Zyxel security advisory for multiple vulnerabilities in firewalls and APs
CVEs: CVE-2023-35136, CVE-2023-35139, CVE-2023-37925, CVE-2023-37926, CVE-2023-4397, CVE-2023-4398, CVE-2023-5650, CVE-2023-5797, CVE-2023-5960
Summary
Zyxel has released patches addressing multiple vulnerabilities in some firewall and access point (AP) versions. Users are advised to install the patches for optimal protection.
What are the vulnerabilities?
CVE-2023-35136
An improper input validation vulnerability in the “Quagga” package of some firewall versions could allow an authenticated local attacker to access configuration files on an affected device.
CVE-2023-35139
A cross-site scripting (XSS) vulnerability in the CGI program of some firewall versions could allow an unauthenticated LAN-based attacker to store malicious scripts in a vulnerable device. A successful XSS attack could then result in the stored malicious scripts being executed to steal cookies when the user visits the specific CGI used for dumping ZTP logs.
CVE-2023-37925
An improper privilege management vulnerability in the debug CLI command of some firewall and AP versions could allow an authenticated local attacker to access system files on an affected device.
CVE-2023-37926
A buffer overflow vulnerability in some firewall versions could allow an authenticated local attacker to cause denial-of-service (DoS) conditions by executing the CLI command to dump system logs on an affected device.
CVE-2023-4397
A buffer overflow vulnerability in some firewall versions could allow an authenticated local attacker with administrator privileges to cause DoS conditions by executing the CLI command with crafted strings on an affected device.
CVE-2023-4398
An integer overflow vulnerability in the source code of the QuickSec IPSec toolkit used in the VPN feature of some firewall versions could allow a remote unauthenticated attacker to cause DoS conditions on an affected device by sending a crafted IKE packet.
CVE-2023-5650
An improper privilege management vulnerability in the ZySH of some firewall versions could allow an authenticated local attacker to modify the URL of the registration page in the web GUI of an affected device.
CVE-2023-5797
An improper privilege management vulnerability in the debug CLI command of some firewall and AP versions could allow an authenticated local attacker to access the administrator’s logs on an affected device.
CVE-2023-5960
An improper privilege management vulnerability in the hotspot feature of some firewall versions could allow an authenticated local attacker to access the system files on an affected device.
What versions are vulnerable—and what should you do?
After a thorough investigation, we have identified the vulnerable products that are within their vulnerability support period and released updates to address the vulnerabilities, as shown in the following tables.
Table 1. Firewalls affected by CVE-2023-35136, CVE-2023-35139, CVE-2023-37925, CVE-2023-37926, CVE-2023-4397, CVE-2023-4398, CVE-2023-5650, CVE-2023-5797, and CVE-2023-5960
| Firewall series | Affected version | Patch availability | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2023-35136 | CVE-2023-35139 | CVE-2023-37925 | CVE-2023-37926 | CVE-2023-4397 | CVE-2023-4398 | CVE-2023-5650 | CVE-2023-5797 | CVE-2023-5960 | ||
| ATP | ZLD V4.32 to V5.37 | ZLD V5.10 to V5.37 | ZLD V4.32 to V5.37 | ZLD V4.32 to V5.37 | ZLD V5.37 | ZLD V4.32 to V5.37 | ZLD V4.32 to V5.37 | ZLD V4.32 to V5.37 | Not affected | ZLD V5.37 Patch 1 |
