Zyxel security advisory for post-authentication memory corruption vulnerabilities in some DSL/Ethernet CPE, fiber ONT, and Wi-Fi extender versions

CVEs: CVE-2024-38266, CVE-2024-38267, CVE-2024-38268, CVE-2024-38269

Summary

Zyxel has released patches for some DSL/Ethernet CPE, fiber ONT, and Wi-Fi extender versions affected by post-authentication memory corruption vulnerabilities. Users are advised to install them for optimal protection.

 

What are the vulnerabilities?

CVE-2024-38266

An improper restriction of operations within the bounds of a memory buffer in the parameter type parser of some DSL/Ethernet CPE, fiber ONT, and Wi-Fi extender versions could allow an authenticated attacker with administrator privileges to cause potential memory corruptions, resulting in a thread crash on an affected device.

CVE-2024-38267

An improper restriction of operations within the bounds of a memory buffer in the IPv6 address parser of some DSL/Ethernet CPE, fiber ONT, and Wi-Fi extender versions could allow an authenticated attacker with administrator privileges to cause potential memory corruptions, resulting in a thread crash on an affected device.

CVE-2024-38268

An improper restriction of operations within the bounds of a memory buffer in the MAC address parser of some DSL/Ethernet CPE, fiber ONT, and Wi-Fi extender versions could allow an authenticated attacker with administrator privileges to cause potential memory corruptions, resulting in a thread crash on an affected device.

CVE-2024-38269

An improper restriction of operations within the bounds of a memory buffer in the USB file-sharing handler of some DSL/Ethernet CPE, fiber ONT, and Wi-Fi extender versions could allow an authenticated attacker with administrator privileges to cause potential memory corruptions, resulting in a thread crash on an affected device.

 

What versions are vulnerable—and what should you do?

After a thorough investigation, we’ve identified the vulnerable products within their vulnerability support period and released firmware patches to address the vulnerabilities, as shown in the table below. Note that if an on-market product is not listed in the table, it is NOT affected.

| Product | Affected model | Affected version | Patch availability |
| --- | --- | --- | --- |
| DSL/Ethernet CPE | DX3300-T0 | 5.50(ABVY.5)C0 and earlier | 5.50(ABVY.5.3)C0* |
| DSL/Ethernet CPE | DX3300-T1 | 5.50(ABVY.5)C0 and earlier | 5.50(ABVY.5.3)C0* |
| DSL/Ethernet CPE | DX3301-T0 | 5.50(ABVY.5)C0 and earlier | 5.50(ABVY.5.3)C0* |
| DSL/Ethernet CPE | DX4510-B0 | 5.17(ABYL.6)C0 and earlier | 5.17(ABYL.7)C0* |
| DSL/Ethernet CPE | DX4510-B1 | 5.17(ABYL.6)C0 and earlier | 5.17(ABYL.7)C0* |
| DSL/Ethernet CPE | DX5401-B0 | 5.17(ABYO.6)C0 and earlier | 5.17(ABYO.6.2)C0* |
| DSL/Ethernet CPE | DX5401-B1 | 5.17(ABYO.6)C0 and earlier | 5.17(ABYO.6.2)C0* |
| DSL/Ethernet CPE | EX3300-T0 | 5.50(ABVY.5)C0 and earlier | 5.50(ABVY.5.3)C0* |
| DSL/Ethernet CPE | EX3300-T1 | 5.50(ABVY.5)C0 and earlier | 5.50(ABVY.5.3)C0* |
| DSL/Ethernet CPE | EX3301-T0 | 5.50(ABVY.5)C0 and earlier | 5.50(ABVY.5.3)C0* |
| DSL/Ethernet CPE | EX3500-T0 | 5.44(ACHR.1)C0 and earlier | 5.44(ACHR.2)C0* |
| DSL/Ethernet CPE | EX3501-T0 | 5.44(ACHR.1)C0 and earlier | 5.44(ACHR.2)C0* |
| DSL/Ethernet CPE | EX3510-B0 | 5.17(ABUP.11)C0 and earlier | 5.17(ABUP.12)C0* |
| DSL/Ethernet CPE | EX3510-B1 | 5.17(ABUP.11)C0 and earlier | 5.17(ABUP.12)C0* |
| DSL/Ethernet CPE | EX3600-T0 | 5.70(ACIF.0.2)C0 and earlier | 5.70(ACIF.0.3)C0* |
| DSL/Ethernet CPE | EX5401-B0 | 5.17(ABYO.6)C0 and earlier | 5.17(ABYO.6.2)C0* |
| DSL/Ethernet CPE | EX5401-B1 | 5.17(ABYO.6)C0 and earlier | 5.17(ABYO.6.2)C0* |
| DSL/Ethernet CPE | EX5510-B0 | 5.17(ABQX.9)C0 and earlier | 5.17(ABQX.10)C0* |
| DSL/Ethernet CPE | EX5512-T0 | 5.70(ACEG.3)C1 and earlier | 5.70(ACEG.3)C2* |
| DSL/Ethernet CPE | EX5601-T0 | 5.70(ACDZ.3)C0 and earlier | 5.70(ACDZ.3.2)C0* |
| DSL/Ethernet CPE | EX5601-T1 | 5.70(ACDZ.3)C0 and earlier | 5.70(ACDZ.3.2)C0* |
| DSL/Ethernet CPE | EX7501-B0 | 5.18(ACHN.1)C0 and earlier | 5.18(ACHN.1.2)C0* |
| DSL/Ethernet CPE | EX7710-B0 | 5.18(ACAK.1)C0 and earlier | 5.18(ACAK.1)C1* |
| DSL/Ethernet CPE | EMG3525-T50B | 5.50(ABPM.9)C0 and earlier | 5.50(ABPM.9.2)C0* |
| DSL/Ethernet CPE | EMG5523-T50B | 5.50(ABPM.9)C0 and earlier | 5.50(ABPM.9.2)C0* |
| DSL/Ethernet CPE | EMG5723-T50K | 5.50(ABOM.8)C0 and earlier | 5.50(ABOM.8.4)C0* |
| DSL/Ethernet CPE | VMG3625-T50B | 5.50(ABPM.9)C0 and earlier | 5.50(ABPM.9.2)C0* |
| DSL/Ethernet CPE | VMG3927-T50K | 5.50(ABOM.8)C0 and earlier | 5.50(ABOM.8.4)C0* |
| DSL/Ethernet CPE | VMG4005-B50A | 5.17(ABQA.2)C0 and earlier | 5.17(ABQA.2.2)C0* |
| DSL/Ethernet CPE | VMG4005-B60A | 5.17(ABQA.2)C0 and earlier | 5.17(ABQA.2.2)C0* |
| DSL/Ethernet CPE | VMG8623-T50B | 5.50(ABPM.9)C0 and earlier | 5.50(ABPM.9.2)C0* |
| DSL/Ethernet CPE | VMG8825-T50K | 5.50(ABOM.8)C0 and earlier | 5.50(ABOM.8.4)C0* |
| DSL/Ethernet CPE | | Customized: 5.50(ABPY.1)b24 and earlier | Customized: 5.50(ABPY.1)b25* |
| Fiber ONT | AX7501-B0 | 5.17(ABPC.5)C0 and earlier | 5.17(ABPC.5.2)C0* |
| Fiber ONT | AX7501-B1 | 5.17(ABPC.5)C0 and earlier | 5.17(ABPC.5.2)C0* |
| Fiber ONT | PM3100-T0 | 5.42(ACBF.2)C0 and earlier | 5.42(ACBF.2.1)C0* |
| Fiber ONT | PM5100-T0 | 5.42(ACBF.2)C0 and earlier | 5.42(ACBF.2.1)C0* |
| Fiber ONT | PM7300-T0 | 5.42(ABYY.2.1)C0 and earlier | 5.42(ABYY.2.2)C0* |
| Fiber ONT | PX3321-T1 | 5.44(ACJB.0)C0 and earlier | 5.44(ACJB.1)C0* |
| Wi-Fi extender | WX3100-T0 | 5.50(ABVL.4.2)C0 and earlier | 5.50(ABVL.4.3)C0* |
| Wi-Fi extender | WX3401-B0 | 5.17(ABVE.2.4)C0 and earlier | 5.17(ABVE.2.5)C0* |
| Wi-Fi extender | WX5600-T0 | 5.70(ACEB.3)C0 and earlier | 5.70(ACEB.3.2)C0* |

* Please contact your Zyxel sales representative or support team to obtain the file.

Please note that the table does NOT include customized models specifically designed for ISP customers.
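
For checking a device inventory against the table above, the following is an added example and not Zyxel code. It assumes that firmware versions order numerically field by field (release number, the dotted number inside the parentheses, then the trailing C or b build number) and that versions with a different firmware code are not comparable; the function names, result labels and sample inventory are constructed for illustration.

```python
import re

# Rows copied from the advisory table: model -> (last affected, patched).
# Only a subset is listed here; extend it with the models you operate.
ADVISORY = {
    "DX3300-T0": ("5.50(ABVY.5)C0", "5.50(ABVY.5.3)C0"),
    "EX5510-B0": ("5.17(ABQX.9)C0", "5.17(ABQX.10)C0"),
    "EX5512-T0": ("5.70(ACEG.3)C1", "5.70(ACEG.3)C2"),
}

# e.g. 5.50(ABVY.5.3)C0; a leading "V" is tolerated (assumption).
_VERSION = re.compile(r"V?(\d+)\.(\d+)\(([A-Z]+)\.(\d+(?:\.\d+)*)\)([Cb])(\d+)")


def parse_version(text):
    """Return (family, key): family must match before keys are comparable."""
    m = _VERSION.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognized firmware version: {text!r}")
    major, minor, code, patch, kind, build = m.groups()
    patch_key = tuple(int(p) for p in patch.split("."))
    # Integers, not strings: "(ABQX.10)" must sort after "(ABQX.9)".
    return (code, kind), (int(major), int(minor), patch_key, int(build))


def check(model, installed):
    """Classify one device as affected / patched / unknown / not-listed."""
    if model not in ADVISORY:
        return "not-listed"  # not in this subset; consult the full table
    last_affected, patched = (parse_version(v) for v in ADVISORY[model])
    family, key = parse_version(installed)
    if family != last_affected[0]:
        return "unknown"  # different firmware code, e.g. a customized build
    if key <= last_affected[1]:
        return "affected"
    if key >= patched[1]:
        return "patched"
    return "unknown"  # between the two listed versions; ask the vendor


if __name__ == "__main__":
    # Constructed inventory, not real devices.
    for model, version in [("EX5510-B0", "V5.17(ABQX.9)C0"),
                           ("DX3300-T0", "5.50(ABVY.5.1)C0"),
                           ("EX5512-T0", "5.70(ACEG.3)C2")]:
        print(model, version, check(model, version))
```

A result of "unknown" means the advisory does not state the status of that build, so it should be confirmed with Zyxel or the ISP before the device is treated as patched.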

 

Got a question?

For our ISP customers, please contact your Zyxel sales or service representatives for more information. For customers who have acquired Zyxel devices through an ISP, please directly contact your ISP's support team, as the devices may have custom configurations.

 

Acknowledgment

Thanks to Dawid Kulikowski for reporting the issue to us.

 

Revision history

2024-9-24: Initial release