Zyxel security advisory for multiple vulnerabilities of firewalls and APs
CVE: CVE-2023-22913, CVE-2023-22914, CVE-2023-22915, CVE-2023-22916, CVE-2023-22917, CVE-2023-22918
Summary
Zyxel is aware of multiple vulnerabilities in its firewalls and access points (AP) as reported by Positive Technologies and advises users to install the applicable firmware updates for optimal protection.
What are the vulnerabilities?
CVE-2023-22913
A post-authentication command injection vulnerability in the “account_operator.cgi” CGI program of some firewall versions could allow a remote authenticated attacker to modify device configuration data, resulting in denial-of-service (DoS) conditions on an affected device. Note that WAN access is disabled by default on the firewall devices.
CVE-2023-22914
A path traversal vulnerability in the “account_print.cgi” CGI program of some firewall versions could allow a remote authenticated attacker with administrator privileges to execute unauthorized OS commands in the “tmp” directory by uploading a crafted file if the hotspot function were enabled. Note that WAN access is disabled by default on the firewall devices.
CVE-2023-22915
A buffer overflow vulnerability in the “fbwifi_forward.cgi” CGI program of some firewall versions could allow a remote unauthenticated attacker to cause DoS conditions by sending a crafted HTTP request if the Facebook WiFi function were enabled on an affected device. Note that WAN access is disabled by default on the firewall devices.
CVE-2023-22916
The configuration parser of some firewall versions fails to properly sanitize user input. A remote unauthenticated attacker could leverage the vulnerability to modify device configuration data, resulting in DoS conditions on an affected device if the attacker could trick an authorized administrator to switch the management mode to the cloud mode. Note that WAN access is disabled by default on the firewall devices.
CVE-2023-22917
A buffer overflow vulnerability in the “sdwan_iface_ipc” binary of some firewall versions could allow a remote unauthenticated attacker to cause a core dump with a request error message on a vulnerable device by uploading a crafted configuration file. Note that WAN access is disabled by default on the firewall devices.
CVE-2023-22918
A post-authentication information exposure vulnerability in the CGI program of some firewall and AP versions could allow a remote authenticated attacker to retrieve encrypted information of the administrator on an affected device. Note that WAN access is disabled by default on the firewall and AP devices.
What versions are vulnerable—and what should you do?
After a thorough investigation, we have identified the vulnerable products that are within their vulnerability support period and released updates to address the vulnerabilities, as shown in the following tables.
Table 1. Firewalls affected by CVE-2023-22913, CVE-2023-22914, CVE-2023-22915, CVE-2023-22916, CVE-2023-22917, and CVE-2023-22918
| Firewall series | Affected version | Patch availability | |||||
|---|---|---|---|---|---|---|---|
| CVE-2023-22913 | CVE-2023-22914 | CVE-2023-22915 | CVE-2023-22916 | CVE-2023-22917 | CVE-2023-22918 | ||
| ATP | Not affected | Not affected | Not affected | ZLD V5.10~V5.35 | ZLD V5.10~V5.32 | ZLD V4.32~V5.35 | ZLD V5.36 |
| USG FLEX | ZLD V4.50~V5.35 | ZLD V4.50~V5.35 | ZLD V4.50~V5.35 | ZLD V5.00~V5.35 | ZLD V5.00~V5.32 | ZLD V4.50~V5.35 | ZLD V5.36 |
| USG FLEX 50(W) / USG20(W)-VPN | Not affected | Not affected | ZLD V4.30~V5.35 | ZLD V5.10~V5.35 | ZLD V5.10~V5.32 | ZLD V4.16~V5.35 | ZLD V5.36 |
| VPN | ZLD V4.30~V5.35 | ZLD V4.30~V5.35 | ZLD V4.30~V5.35 | ZLD V5.00~V5.35 | ZLD V5.00~V5.35 | ZLD V4.30~V5.35 | ZLD V5.36 |
Table 2. APs affected by CVE-2023-22918
| AP model | Affected version | Patch availability |
|---|---|---|
| NAP203 | 6.28(ABFA.0) and earlier | Hotfix by request* |
| NAP303 | 6.28(ABEX.0) and earlier | Hotfix by request* |
| NAP353 | 6.28(ABEY.0) and earlier | Hotfix by request* |
| NWA110AX | 6.50(ABTG.2) and earlier | 6.55(ABTG.1) |
| NWA1123-AC-PRO | 6.28(ABHD.0) and earlier | Hotfix by request* |
| NWA1123ACv3 | 6.50(ABVT.0) and earlier | 6.55(ABVT.1) |
| NWA210AX | 6.50(ABTD.2) and earlier | 6.55(ABTD.1) |
| NWA220AX-6E | 6.50(ACCO.2) and earlier | 6.55(ACCO.1) |
| NWA50AX | 6.29(ABYW.1) and earlier | Hotfix by request* Standard patch 6.29(ABYW.2) in Oct. 2023 |
| NWA50AX-PRO | 6.50(ACGE.0) and earlier | 6.55(ACGE.1) |
| NWA5123-AC HD | 6.25(ABIM.9) and earlier | Hotfix by request* |
| NWA55AXE | 6.29(ABZL.1) and earlier | Hotfix by request* Standard patch 6.29(ABZL.2) in Oct. 2023 |
| NWA90AX | 6.29(ACCV.1) and earlier | Hotfix by request* Standard patch 6.29(ACCV.2) in Oct. 2023 |
| NWA90AX-PRO | 6.50(ACGF.0) and earlier | 6.55(ACGF.1) |
| WAC500 | 6.50(ABVS.0) and earlier | 6.55(ABVS.1) |
| WAC500H | 6.50(ABWA.0) and earlier | 6.55(ABWA.1) |
| WAC5302D-Sv2 | 6.25(ABVZ.9) and earlier | Hotfix by request* |
| WAC6103D-I | 6.28(AAXH.0) and earlier | Hotfix by request* |
| WAC6303D-S | 6.25(ABGL.9) and earlier | Hotfix by request* |
| WAC6502D-S | 6.28(AASE.0) and earlier | Hotfix by request* |
| WAC6503D-S | 6.28(AASF.0) and earlier | Hotfix by request* |
| WAC6552D-S | 6.28(ABIO.0) and earlier | Hotfix by request* |
| WAC6553D-E | 6.28(AASG.0) and earlier | Hotfix by request* |
| WAX510D | 6.50(ABTF.2) and earlier | 6.55(ABTF.1) |
| WAX610D | 6.50(ABTE.2) and earlier | 6.55(ABTE.1) |
| WAX620D-6E | 6.50(ACCN.2) and earlier | 6.55(ACCN.1) |
| WAX630S | 6.50(ABZD.2) and earlier | 6.55(ABZD.1) |
| WAX640S-6E | 6.50(ACCM.2) and earlier | 6.55(ACCM.1) |
| WAX650S | 6.50(ABRM.2) and earlier | 6.55(ABRM.1) |
| WAX655E | 6.50(ACDO.2) and earlier | 6.55(ACDO.1) |
*Please reach out to your local Zyxel support team for the file.
If an on-market product is not listed above, it is NOT affected.
Got a question?
Please contact your local service rep or visit Zyxel’s Community for further information or assistance.
Acknowledgment
Thanks to Nikita Abramov from Positive Technologies for reporting the issues to us.
Revision history
2023-4-25: Initial release
2023-4-27: Updated the list of affected APs and the patch schedule for NWA50AX and NWA90AX