Zyxel security advisory for post-authentication memory corruption vulnerabilities in some DSL/Ethernet CPE, fiber ONT, WiFi extender, and security router versions

CVE: CVE-2024-38266, CVE-2024-38267, CVE-2024-38268, CVE-2024-38269
Summary

Zyxel has released patches for some DSL/Ethernet CPE, fiber ONT, WiFi extender, and security router versions affected by post-authentication memory corruption vulnerabilities. Users are advised to install them for optimal protection.

What are the vulnerabilities?

CVE-2024-38266

An improper restriction of operations within the bounds of a memory buffer in the parameter type parser of some DSL/Ethernet CPE, fiber ONT, WiFi extender, and security router versions could allow an authenticated attacker with administrator privileges to cause potential memory corruptions, resulting in a thread crash on an affected device.

CVE-2024-38267

An improper restriction of operations within the bounds of a memory buffer in the IPv6 address parser of some DSL/Ethernet CPE, fiber ONT, WiFi extender, and security router versions could allow an authenticated attacker with administrator privileges to cause potential memory corruptions, resulting in a thread crash on an affected device.

CVE-2024-38268

An improper restriction of operations within the bounds of a memory buffer in the MAC address parser of some DSL/Ethernet CPE, fiber ONT, WiFi extender, and security router versions could allow an authenticated attacker with administrator privileges to cause potential memory corruptions, resulting in a thread crash on an affected device.

CVE-2024-38269

An improper restriction of operations within the bounds of a memory buffer in the USB file-sharing handler of some DSL/Ethernet CPE, fiber ONT, WiFi extender, and security router versions could allow an authenticated attacker with administrator privileges to cause potential memory corruptions, resulting in a thread crash on an affected device.

What versions are vulnerable—and what should you do?

After a thorough investigation, we’ve identified the vulnerable products within their vulnerability support period and released firmware patches to address the vulnerabilities, as shown in the table below. Note that if an on-market product is not listed in the table, it is NOT affected.


Product Affected model Affected version Patch availability
DSL/Ethernet CPE DX3300-T0 5.50(ABVY.5)C0 and earlier 5.50(ABVY.5.3)C0*
DX3300-T1 5.50(ABVY.5)C0 and earlier 5.50(ABVY.5.3)C0*
DX3301-T0 5.50(ABVY.5)C0 and earlier 5.50(ABVY.5.3)C0*
DX4510-B0 5.17(ABYL.6)C0 and earlier 5.17(ABYL.7)C0*
DX4510-B1 5.17(ABYL.6)C0 and earlier 5.17(ABYL.7)C0*
DX5401-B0 5.17(ABYO.6)C0 and earlier 5.17(ABYO.6.2)C0*
DX5401-B1 5.17(ABYO.6)C0 and earlier 5.17(ABYO.6.2)C0*
EX3300-T0 5.50(ABVY.5)C0 and earlier 5.50(ABVY.5.3)C0*
EX3300-T1 5.50(ABVY.5)C0 and earlier 5.50(ABVY.5.3)C0*
EX3301-T0 5.50(ABVY.5)C0 and earlier 5.50(ABVY.5.3)C0*
EX3500-T0 5.44(ACHR.1)C0 and earlier 5.44(ACHR.2)C0*
EX3501-T0 5.44(ACHR.1)C0 and earlier 5.44(ACHR.2)C0*
EX3510-B0 5.17(ABUP.11)C0 and earlier 5.17(ABUP.12)C0*
EX3510-B1 5.17(ABUP.11)C0 and earlier 5.17(ABUP.12)C0*
EX3600-T0 5.70(ACIF.0.2)C0 and earlier 5.70(ACIF.0.3)C0*
EX5401-B0 5.17(ABYO.6)C0 and earlier 5.17(ABYO.6.2)C0*
EX5401-B1 5.17(ABYO.6)C0 and earlier 5.17(ABYO.6.2)C0*
EX5510-B0 5.17(ABQX.9)C0 and earlier 5.17(ABQX.10)C0*
EX5512-T0 5.70(ACEG.3)C1 and earlier 5.70(ACEG.3)C2*
EX5601-T0 5.70(ACDZ.3)C0 and earlier 5.70(ACDZ.3.2)C0*
EX5601-T1 5.70(ACDZ.3)C0 and earlier 5.70(ACDZ.3.2)C0*
EX7501-B0 5.18(ACHN.1)C0 and earlier 5.18(ACHN.1.2)C0*
EX7710-B0 5.18(ACAK.1)C0 and earlier 5.18(ACAK.1)C1*
EMG3525-T50B 5.50(ABPM.9)C0 and earlier 5.50(ABPM.9.2)C0*
EMG5523-T50B 5.50(ABPM.9)C0 and earlier 5.50(ABPM.9.2)C0*
EMG5723-T50K 5.50(ABOM.8)C0 and earlier 5.50(ABOM.8.4)C0*
VMG3625-T50B 5.50(ABPM.9)C0 and earlier 5.50(ABPM.9.2)C0*
VMG3927-T50K 5.50(ABOM.8)C0 and earlier 5.50(ABOM.8.4)C0*
VMG4005-B50A 5.17(ABQA.2)C0 and earlier 5.17(ABQA.2.2)C0*
VMG4005-B60A 5.17(ABQA.2)C0 and earlier 5.17(ABQA.2.2)C0*
VMG8623-T50B 5.50(ABPM.9)C0 and earlier 5.50(ABPM.9.2)C0*
VMG8825-T50K 5.50(ABOM.8)C0 and earlier
Customized: 5.50(ABPY.1)b24 and earlier
5.50(ABOM.8.4)C0*
Customized: 5.50(ABPY.1)b25*
Fiber ONT AX7501-B0 5.17(ABPC.5)C0 and earlier 5.17(ABPC.5.2)C0*
AX7501-B1 5.17(ABPC.5)C0 and earlier 5.17(ABPC.5.2)C0*
PM3100-T0 5.42(ACBF.2)C0 and earlier 5.42(ACBF.2.1)C0*
PM5100-T0 5.42(ACBF.2)C0 and earlier 5.42(ACBF.2.1)C0*
PM7300-T0 5.42(ABYY.2.1)C0 and earlier 5.42(ABYY.2.2)C0*
PX3321-T1 5.44(ACJB.0)C0 and earlier 5.44(ACJB.1)C0*
Security router SCR50AXE 1.10(ACGN.2)C0 and earlier 1.10(ACGN.3)C0**
Wi-Fi extender WX3100-T0 5.50(ABVL.4.2)C0 and earlier 5.50(ABVL.4.3)C0*
WX3401-B0 5.17(ABVE.2.4)C0 and earlier 5.17(ABVE.2.5)C0*
WX5600-T0 5.70(ACEB.3)C0 and earlier 5.70(ACEB.3.2)C0*

*Please contact your Zyxel sales representative or support team for the file.

**Updated by cloud.

Please note that the table does NOT include project-based models for internet service providers (ISPs).

For ISPs, please contact your Zyxel sales or service representatives for further details.

For end-users who acquired your Zyxel device from an ISP, we recommend you reach out to the ISP’s support team directly, as the device may have custom-built settings.

For end-users who purchased your Zyxel device yourself, please contact your local Zyxel support team for the new firmware file to ensure optimal protection, or visit Zyxel’s Community for further assistance.

Got a question?

Please contact your local service rep or visit Zyxel’s Community for further information or assistance.

Acknowledgment

Thanks to Dawid Kulikowski for reporting the issues to us.

Revision history

2024-9-24: Initial release.