Vulnerability in Zyxel Firewalls May Soon Be Widely Exploited (CVE-2023-28771)

Cyber Security Threat Summary:
Rapid7 researchers have issued a warning regarding a recently patched command injection vulnerability (CVE-2023-28771) in various Zyxel firewalls. They have published a technical analysis and a Proof of Concept (PoC) script that demonstrates the vulnerability, allowing an attacker to obtain a reverse root shell. The affected devices include Zyxel ATP, USG FLEX, and VPN firewalls running ZLD firmware versions v4.60 to v5.35, as well as Zyxel ZyWALL/USG gateways/firewalls running ZLD v4.60 to v4.73. These firewall devices perform network traffic monitoring and control, offer VPN and SSL inspection capabilities, and provide additional protection against malware and other threats. The vulnerability stems from mishandling of error messages and can be triggered by sending a specially crafted UDP packet to port 500 on the vulnerable device's WAN interface. Exploiting this vulnerability allows attackers to execute OS commands with root privileges.

Security Officer Comments:
According to Rapid7 researchers, the Internet Key Exchange (IKE) packet decoder, a component of the IPSec VPN service provided by the device, is the vulnerable element. They highlighted that the device does not require VPN configuration to be at risk. The vulnerability is easily exploitable and does not depend on prior authentication. As of May 19, 2023, there have been no reported instances of CVE-2023-28771 being exploited in the wild, but the researchers anticipate this to change. Approximately 42,000 instances of Zyxel web interfaces are publicly accessible. However, this number does not account for vulnerable VPN implementations, suggesting that the actual level of exposure is likely higher.

Suggested Correction(s):
To mitigate the risk, administrators of affected devices are strongly advised to promptly update to the latest firmware version. It is also generally recommended to enable automatic firmware updates to ensure timely protection against future vulnerabilities.
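The version ranges in the summary above are the practical input for patch triage: an administrator with an inventory of Zyxel devices needs to decide which units fall inside the affected ZLD ranges and must be updated first. The following script is an added example, not code from the advisory, Rapid7 or Zyxel. It assumes the firmware string reported by a device contains a "Vmajor.minor" prefix (shapes such as "V5.35" or "V4.73(AAPL.0)" are assumed, as is the operator having already mapped each device to one of the two product families named on the page); the hostnames and versions in the sample inventory are constructed. Minor versions are compared numerically rather than as text, so the inclusive bounds v4.60 and v5.35 / v4.73 are handled correctly.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected ranges exactly as stated in the advisory (inclusive, major.minor).
# Family labels follow the page; mapping a device to a family is assumed to be
# done by the operator from the product model.
AFFECTED_RANGES: Dict[str, Tuple[Tuple[int, int], Tuple[int, int]]] = {
    "ATP/USG FLEX/VPN": ((4, 60), (5, 35)),
    "ZyWALL/USG": ((4, 60), (4, 73)),
}

# Assumed firmware string shape: optional "V", then major.minor, then anything.
_VERSION_RE = re.compile(r"[Vv]?(\d+)\.(\d+)")


def parse_zld_version(version: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) as integers from a ZLD firmware string.

    Returns None when no version can be recognised. Integer tuples make the
    later range check numeric, so "V4.73" is correctly above "V4.60".
    """
    m = _VERSION_RE.search(version or "")
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_affected(family: str, version: str) -> Optional[bool]:
    """True if the firmware is inside the CVE-2023-28771 range for its family,
    False if outside it, None if the family or version is unrecognised."""
    rng = AFFECTED_RANGES.get(family)
    parsed = parse_zld_version(version)
    if rng is None or parsed is None:
        return None
    low, high = rng
    return low <= parsed <= high


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Bucket (hostname, family, version) rows into affected / not_affected / unknown.

    'unknown' rows need manual review rather than being silently treated as safe.
    """
    result: Dict[str, List[str]] = {"affected": [], "not_affected": [], "unknown": []}
    for host, family, version in inventory:
        verdict = is_affected(family, version)
        if verdict is None:
            result["unknown"].append(host)
        elif verdict:
            result["affected"].append(host)
        else:
            result["not_affected"].append(host)
    return result


# Constructed sample inventory: hostnames, family assignments and version
# strings are made up for the example.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("fw-branch-01", "ATP/USG FLEX/VPN", "V5.35(ABUJ.0)"),  # upper bound, inclusive
    ("fw-branch-02", "ATP/USG FLEX/VPN", "V5.36(ABUJ.0)"),  # just above the range
    ("fw-legacy-01", "ZyWALL/USG", "V4.73(AAPL.0)"),        # upper bound, inclusive
    ("fw-legacy-02", "ZyWALL/USG", "V4.59"),                # just below the range
    ("fw-unknown", "ATP/USG FLEX/VPN", "n/a"),              # unparseable, needs review
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) if hosts else '-'}")
```

Devices in the "affected" bucket are the ones to update first; anything in "unknown" should be checked by hand, since a missing or oddly formatted version string is not evidence that a device is patched.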

Link(s):
https://www.helpnetsecurity.com/2023/05/22/cve-2023-28771/