Advisories address vulnerabilities in Zyxel firewalls, APs, extenders, and security router devices

Threat ID:CC-4541

Threat Severity:Medium

Published:4 September 2024 3:47 PM

Summary

Affected platforms

The following platforms are known to be affected:

Zyxel ATP

Zyxel Unified Security Gateway (USG) FLEX

USG FLEX

USG FLEX 50(W)/USG20(W)-VPN

Zyxel Access Points (AP) and Security Routers

NWA50AX

NWA50AX PRO

NWA55AXE

NWA90AX

NWA90AX PRO

NWA110AX

NWA130BE

NWA210AX

NWA220AX-6E

NWA1123-AC PRO

NWA1123ACv3

WAC500

WAC500H

WAC6103D-I

WAC6502D-S

WAC6503D-S

WAC6552D-S

WAC6553D-E

WAX300H

WAX510D

WAX610D

WAX620D-6E

WAX630S

WAX640S-6E

WAX650S

WAX655E

WBE530

WBE660S

USG LITE 60AX

Zyxel 4G LTE Router

Nebula LTE3301-PLUS

Zyxel 5G NR

NR5103

NR5103Ev2

NR5307

NR7103

NR7302

NR7303

NR7501

Nebula FWA510

Nebula FWA710

Nebula FWA505

Zyxel Digital Subscriber Line (DSL) Customer premises equipment (CPE)DSL/Ethernet CPE devices as follows:

DX3300-T0

DX3300-T1

DX3301-T0

DX4510-B0

DX5401-B0

DX5401-B1

EX3300-T0

EX3300-T1

EX3301-T0

EX3500-T0

EX3501-T0

EX3510-B0

EX5401-B0

EX5401-B1

EX5510-B0

EX5512-T0

EX5601-T0

EX5601-T1

EX7501-B0

EX7710-B0

EMG3525-T50B

EMG5523-T50B

EMG5723-T50K

VMG3625-T50B

VMG3927-T50K

VMG4005-B50A

VMG4005-B60A

VMG8623-T50B

VMG8825-T50K

The following platforms are also known to be affected:

Fiber ONT (optical network terminal)

AX7501-B0

AX7501-B1

PM3100-T0

PM5100-T0

PM7300-T0

PX3321-T1

Security router

SCR50AXE

Wi-Fi extender

WX3100-T0

WX3401-B0

WX5600-T0

Threat details

Introduction

Zyxel has released 3 security advisories to address vulnerabilities in Zyxel firewalls, Access Points (APs), extenders, and security router devices.

In the first security advisory, Zyxel describes seven vulnerabilities found in their ATP and USG FLEX firewall product lines. Two vulnerabilities could allow an attacker to create a denial-of-service (DoS) condition, four vulnerabilities could allow an attacker to execute some operating system (OS) commands on an affected device, and one could allow an attacker to gain browser-based information.

In the second advisory, Zyxel describes one vulnerability known as CVE-2024-7261, which affects APs and security router devices. CVE-2024-7261 is a command injection vulnerability that could allow an unauthenticated attacker to execute OS commands on an affected device.

A buffer overflow vulnerability is addressed in the third advisory, which affects 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, WiFi extender, and security router devices. An unauthenticated attacker could exploit CVE-2024-5412 to cause a DoS condition.

Remediation advice

Affected organisations are encouraged to review Zyxel's security advisories and apply the relevant updates.