| USG FLEX | ZLD V4.50 to V5.37 | ZLD V5.00 to V5.37 | ZLD V4.50 to V5.37 | ZLD V4.50 to V5.37 | ZLD V5.37 | ZLD V4.50 to V5.37 | ZLD V4.50 to V5.37 | ZLD V4.50 to V5.37 | ZLD V4.50 to V5.37 | ZLD V5.37 Patch 1 |
| USG FLEX 50(W) / USG20(W)-VPN | ZLD V4.16 to V5.37 | ZLD V5.10 to V5.37 | ZLD V4.16 to V5.37 | ZLD V4.16 to V5.37 | ZLD V5.37 | ZLD V4.16 to V5.37 | ZLD V4.16 to V5.37 | ZLD V4.16 to V5.37 | Not affected | ZLD V5.37 Patch 1 |
| VPN | ZLD V4.30 to V5.37 | ZLD V5.00 to V5.37 | ZLD V4.30 to V5.37 | ZLD V4.30 to V5.37 | Not affected | ZLD V4.30 to V5.37 | ZLD V4.30 to V5.37 | ZLD V4.30 to V5.37 | ZLD V4.30 to V5.37 | ZLD V5.37 Patch 1 |
Table 2. APs affected by CVE-2023-37925 and CVE-2023-5797
| AP model | Affected version | Patch availability |
|---|---|---|
| NWA50AX | 6.29(ABYW.2) and earlier | Hotfix by request* Standard patch 6.80(ABYW.0) in July 2024 |
| NWA50AX-PRO | 6.65(ACGE.1) and earlier | Hotfix by request* Standard patch 6.80(ACGE.0) in July 2024 |
| NWA55AXE | 6.29(ABZL.2) and earlier | Hotfix by request* Standard patch 6.80(ABZL.0) in July 2024 |
| NWA90AX | 6.29(ACCV.2) and earlier | Hotfix by request* Standard patch 6.80(ACCV.0) in July 2024 |
| NWA90AX-PRO | 6.65(ACGF.1) and earlier | Hotfix by request* Standard patch 6.80(ACGF.0) in July 2024 |
| NWA110AX | 6.65(ABTG.1) and earlier | Hotfix by request* Standard patch 6.70(ABTG.0) in January 2024 |
| NWA210AX | 6.65(ABTD.1) and earlier | Hotfix by request* Standard patch 6.70(ABTD.0) in January 2024 |
| NWA220AX-6E | 6.65(ACCO.1) and earlier | Hotfix by request* Standard patch 6.70(ACCO.0) in January 2024 |
| NWA1123ACv3 | 6.65(ABVT.1) and earlier | Hotfix by request* Standard patch 6.70(ABVT.0) in January 2024 |
| WAC500 | 6.65(ABVS.1) and earlier | Hotfix by request* Standard patch 6.70(ABVS.0) in January 2024 |
| WAC500H | 6.65(ABWA.1) and earlier | Hotfix by request* Standard patch 6.70(ABWA.0) in January 2024 |
| WAX300H | 6.60(ACHF.1) and earlier | Hotfix by request* Standard patch 6.70(ACHF.0) in January 2024 |
| WAX510D | 6.65(ABTF.1) and earlier | Hotfix by request* Standard patch 6.70(ABTF.0) in January 2024 |
| WAX610D | 6.65(ABTE.1) and earlier | Hotfix by request* Standard patch 6.70(ABTE.0) in January 2024 |
| WAX620D-6E | 6.65(ACCN.1) and earlier | Hotfix by request* Standard patch 6.70(ACCN.0) in January 2024 |
| WAX630S | 6.65(ABZD.1) and earlier | Hotfix by request* Standard patch 6.70(ABZD.0) in January 2024 |
| WAX640S-6E | 6.65(ACCM.1) and earlier | Hotfix by request* Standard patch 6.70(ACCM.0) in January 2024 |
| WAX650S | 6.65(ABRM.1) and earlier | Hotfix by request* Standard patch 6.70(ABRM.0) in January 2024 |
| WAX655E | 6.65(ACDO.1) and earlier | Hotfix by request* Standard patch 6.70(ACDO.0) in January 2024 |
| WBE660S | 6.65(ACGG.1) and earlier | Hotfix by request* Standard patch 6.70(ACGG.0) in January 2024 |
*Please reach out to your local Zyxel support team for the file.
Got a question?
Please contact your local service rep or visit Zyxel’s Community for further information or assistance.
Acknowledgment
Thanks to the following security researchers and consultancies:
- Lê Hữu Quang Linh from STAR Labs SG for CVE-2023-35136
- Christopher Leech for CVE-2023-35139
- Alessandro Sgreccia from HackerHood for CVE-2023-37925, CVE-2023-37926, CVE-2023-4397, CVE-2023-5650, CVE-2023-5797, and CVE-2023-5960
- Lays and atdog from TRAPA Security for CVE-2023-4398
Revision history
2023-11-28: Initial release.