upgrade

 

Table 2. AP controllers affected by CVE-2022-26531 and CVE-2022-26532

AP Controller Affected version Patch availability
CVE-2022-26531 and CVE-2022-26532
NXC2500 6.10(AAIG.3) and earlier Download
NXC5500 6.10(AAOS.3) and earlier Download

Table 3. APs affected by CVE-2022-26531 and CVE-2022-26532
[Download from Download Libary]

AP Affected version Patch availability
CVE-2022-26531 and CVE-2022-26532
NAP203 6.25(ABFA.7) and earlier 6.25(ABFA.8)
NAP303 6.25(ABEX.7) and earlier 6.25(ABEX.8)
NAP353 6.25(ABEY.7) and earlier 6.25(ABEY.8)
NWA50AX 6.25(ABYW.5) and earlier 6.25(ABYW.8)
NWA55AXE 6.25(ABZL.5) and earlier 6.25(ABZL.8)
NWA90AX 6.27(ACCV.2) and earlier 6.27(ACCV.3)
NWA110AX 6.30(ABTG.2) and earlier 6.30(ABTG.3)
NWA210AX 6.30(ABTD.2) and earlier 6.30(ABTD.3)
NWA1123-AC-HD 6.25(ABIN.6) and earlier 6.25(ABIN.8)
NWA1123-AC-PRO 6.25(ABHD.7) and earlier 6.25(ABHD.8)
NWA1123ACv3 6.30(ABVT.2) and earlier 6.30(ABVT.3)
NWA1302-AC 6.25(ABKU.6) and earlier 6.25(ABKU.8)
NWA5123-AC-HD 6.25(ABIM.6) and earlier 6.25(ABIM.8)
WAC500H 6.30(ABWA.2) and earlier 6.30(ABWA.3)
WAC500 6.30(ABVS.2) and earlier 6.30(ABVS.3)
WAC5302D-S 6.10(ABFH.10) and earlier Download
WAC5302D-Sv2 6.25(ABVZ.6) and earlier 6.25(ABVZ.8)
WAC6103D-I 6.25(AAXH.7) and earlier 6.25(AAXH.8)
WAC6303D-S 6.25(ABGL.6) and earlier 6.25(ABGL.8)
WAC6502D-E 6.25(AASD.7) and earlier 6.25(AASD.8)
WAC6502D-S 6.25(AASE.7) and earlier 6.25(AASE.8)
WAC6503D-S 6.25(AASF.7) and earlier 6.25(AASF.8)
WAC6553D-E 6.25(AASG.7) and earlier 6.25(AASG.8)
WAC6552D-S 6.25(ABIO.7) and earlier 6.25(ABIO.8)
WAX510D 6.30(ABTF.2) and earlier 6.30(ABTF.3)
WAX610D 6.30(ABTE.2) and earlier 6.30(ABTE.3)
WAX630S 6.30(ABZD.2) and earlier 6.30(ABZD.3)
WAX650S 6.30(ABRM.2) and earlier 6.30(ABRM.3)

 

Got a question?

Please contact us, if need further assistance!

 

Acknowledgment

Thanks to the following security consultancies for reporting the issues to us:

  • Riccardo Krauter at Soter IT Security for CVE-2022-0734
  • HN Security for CVE-2022-26531 and CVE-2022-26532
  • Ascend PC for CVE-2022-0910

 

Revision history

2022-05-24: Initial release

Articles in this section

Was this article helpful?
0 out of 1 found this helpful
Share