Zyxel security advisory for command injection and buffer overflow vulnerabilities of CPE, fiber ONTs, and Wi-Fi extenders
CVEs: CVE-2022-43389, CVE-2022-43390, CVE-2022-43391, CVE-2022-43392
Summary
Zyxel is aware of multiple vulnerabilities reported by Positive Technologies and advises customers to install the applicable firmware updates for optimal protection.
What are the vulnerabilities?
A buffer overflow vulnerability in the library of the web server in some 5G NR/4G LTE CPE devices, which could allow a remote unauthenticated attacker to execute some OS commands or to cause denial-of-service (DoS) conditions on a vulnerable device. Note that the WAN access is disabled by default on most devices.
A command injection vulnerability in the CGI program of some 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, and Wi-Fi extender devices, which could allow a remote authenticated attacker to execute some OS commands on a vulnerable device by sending a crafted HTTP request. Note that the WAN access is disabled by default on most devices.
A buffer overflow vulnerability in the parameter of the CGI program in some 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, and Wi-Fi extender devices, which could allow a remote authenticated attacker to cause DoS conditions by sending a crafted HTTP request. Note that the WAN access is disabled by default on most devices.
A buffer overflow vulnerability in the parameter of web server in some 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, and Wi-Fi extender devices, which could allow a remote authenticated attacker to cause DoS conditions by sending a crafted authorization request. Note that the WAN access is disabled by default on most devices.
What versions are vulnerable—and what should you do?
After a thorough investigation, we have identified the vulnerable products that are within their vulnerability support period and released updates to address the vulnerabilities, as shown in the following tables.
Models affected by CVE-2022-43389 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Models affected by CVE-2022-43390 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Models affected by CVE-2022-43391 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Models affected by CVE-2022-43392 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Please note that the table does NOT include customized models for internet service providers (ISPs).
Got a question?
If you are an ISP with customized models, please contact your Zyxel sales or service representative for further information or assistance. For customers who acquired your Zyxel device from an ISP, please reach out to the ISP’s support team directly, as the device may have custom-built settings.
Acknowledgment
Thanks to Nikita Abramov from Positive Technologies for reporting the issues to us.
Revision history
2023-1-11: Initial release