Zyxel Networks has recently issued a critical alert regarding several high-risk vulnerabilities affecting their firewall products. This warning comes as part of a broader security advisory that highlights multiple vulnerabilities in Zyxel firewalls, with a particular emphasis on those deemed high-risk.
For administrators and security professionals, swift action is crucial to safeguard their systems. The vulnerabilities in Zyxel Firewalls could expose networks to significant security risks. Zyxel’s security bulletin details several issues, the most concerning being a command injection vulnerability within the IPSec VPN feature.
This flaw, cataloged as CVE-2024-42057, allows attackers to inject malicious commands via manipulated usernames. If a device is configured with user-based PSK authentication and has a username longer than 28 characters, attackers could exploit this vulnerability to execute arbitrary commands on the system.
Understanding the Vulnerabilities in Zyxel Firewalls
In addition to CVE-2024-42057, the advisory highlights several other severe vulnerabilities in Zyxel firewalls. One of them, CVE-2024-42058, is a null pointer dereference. An unauthenticated attacker can trigger it by sending specially crafted network packets, potentially crashing the vulnerable Zyxel firewall.
The advisory also notes CVE-2024-42059 and CVE-2024-42060, which are post-authentication command injection vulnerabilities. After gaining admin-level access, an attacker can exploit these flaws by uploading crafted files, either via FTP or as an internal user agreement file, and thereby execute commands on the underlying operating system.
Another issue is CVE-2024-7203, a post-authentication command injection vulnerability similar to the previous ones but reached through a different path. Additionally, CVE-2024-42061 is a reflected cross-site scripting (XSS) vulnerability in the CGI program “dynamic_script.cgi.” An attacker could use this flaw to trick a user into executing a malicious script in their browser.
Regarding the affected versions of Zyxel firewalls, several releases across the ATP, USG FLEX, and USG FLEX 50(W)/USG20(W) VPN series are vulnerable. Specifically, ATP series versions from ZLD V4.32 to V5.38 are affected, and the patch ZLD V5.39 addresses these issues. For the USG FLEX series, versions from ZLD V4.50 to V5.38 are impacted, and the ZLD V5.39 update provides the necessary fixes. For the USG FLEX 50(W)/USG20(W) VPN series, most versions from ZLD V4.16 to V5.38 are affected, and these models are likewise fixed in ZLD V5.39.
Zyxel’s updates are designed to address these critical security flaws and ensure that affected devices are protected against potential threats. Administrators are advised to apply these patches promptly to protect their networks.
Detailed Breakdown of Zyxel Vulnerabilities
To provide a clearer picture, here’s a detailed breakdown of the vulnerabilities affecting Zyxel firewalls:
- CVE-2024-6343: A buffer overflow vulnerability in the CGI program of some firewall versions could lead to a denial of service (DoS) if an authenticated attacker sends a crafted HTTP request.
- CVE-2024-42057: Command injection through the IPSec VPN could enable unauthenticated attackers to execute OS commands, provided the firewall is configured with a long username in user-based PSK mode.
- CVE-2024-42058: A null pointer dereference that an unauthenticated attacker can trigger with specially crafted network packets, causing a DoS.
- CVE-2024-42059: Command injection via FTP file upload allows attackers to execute commands on the OS with admin privileges.
- CVE-2024-42060: Similar to CVE-2024-42059, but triggered by uploading a crafted internal user agreement file.
- CVE-2024-42061: Reflected XSS vulnerability that could steal browser-based information if exploited.
To mitigate these risks, Zyxel strongly advises all users to update their firewalls to the latest firmware version, ZLD V5.39, available through the usual update channels. For more details, affected users should consult Zyxel’s support resources or reach out to their local service representatives.
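As an added example (not part of the advisory or of Zyxel's tooling), the following Python script turns the version ranges and the CVE-2024-42057 precondition described above into an inventory check: it classifies a device's ZLD firmware against the stated affected ranges and flags IPSec gateways that combine user-based PSK with a username longer than 28 characters. The inventory format, hostnames, gateway names, the "user-based-psk" label and the usernames are constructed assumptions, standing in for whatever configuration export an administrator actually has.

```python
import re
# Affected firmware ranges (inclusive) and the fixed release, as stated in the advisory summary.
ADVISORY = {
    "ATP": {"affected": ((4, 32), (5, 38)), "fixed": (5, 39)},
    "USG FLEX": {"affected": ((4, 50), (5, 38)), "fixed": (5, 39)},
    "USG FLEX 50(W)/USG20(W) VPN": {"affected": ((4, 16), (5, 38)), "fixed": (5, 39)},
}
MAX_SAFE_USERNAME_LEN = 28  # CVE-2024-42057 precondition: user-based PSK username > 28 chars
_VERSION_RE = re.compile(r"^(?:ZLD\s*)?V?(\d+)\.(\d+)", re.IGNORECASE)

def parse_zld_version(text):
    """'ZLD V5.38' / 'V5.38' / '5.38' -> (5, 38). Assumption: any trailing patch
    marker is ignored, since the advisory states ranges at major.minor only."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)))

def firmware_status(series, version_text):
    """Return 'affected', 'fixed', or 'unlisted' (outside the advisory's stated range)."""
    entry = ADVISORY[series]
    version = parse_zld_version(version_text)
    low, high = entry["affected"]
    if low <= version <= high:
        return "affected"
    return "fixed" if version >= entry["fixed"] else "unlisted"

def long_psk_usernames(ipsec_gateways):
    """Names of gateways using user-based PSK with a username longer than 28 characters."""
    return [gw["name"] for gw in ipsec_gateways
            if gw.get("auth") == "user-based-psk"
            and len(gw.get("username", "")) > MAX_SAFE_USERNAME_LEN]

def audit(inventory):
    """One finding per device: firmware status plus whether the 42057 precondition holds."""
    findings = []
    for dev in inventory:
        status = firmware_status(dev["series"], dev["firmware"])
        risky = long_psk_usernames(dev.get("ipsec_gateways", []))
        findings.append({"host": dev["host"], "firmware": status, "long_username_gateways": risky,
                         "cve_2024_42057_exposed": status == "affected" and bool(risky)})
    return findings
# Constructed sample inventory: hostnames, gateway names and usernames are made up.
SAMPLE_INVENTORY = [
    {"host": "fw-branch-1", "series": "ATP", "firmware": "ZLD V5.38", "ipsec_gateways": [
        {"name": "gw-remote", "auth": "user-based-psk", "username": "remote-office-vpn-user-long-name-01"}]},
    {"host": "fw-hq", "series": "USG FLEX", "firmware": "ZLD V5.39", "ipsec_gateways": [
        {"name": "gw-hq", "auth": "certificate", "username": ""}]},
]
```

A device reported as "unlisted" is older than the advisory's stated range rather than known-safe, so it still warrants a check against the vendor's full bulletin.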
The company acknowledges the contributions of security researchers Nanyu Zhong, Jinwei Dong, Alessandro Sgreccia, Manuel Roccon, and nella17 for their role in identifying these vulnerabilities.