Zyxel security advisory for multiple vulnerabilities in firewalls and WLAN controllers
CVEs: CVE-2023-28767, CVE-2023-33011, CVE-2023-33012, CVE-2023-34138, CVE-2023-34139, CVE-2023-34140, CVE-2023-34141
Summary
Zyxel has released patches addressing multiple vulnerabilities in some firewall and WLAN controller versions. Users are advised to install the patches for optimal protection.
What are the vulnerabilities?
CVE-2023-28767
The configuration parser fails to sanitize user-controlled input in some firewall versions. An unauthenticated, LAN-based attacker could leverage the vulnerability to inject some operating system (OS) commands into the device configuration data on an affected device when the cloud management mode is enabled.
CVE-2023-33011
A format string vulnerability in some firewall versions could allow an unauthenticated, LAN-based attacker to execute some OS commands by using a crafted PPPoE configuration on an affected device when the cloud management mode is enabled.
CVE-2023-33012
A command injection vulnerability in the configuration parser of some firewall versions could allow an unauthenticated, LAN-based attacker to execute some OS commands by using a crafted GRE configuration when the cloud management mode is enabled.
CVE-2023-34138
A command injection vulnerability in the hotspot management feature of some firewall versions could allow an unauthenticated, LAN-based attacker to execute some OS commands on an affected device if the attacker could trick an authorized administrator to add their IP address to the list of trusted RADIUS clients in advance.
CVE-2023-34139
A command injection vulnerability in the Free Time WiFi hotspot feature of some firewall versions could allow an unauthenticated, LAN-based attacker to execute some OS commands on an affected device.
CVE-2023-34140
A buffer overflow vulnerability in some firewall and WLAN controller versions could allow an unauthenticated, LAN-based attacker to cause denial of service (DoS) conditions by sending a crafted request to the CAPWAP daemon.
CVE-2023-34141
A command injection vulnerability in the access point (AP) management feature of some firewall and WLAN controller versions could allow an unauthenticated, LAN-based attacker to execute some OS commands on an affected device if the attacker could trick an authorized administrator to add their IP address to the managed AP list in advance.
What versions are vulnerable—and what should you do?
After a thorough investigation, we have identified the vulnerable products that are within their vulnerability support period and released updates to address the vulnerabilities, as shown in the following tables.
Table 1. Firewalls affected by CVE-2023-28767, CVE-2023-33011, CVE-2023-33012, CVE-2023-34138, CVE-2023-34139, CVE-2023-34140, and CVE-2023-34141
| Firewall series | Affected version | Patch availability | ||||||
|---|---|---|---|---|---|---|---|---|
| CVE-2023-28767 | CVE-2023-33011 | CVE-2023-33012 | CVE-2023-34138 | CVE-2023-34139 | CVE-2023-34140 | CVE-2023-34141 | ||
| ATP | ZLD V5.10 to V5.36 | ZLD V5.10 to V5.36 Patch 2 | ZLD V5.10 to V5.36 Patch 2 | ZLD V4.60 to V5.36 Patch 2 | Not affected | ZLD V4.32 to V5.36 Patch 2 | ZLD V5.00 to V5.36 Patch 2 | ZLD V5.37 |
| USG FLEX | ZLD V5.00 to V5.36 | ZLD V5.00 to V5.36 Patch 2 | ZLD V5.00 to V5.36 Patch 2 | ZLD V4.60 to V5.36 Patch 2 | ZLD V4.50 to V5.36 Patch 2 | ZLD V4.50 to V5.36 Patch 2 | ZLD V5.00 to V5.36 Patch 2 | ZLD V5.37 |
| USG FLEX 50(W) / USG20(W)-VPN | ZLD V5.10 to V5.36 | ZLD V5.10 to V5.36 Patch 2 | ZLD V5.10 to V5.36 Patch 2 | ZLD V4.60 to V5.36 Patch 2 | Not affected | ZLD V4.16 to V5.36 Patch 2 | ZLD V5.00 to V5.36 Patch 2 | ZLD V5.37 |
| VPN | ZLD V5.00 to V5.36 | ZLD V5.00 to V5.36 Patch 2 | ZLD V5.00 to V5.36 Patch 2 | ZLD V4.60 to V5.36 Patch 2 | ZLD V4.20 to V5.36 Patch 2 | ZLD V4.30 to V5.36 Patch 2 | ZLD V5.00 to V5.36 Patch 2 | ZLD V5.37 |
Table 2. WLAN controllers affected by CVE-2023-34140 and CVE-2023-34141
| WLAN controller model | Affected version | Patch availability |
|---|---|---|
| NXC2500 | V6.10(AAIG.0) to V6.10(AAIG.3) | Hotfix by request* |
| NXC5500 | V6.10(AAOS.0) to V6.10(AAOS.4) | Hotfix by request* |
*Please reach out to your local Zyxel support team for the file.
Got a question?
Please contact your local service rep or visit Zyxel’s Community for further information or assistance.
Acknowledgment
Thanks to the following security consultancies:
- atdog from TRAPA Security for CVE-2023-28767
- atdog and Lays from TRAPA Security for CVE-2023-33011 and CVE-2023-33012
- Lê Hữu Quang Linh from STAR Labs SG for CVE-2023-34138, CVE-2023-34139, and CVE-2023-34141
- Lê Hữu Quang Linh and Nguyễn Hoàng Thạch from STAR Labs SG for CVE-2023-34140
Revision history
2023-7-18: Initial release.