Zyxel security advisory for multiple vulnerabilities in firewalls and WLAN controllers

CVEs: CVE-2023-28767, CVE-2023-33011, CVE-2023-33012, CVE-2023-34138, CVE-2023-34139, CVE-2023-34140, CVE-2023-34141

Summary

Zyxel has released patches addressing multiple vulnerabilities in some firewall and WLAN controller versions. Users are advised to install the patches for optimal protection.

What are the vulnerabilities?

CVE-2023-28767

The configuration parser fails to sanitize user-controlled input in some firewall versions. An unauthenticated, LAN-based attacker could leverage the vulnerability to inject some operating system (OS) commands into the device configuration data on an affected device when the cloud management mode is enabled.

CVE-2023-33011

A format string vulnerability in some firewall versions could allow an unauthenticated, LAN-based attacker to execute some OS commands by using a crafted PPPoE configuration on an affected device when the cloud management mode is enabled.

CVE-2023-33012

A command injection vulnerability in the configuration parser of some firewall versions could allow an unauthenticated, LAN-based attacker to execute some OS commands by using a crafted GRE configuration when the cloud management mode is enabled.

CVE-2023-34138

A command injection vulnerability in the hotspot management feature of some firewall versions could allow an unauthenticated, LAN-based attacker to execute some OS commands on an affected device if the attacker could trick an authorized administrator into adding their IP address to the list of trusted RADIUS clients in advance.

CVE-2023-34139

A command injection vulnerability in the Free Time WiFi hotspot feature of some firewall versions could allow an unauthenticated, LAN-based attacker to execute some OS commands on an affected device.

CVE-2023-34140

A buffer overflow vulnerability in some firewall and WLAN controller versions could allow an unauthenticated, LAN-based attacker to cause denial of service (DoS) conditions by sending a crafted request to the CAPWAP daemon.

CVE-2023-34141

A command injection vulnerability in the access point (AP) management feature of some firewall and WLAN controller versions could allow an unauthenticated, LAN-based attacker to execute some OS commands on an affected device if the attacker could trick an authorized administrator into adding their IP address to the managed AP list in advance.

What versions are vulnerable—and what should you do?

After a thorough investigation, we have identified the vulnerable products that are within their vulnerability support period and released updates to address the vulnerabilities, as shown in the following tables.


Table 1. Firewalls affected by CVE-2023-28767, CVE-2023-33011, CVE-2023-33012, CVE-2023-34138, CVE-2023-34139, CVE-2023-34140, and CVE-2023-34141

Affected version per CVE, and patch availability:

| Firewall series | CVE-2023-28767 | CVE-2023-33011 | CVE-2023-33012 | CVE-2023-34138 | CVE-2023-34139 | CVE-2023-34140 | CVE-2023-34141 | Patch availability |
|---|---|---|---|---|---|---|---|---|
| ATP | ZLD V5.10 to V5.36 | ZLD V5.10 to V5.36 Patch 2 | ZLD V5.10 to V5.36 Patch 2 | ZLD V4.60 to V5.36 Patch 2 | Not affected | ZLD V4.32 to V5.36 Patch 2 | ZLD V5.00 to V5.36 Patch 2 | ZLD V5.37 |
| USG FLEX | ZLD V5.00 to V5.36 | ZLD V5.00 to V5.36 Patch 2 | ZLD V5.00 to V5.36 Patch 2 | ZLD V4.60 to V5.36 Patch 2 | ZLD V4.50 to V5.36 Patch 2 | ZLD V4.50 to V5.36 Patch 2 | ZLD V5.00 to V5.36 Patch 2 | ZLD V5.37 |
| USG FLEX 50(W) / USG20(W)-VPN | ZLD V5.10 to V5.36 | ZLD V5.10 to V5.36 Patch 2 | ZLD V5.10 to V5.36 Patch 2 | ZLD V4.60 to V5.36 Patch 2 | Not affected | ZLD V4.16 to V5.36 Patch 2 | ZLD V5.00 to V5.36 Patch 2 | ZLD V5.37 |
| VPN | ZLD V5.00 to V5.36 | ZLD V5.00 to V5.36 Patch 2 | ZLD V5.00 to V5.36 Patch 2 | ZLD V4.60 to V5.36 Patch 2 | ZLD V4.20 to V5.36 Patch 2 | ZLD V4.30 to V5.36 Patch 2 | ZLD V5.00 to V5.36 Patch 2 | ZLD V5.37 |
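
For fleet triage, the ranges in Table 1 can be checked against a firmware inventory. The script below is an added example, not Zyxel code: the host names and inventory are constructed, and it assumes every V5.36 patch level falls inside the CVE-2023-28767 range, because the table gives that upper bound without a patch level.

```python
import re

# Transcribed from Table 1 of this advisory; column order matches the table.
CVES = ["CVE-2023-28767", "CVE-2023-33011", "CVE-2023-33012", "CVE-2023-34138",
        "CVE-2023-34139", "CVE-2023-34140", "CVE-2023-34141"]
# First affected ZLD release per series and CVE; None means "Not affected".
FIRST_AFFECTED = {
    "ATP": ["5.10", "5.10", "5.10", "4.60", None, "4.32", "5.00"],
    "USG FLEX": ["5.00", "5.00", "5.00", "4.60", "4.50", "4.50", "5.00"],
    "USG FLEX 50(W) / USG20(W)-VPN": ["5.10", "5.10", "5.10", "4.60", None, "4.16", "5.00"],
    "VPN": ["5.00", "5.00", "5.00", "4.60", "4.20", "4.30", "5.00"],
}
# Last affected release per CVE column. Table 1 lists "V5.36" with no patch
# level for CVE-2023-28767; assumption: all V5.36 patch levels count as affected.
LAST_AFFECTED = [(5, 36, float("inf"))] + [(5, 36, 2)] * 6


def parse_version(text):
    """Turn 'ZLD V5.36 Patch 2' or '5.36' into a comparable (major, minor, patch)."""
    m = re.search(r"(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def affected_cves(series, version):
    """Return the CVEs from Table 1 whose affected range contains this firmware."""
    installed = parse_version(version)
    hits = []
    for cve, first, last in zip(CVES, FIRST_AFFECTED[series], LAST_AFFECTED):
        if first and parse_version(first) <= installed <= last:
            hits.append(cve)
    return hits


# Constructed inventory for illustration: (host, series, reported firmware).
INVENTORY = [
    ("fw-hq-01", "ATP", "ZLD V5.36 Patch 2"),
    ("fw-branch-07", "USG FLEX", "ZLD V4.50"),
    ("fw-lab-02", "VPN", "ZLD V5.37"),
]


def triage(inventory):
    """Map each host to the CVEs it is exposed to; an empty list means patched."""
    return {host: affected_cves(series, ver) for host, series, ver in inventory}


if __name__ == "__main__":
    for host, cves in triage(INVENTORY).items():
        print(host, "-> upgrade to ZLD V5.37:" if cves else "-> no action", ", ".join(cves))
```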

Table 2. WLAN controllers affected by CVE-2023-34140 and CVE-2023-34141

| WLAN controller model | Affected version | Patch availability |
|---|---|---|
| NXC2500 | V6.10(AAIG.0) to V6.10(AAIG.3) | Hotfix by request* |
| NXC5500 | V6.10(AAOS.0) to V6.10(AAOS.4) | Hotfix by request* |

*Please reach out to your local Zyxel support team for the file.

Got a question?

Please contact your local service rep or visit Zyxel’s Community for further information or assistance.

Acknowledgment

Thanks to the following security consultancies:

  • atdog from TRAPA Security for CVE-2023-28767
  • atdog and Lays from TRAPA Security for CVE-2023-33011 and CVE-2023-33012
  • Lê Hữu Quang Linh from STAR Labs SG for CVE-2023-34138, CVE-2023-34139, and CVE-2023-34141
  • Lê Hữu Quang Linh and Nguyễn Hoàng Thạch from STAR Labs SG for CVE-2023-34140

Revision history

2023-7-18: Initial release.