Zyxel Fixed a Critical RCE Flaw in its Firewall Devices and Urges Customers to Install the Patches

Cyber Security Threat Summary:
Researchers from TRAPA Security have discovered a critical remote code execution vulnerability, tracked as CVE-2023-28771 (CVSS score 9.8), impacting Zyxel Firewall. “The vulnerability is an improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35. A remote, unauthenticated attacker can trigger the flaw by sending specially crafted packets to a vulnerable device and execute some OS commands remotely” (Security Affairs, 2023).

This critical vulnerability has been fixed, and Zyxel is urging customers to patch as soon as possible.

Security Officer Comments:
“Improper error message handling in some firewall versions could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device,” reads the advisory published by the vendor.

This was not the only vulnerability fixed: Zyxel also patched CVE-2023-27991 (CVSS score 8.8), a high-severity post-authentication command injection issue affecting some specific firewall versions.

“The vulnerability resides in the CLI command of Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, and VPN series firmware versions 4.30 through 5.35. The vulnerability can be exploited by a remote, authenticated attacker to execute some OS commands” (Security Affairs, 2023).

The last vulnerability addressed by the company is an XSS vulnerability, tracked as CVE-2023-27990, that affects some firewall versions. “The XSS vulnerability in some firewall versions could allow an authenticated attacker with administrator privileges to store malicious scripts in a vulnerable device.” reads the advisory published by the vendor. “A successful XSS attack could then result in the stored malicious scripts being executed when the user visits the Logs page of the GUI on the device.”

Both CVE-2023-27990 and CVE-2023-27991 were reported by Alessandro Sgreccia from Tecnical Service SRL.

Suggested Corrections:
Users of these Zyxel firewall products should install the patches as soon as possible. Threat actors are increasingly weaponizing recently released vulnerabilities, especially those impacting edge network devices. While we have not seen proofs of concept for these vulnerabilities in the wild, they are expected and will be quickly leveraged by cybercriminals.
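A small inventory triage helper, added here as an example (not from Zyxel or the cited articles), that checks a device's series and firmware version against the affected ranges stated above for CVE-2023-28771 and CVE-2023-27991. It assumes firmware strings of the form "major.minor", optionally with a leading "V" and a parenthesised build suffix, and the sample inventory is constructed.

```python
import re

# Affected firmware ranges (inclusive), transcribed from the advisory text in this summary.
AFFECTED = {
    "CVE-2023-28771": {
        "ZyWALL/USG": ("4.60", "4.73"),
        "VPN": ("4.60", "5.35"),
        "USG FLEX": ("4.60", "5.35"),
        "ATP": ("4.60", "5.35"),
    },
    "CVE-2023-27991": {
        "ATP": ("4.32", "5.35"),
        "USG FLEX": ("4.50", "5.35"),
        "USG FLEX 50(W)": ("4.16", "5.35"),
        "USG20(W)-VPN": ("4.16", "5.35"),
        "VPN": ("4.30", "5.35"),
    },
}

# Assumed display format: optional "V" prefix, "major.minor", optional "(build)" suffix.
_VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)")


def parse_version(raw):
    """Return (major, minor) as integers so that '4.73' < '5.35' compares correctly."""
    m = _VERSION_RE.match(raw.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {raw!r}")
    return int(m.group(1)), int(m.group(2))


def affected_cves(series, raw_version):
    """List the CVEs whose stated range for this series covers the given firmware version."""
    ver = parse_version(raw_version)
    hits = []
    for cve, ranges in AFFECTED.items():
        rng = ranges.get(series)
        if rng and parse_version(rng[0]) <= ver <= parse_version(rng[1]):
            hits.append(cve)
    return hits


def triage(inventory):
    """inventory: iterable of (hostname, series, version). Returns {host: [cves]} for affected hosts only."""
    result = {}
    for host, series, ver in inventory:
        cves = affected_cves(series, ver)
        if cves:
            result[host] = cves
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative, not real devices.
    sample = [
        ("fw-branch-1", "USG FLEX", "V5.35(ABUJ.0)"),
        ("fw-hq", "ATP", "V5.36(ABFW.0)"),
        ("fw-lab", "ZyWALL/USG", "4.73"),
        ("fw-old-vpn", "VPN", "4.20"),
    ]
    for host, cves in triage(sample).items():
        print(f"{host}: patch required for {', '.join(cves)}")
```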

Links:
https://www.zyxel.com
https://securityaffairs.com/145416/hacking/zyxel-firewall-cve-2023-28771-rce.html