Zyxel security advisory for multiple buffer overflow vulnerabilities of firewalls
CVEs: CVE-2023-33009, CVE-2023-33010
Zyxel has released patches for firewalls affected by multiple buffer overflow vulnerabilities. Users are advised to install them for optimal protection.
What are the vulnerabilities?
A buffer overflow vulnerability in the notification function in some firewall versions could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device.
A buffer overflow vulnerability in the ID processing function in some firewall versions could allow an unauthenticated attacker to cause DoS conditions and even a remote code execution on an affected device.
What versions are vulnerable—and what should you do?
After a thorough investigation, we’ve identified the vulnerable firewall series that are within their vulnerability support period and released patches to address the vulnerability, as shown in the table below.
|Affected series||Affected version for CVE-2023-33009||Affected version for CVE-2023-33010||Patch availability|
|ATP||ZLD V4.60 to V5.36 Patch 1||ZLD V4.32 to V5.36 Patch 1||ZLD V5.36 Patch 2|
|USG FLEX||ZLD V4.60 to V5.36 Patch 1||ZLD V4.50 to V5.36 Patch 1||ZLD V5.36 Patch 2|
|USG FLEX50(W) / USG20(W)-VPN||ZLD V4.60 to V5.36 Patch 1||ZLD V4.25 to V5.36 Patch 1||ZLD V5.36 Patch 2|
|VPN||ZLD V4.60 to V5.36 Patch 1||ZLD V4.30 to V5.36 Patch 1||ZLD V5.36 Patch 2|
|ZyWALL/USG||ZLD V4.60 to V4.73 Patch 1||ZLD V4.25 to V4.73 Patch 1||ZLD V4.73 Patch 2|
Got a question?
Please contact your local service rep or visit Zyxel’s Community for further information or assistance.
Thanks to the following security consultancies:
- Lays and atdog from TRAPA Security, followed by
- STAR Labs SG
2023-5-24: Initial release.
2023-6-15: Modified the affected firmware versions