Zyxel security advisory for multiple vulnerabilities

CVE: CVE-2023-28769, CVE-2023-28770, CVE-2022-45440


Summary

Zyxel is aware of multiple vulnerabilities reported by our security consultancy partner, SEC Consult, and advises users to install the applicable firmware updates for optimal protection.

 

What are the vulnerabilities?

There are eight vulnerabilities, identified as follows.

  1. Multiple buffer overflow vulnerabilities were discovered in the web server of the affected devices. (CVE-2023-28769)
  2. The CGI program lacks a proper permission control mechanism, which could allow an attacker to read sensitive files on the devices. (CVE-2023-28770)
  3. Insufficiently protected credentials in the configuration file of the devices could allow an attacker to retrieve the passwords. (CVE-2023-28770)
  4. Command injection vulnerabilities were found in the diagnostic tool and the certificate upload interface of the devices.
  5. Access control vulnerabilities in the devices could allow a less privileged user to access functionality of a more privileged role.
  6. The improper symbolic links processing vulnerability in the FTP server could allow an attacker to get read access to the root file system. (CVE-2022-45440)
  7. A security flaw was found in API of the devices that could be abused without authentication in order to obtain a new session key.
  8. A cross-site scripting vulnerability was identified in the printer name field of the print server menu within the web interface of the devices.
 

What versions are vulnerable-and what should you do?

After a thorough investigation, we’ve identified the affected products that are within their warranty and support period, as shown in the link here. If a product is not listed, it is not affected or has reached end-of-life. We encourage users to install the applicable updates for optimal protection.

Please note that the table in the link provided does NOT include customized models for internet service providers (ISPs).

If you are an ISP, please contact your Zyxel sales or service representative for further details.

If you are an end-user who received your Zyxel device from an ISP, please reach out to the ISP’s support team directly, as the device may have custom-built settings.

If you are an end-user who purchased your Zyxel device yourself, please contact your local Zyxel support team or visit our forum for further assistance.

 

Got a question?

Please contact your local service rep or visit Zyxel’s forum for further information or assistance.

 

Acknowledgment

Thanks to SEC Consult for reporting the issues to us.

 

Revision history

2022-2-15: Initial release
2023-4-28: Updated CVE IDs