Zyxel security advisory for multiple buffer overflow vulnerabilities of firewalls
CVEs: CVE-2023-33009, CVE-2023-33010
Summary
Zyxel has released patches for firewalls affected by multiple buffer overflow vulnerabilities. Users are advised to install them for optimal protection.
What are the vulnerabilities?
CVE-2023-33009
A buffer overflow vulnerability in the notification function in some firewall versions could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device.
CVE-2023-33010
A buffer overflow vulnerability in the ID processing function in some firewall versions could allow an unauthenticated attacker to cause DoS conditions and even a remote code execution on an affected device.
What versions are vulnerable—and what should you do?
After a thorough investigation, we’ve identified the vulnerable firewall series that are within their vulnerability support period and released patches to address the vulnerability, as shown in the table below.
Affected series | Affected version for CVE-2023-33009 | Affected version for CVE-2023-33010 | Patch availability |
---|---|---|---|
ATP | ZLD V4.60 to V5.36 Patch 1 | ZLD V4.32 to V5.36 Patch 1 | ZLD V5.36 Patch 2 |
USG FLEX | ZLD V4.60 to V5.36 Patch 1 | ZLD V4.50 to V5.36 Patch 1 | ZLD V5.36 Patch 2 |
USG FLEX50(W) / USG20(W)-VPN | ZLD V4.60 to V5.36 Patch 1 | ZLD V4.25 to V5.36 Patch 1 | ZLD V5.36 Patch 2 |
VPN | ZLD V4.60 to V5.36 Patch 1 | ZLD V4.30 to V5.36 Patch 1 | ZLD V5.36 Patch 2 |
ZyWALL/USG | ZLD V4.60 to V4.73 Patch 1 | ZLD V4.25 to V4.73 Patch 1 | ZLD V4.73 Patch 2 |
Got a question?
Please contact your local service rep or visit Zyxel’s Community for further information or assistance.
Acknowledgment
Thanks to the following security consultancies:
- Lays and atdog from TRAPA Security, followed by
- STAR Labs SG
Revision history
2023-5-24: Initial release.
2023-6-15: Modified the affected firmware versions