Zyxel has fixed numerous security flaws in various products


Zyxel started the month by releasing numerous security fixes for flaws in its firewalls and router devices. The most critical issue, an OS command injection flaw, affected its access points and security routers.

Critical OS command injection affected Zyxel routers

According to its advisory, an OS command injection vulnerability affected several Zyxel routers. Identified as CVE-2024-7261, the company described this vulnerability as a command injection flaw in some access point (AP) and security router versions.

Expanding on this vulnerability and the affected devices, the CVE list states:

The incorrect neutralization of special elements in the “host” parameter in the CGI program of Zyxel NWA1123ACv3 firmware version 6.70 (ABVT.4) and earlier, WAC500 firmware version 6.70 (ABVS.4) and earlier, WAX655E firmware version 7.00 (ACDO.1) and earlier, WBE530 firmware version 7.00 (ACLE.1) and earlier, and USG LITE 60AX firmware version V2.00 (ACIP.2) could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device.

This vulnerability received a critical severity rating and a CVSS score of 9.1. Zyxel has released fixes in the latest firmware versions for the affected APs and security routers and lists them in its advisory. Users should ensure that they update their devices accordingly to receive the patch.
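The CVE text above describes "incorrect neutralization of special elements" in a cookie-supplied host value. As an added illustration, not from the Zyxel advisory, the CVE entry, or Zyxel's own code, the snippet below contrasts the vulnerable pattern (untrusted value spliced into a shell string) with a hardened form (allow-list validation, then a discrete argv element) and applies the same allow-list as a detection rule over constructed log lines; the cookie name, log format and ping command are assumptions for illustration.

```python
import re
from typing import List, Optional

# Allow-list grammar: RFC 1123 hostname labels or a dotted-quad IPv4 literal.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")
_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
_IPV4_RE = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}$")

def is_valid_host(value: str) -> bool:
    """True only for a syntactically valid hostname or IPv4 literal; shell
    metacharacters, whitespace and quotes cannot pass this grammar."""
    return len(value) <= 253 and bool(_HOSTNAME_RE.match(value) or _IPV4_RE.match(value))

def host_from_cookie(cookie_header: str, name: str = "host") -> Optional[str]:
    """Pull the (assumed) 'host' cookie out of a raw Cookie header."""
    for part in cookie_header.split(";"):
        key, _, val = part.strip().partition("=")
        if key == name:
            return val
    return None

def unsafe_command_line(host: str) -> str:
    """Vulnerable pattern (CWE-78): the untrusted value is spliced into a
    string handed to a shell. Shown for contrast only; never executed here."""
    return f"ping -c 1 {host}"

def hardened_argv(host: str) -> List[str]:
    """Hardened form: validate first, then pass the value as its own argv
    element so no shell ever parses it (run with subprocess.run(argv))."""
    if not is_valid_host(host):
        raise ValueError("rejected host value")
    return ["ping", "-c", "1", host]

def flag_suspicious_requests(log_lines: List[str]) -> List[str]:
    """Detection: return log lines whose 'host' cookie fails the allow-list."""
    hits = []
    for line in log_lines:
        m = re.search(r'cookie="([^"]*)"', line)
        host = host_from_cookie(m.group(1)) if m else None
        if host is not None and not is_valid_host(host):
            hits.append(line)
    return hits

# Constructed sample access-log lines (not from any real device or advisory).
SAMPLE_LOG = [
    '10.0.0.5 "GET /cgi-bin/example.cgi" cookie="host=gw.example.net; lang=en"',
    '10.0.0.9 "GET /cgi-bin/example.cgi" cookie="host=10.0.0.1|id; lang=en"',
]
```

Running `flag_suspicious_requests(SAMPLE_LOG)` returns only the second line, the same value that `hardened_argv` refuses and `unsafe_command_line` would have passed straight to a shell.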

Severe buffer overflow also fixed for several products

Another major fix released at the same time addresses a serious buffer overflow issue. This vulnerability, identified as CVE-2024-5412, received a CVSS score of 7.5.

The flaw affected some 5G NR/4G LTE CPE, DSL/Ethernet CPE, Fiber ONT, WiFi extender, and security router devices. It allowed an unauthenticated adversary to trigger a Denial of Service on the target device by sending maliciously crafted HTTP requests.


Zyxel has shared a detailed list of affected products and their respective patched releases in its advisory.

Fixed multiple security flaws in Zyxel firewalls

In addition to the two security fixes described above, Zyxel also fixed seven other security flaws that affected multiple firewall versions. These vulnerabilities include:

  • CVE-2024-6343 (medium; CVSS 4.9): A buffer overflow vulnerability in the CGI program that could allow an authenticated adversary with administrative privileges to trigger a Denial of Service.
  • CVE-2024-7203 (high; CVSS 7.2): A post-authentication OS command injection that an adversary can perform via maliciously crafted CLI commands.
  • CVE-2024-42057 (high; CVSS 8.1): An OS command injection vulnerability in the IPSec VPN functionality of the firewalls that an unauthenticated attacker could exploit.
  • CVE-2024-42058 (high; CVSS 7.5): A null pointer dereference vulnerability that allowed DoS attacks from an unauthenticated adversary.
  • CVE-2024-42059 (high; CVSS 7.2): Another post-authentication OS command injection vulnerability that an authenticated adversary could exploit by uploading a crafted compressed language file via FTP.
  • CVE-2024-42060 (high; CVSS 7.2): An authenticated attacker could exploit this OS command injection vulnerability by uploading a crafted internal user agreement file to the target device.
  • CVE-2024-42061 (medium; CVSS 6.1): A reflected cross-site scripting (XSS) vulnerability in the CGI program dynamic_script.cgi of the firewalls.

The vulnerabilities affected several models of Zyxel ATP, USG FLEX and USG FLEX 50(W)/USG20(W)-VPN. Zyxel has patched all affected devices with the latest software versions and shared the details in its advisory. Users should ensure that their devices are patched with the latest versions to avoid potential threats.

Let us know your thoughts in the comments.
