Zyxel security advisory for multiple vulnerabilities in firewalls
CVEs: CVE-2024-6343, CVE-2024-7203, CVE-2024-42057, CVE-2024-42058, CVE-2024-42059, CVE-2024-42060, CVE-2024-42061
Summary
Zyxel has released patches addressing multiple vulnerabilities in some firewall versions. Users are advised to install the patches for optimal protection.
What are the vulnerabilities?
CVE-2024-6343
A buffer overflow vulnerability in the CGI program of some firewall versions could allow an authenticated attacker with administrator privileges to cause denial of service (DoS) conditions by sending a crafted HTTP request to a vulnerable device.
CVE-2024-7203
A post-authentication command injection vulnerability in some firewall versions could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands on an affected device by executing a crafted CLI command.
CVE-2024-42057
A command injection vulnerability in the IPSec VPN feature of some firewall versions could allow an unauthenticated attacker to execute some OS commands on an affected device by sending a crafted username to the vulnerable device. Note that this attack could be successful only if the device was configured in User-Based-PSK authentication mode and a valid user with a long username exceeding 28 characters exists.
CVE-2024-42058
A null pointer dereference vulnerability in some firewall versions could allow an unauthenticated attacker to cause DoS conditions by sending crafted packets to a vulnerable device.
CVE-2024-42059
A post-authentication command injection vulnerability in some firewall versions could allow an authenticated attacker with administrator privileges to execute some OS commands on an affected device by uploading a crafted compressed language file via FTP.
CVE-2024-42060
A post-authentication command injection vulnerability in some firewall versions could allow an authenticated attacker with administrator privileges to execute some OS commands on an affected device by uploading a crafted internal user agreement file to the vulnerable device.
CVE-2024-42061
A reflected cross-site scripting (XSS) vulnerability in the CGI program “dynamic_script.cgi” of some firewall versions could allow an attacker to trick a user into visiting a crafted URL with the XSS payload. The attacker could obtain browser-based information if the malicious script is executed on the victim’s browser.
What versions are vulnerable—and what should you do?
After a thorough investigation, we have identified the vulnerable products that are within their vulnerability support period and released updates to address the vulnerabilities, as shown in the table below.
| Firewall series | Affected version (CVE-2024-6343) | Affected version (CVE-2024-7203) | Affected version (CVE-2024-42057) | Affected version (CVE-2024-42058) | Affected version (CVE-2024-42059) | Affected version (CVE-2024-42060) | Affected version (CVE-2024-42061) | Patch availability |
|---|---|---|---|---|---|---|---|---|
| ATP | ZLD V4.32 to V5.38 | ZLD V4.60 to V5.38 | ZLD V4.32 to V5.38 | ZLD V4.32 to V5.38 | ZLD V5.00 to V5.38 | ZLD V4.32 to V5.38 | ZLD V4.32 to V5.38 | ZLD V5.39 |
| USG FLEX | ZLD V4.50 to V5.38 | ZLD V4.60 to V5.38 | ZLD V4.50 to V5.38 | ZLD V4.50 to V5.38 | ZLD V5.00 to V5.38 | ZLD V4.50 to V5.38 | ZLD V4.50 to V5.38 | ZLD V5.39 |
| USG FLEX 50(W)/USG20(W)-VPN | ZLD V4.16 to V5.38 | Not affected | ZLD V4.16 to V5.38 | ZLD V4.20 to V5.38 | ZLD V5.00 to V5.38 | ZLD V4.16 to V5.38 | ZLD V4.16 to V5.38 | ZLD V5.39 |
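The table above can be applied to a device inventory with a short script. The following is an added example, not Zyxel code: the function names, the firmware string format `V5.38(XXXX.0)` and the inventory rows are assumptions, while the version ranges and the CVE-2024-42057 precondition are taken from this advisory.

```python
import re

# Inclusive affected ranges from the advisory table; every range ends at V5.38.
CVES = ["CVE-2024-6343", "CVE-2024-7203", "CVE-2024-42057", "CVE-2024-42058",
        "CVE-2024-42059", "CVE-2024-42060", "CVE-2024-42061"]
FIRST_AFFECTED = {  # None = "Not affected"
    "ATP": ["4.32", "4.60", "4.32", "4.32", "5.00", "4.32", "4.32"],
    "USG FLEX": ["4.50", "4.60", "4.50", "4.50", "5.00", "4.50", "4.50"],
    "USG FLEX 50(W)/USG20(W)-VPN":
        ["4.16", None, "4.16", "4.20", "5.00", "4.16", "4.16"],
}
LAST_AFFECTED = (5, 38)
PATCHED = "ZLD V5.39"
LONG_USERNAME = 28  # CVE-2024-42057 needs a valid username exceeding 28 chars


def parse_version(text):
    """Extract (major, minor) from strings such as 'V5.38(XXXX.0)' (assumed format)."""
    match = re.search(r"(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no firmware version in {text!r}")
    return int(match.group(1)), int(match.group(2))


def affected_cves(series, firmware, user_based_psk=False, usernames=()):
    """Return {cve: note} for CVEs whose affected range contains the firmware."""
    version = parse_version(firmware)
    hits = {}
    for cve, first in zip(CVES, FIRST_AFFECTED[series]):
        if first is None or not parse_version(first) <= version <= LAST_AFFECTED:
            continue
        note = f"in affected range, fixed in {PATCHED}"
        if cve == "CVE-2024-42057":
            met = user_based_psk and any(len(u) > LONG_USERNAME for u in usernames)
            note += "; stated precondition " + ("met" if met else "not met")
        hits[cve] = note
    return hits


if __name__ == "__main__":
    # Constructed inventory rows, not real devices.
    inventory = [("ATP", "V5.38(XXXX.0)", True, ["branch-office-vpn-service-account"]),
                 ("USG FLEX 50(W)/USG20(W)-VPN", "V4.16(XXXX.0)", False, []),
                 ("USG FLEX", "V5.39(XXXX.0)", False, [])]
    for series, fw, psk, users in inventory:
        print(series, fw, affected_cves(series, fw, psk, users) or "no match in table")
```

A device that matches a range is listed even when the CVE-2024-42057 precondition is not met in the supplied configuration, since the firmware itself is still within the affected range.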
Got a question?
Please contact your local service rep or visit Zyxel’s Community for further information or assistance.
Acknowledgment
Thanks to the following security researchers and consultancies:
- Nanyu Zhong and Jinwei Dong from VARAS@IIE for CVE-2024-6343
- Alessandro Sgreccia and Manuel Roccon from HackerHood for CVE-2024-7203
- nella17 from DEVCORE for CVE-2024-42057, CVE-2024-42058, CVE-2024-42059, CVE-2024-42060, and CVE-2024-42061
Revision history
2024-9-3: Initial release