Remediation steps


Patch	Zyxel security advisory for multiple vulnerabilities in firewalls ATP USG FLEX USG FLEX 50(W)/USG20(W)-VPN https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-09-03-2024
Patch	Zyxel security advisory for OS command injection vulnerability in APs and security router devices Affects models from "Zyxel Access Point (AP) and Security Routers" listed under "Affected platforms" https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-os-command-injection-vulnerability-in-aps-and-security-router-devices-09-03-2024
Patch	Zyxel security advisory for buffer overflow vulnerability in some 5G NR CPE, DSL/Ethernet CPE, fiber ONT, WiFi extender, and security router devices 5G NR/4G LTE CPE DSL/Ethernet CPE Fiber ONT Security router Wi-Fi extender https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-buffer-overflow-vulnerability-in-some-5g-nr-cpe-dsl-ethernet-cpe-fiber-ont-wifi-extender-and-security-router-devices-09-03-2024

Patch

Zyxel security advisory for multiple vulnerabilities in firewalls

USG FLEX

USG FLEX 50(W)/USG20(W)-VPN

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-09-03-2024

Patch

Zyxel security advisory for OS command injection vulnerability in APs and security router devices

Affects models from "Zyxel Access Point (AP) and Security Routers" listed under "Affected platforms"

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-os-command-injection-vulnerability-in-aps-and-security-router-devices-09-03-2024

Patch

Zyxel security advisory for buffer overflow vulnerability in some 5G NR CPE, DSL/Ethernet CPE, fiber ONT, WiFi extender, and security router devices

5G NR/4G LTE CPE

DSL/Ethernet CPE

Fiber ONT

Security router

Wi-Fi extender

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-buffer-overflow-vulnerability-in-some-5g-nr-cpe-dsl-ethernet-cpe-fiber-ont-wifi-extender-and-security-router-devices-09-03-2024

Definitive source of threat updates

https://www.zyxel.com/global/en/support/security-advisories

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-09-03-2024

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-os-command-injection-vulnerability-in-aps-and-security-router-devices-09-03-2024

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-buffer-overflow-vulnerability-in-some-5g-nr-cpe-dsl-ethernet-cpe-fiber-ont-wifi-extender-and-security-router-devices-09-03-2024

CVE Vulnerabilities

StatusPublished

CVE-2024-7261The improper neutralization of special elements in the parameter "host" in the CGI program of Zyxel NWA1123ACv3 firmware version 6.70(ABVT.4) and earlier, WAC500 firmware version 6.70(ABVS.4) and earlier, WAX655E firmware version 7.00(ACDO.1) and earlier, WBE530 firmware version 7.00(ACLE.1) and earlier, and USG LITE 60AX firmware version V2.00(ACIP.2) could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device.

StatusPublished

CVE-2024-5412A buffer overflow vulnerability in the library "libclinkc" of the Zyxel VMG8825-T50K firmware version 5.50(ABOM.8)C0 could allow an unauthenticated attacker to cause denial of service (DoS) conditions by sending a crafted HTTP request to a vulnerable device.

StatusPublished

CVE-2024-6343A buffer overflow vulnerability in the CGI program of Zyxel ATP series firmware versions from V4.32 through V5.38, USG FLEX series firmware versions from V4.50 through V5.38, USG FLEX 50(W) series firmware versions from V4.16 through V5.38, and USG20(W)-VPN series firmware versions from V4.16 through V5.38 could allow an authenticated attacker with administrator privileges to cause denial of service (DoS) conditions by sending a crafted HTTP request to a vulnerable device.

StatusPublished

CVE-2024-7203A post-authentication command injection vulnerability in Zyxel ATP series firmware versions from V4.60 through V5.38 and USG FLEX series firmware versions from V4.60 through V5.38 could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands on an affected device by executing a crafted CLI command.

StatusPublished

CVE-2024-42057A command injection vulnerability in the IPSec VPN feature of Zyxel ATP series firmware versions from V4.32 through V5.38, USG FLEX series firmware versions from V4.50 through V5.38, USG FLEX 50(W) series firmware versions from V4.16 through V5.38, and USG20(W)-VPN series firmware versions from V4.16 through V5.38 could allow an unauthenticated attacker to execute some OS commands on an affected device by sending a crafted username to the vulnerable device. Note that this attack could be successful only if the device was configured in User-Based-PSK authentication mode and a valid user with a long username exceeding 28 characters exists.

StatusPublished

CVE-2024-42058A null pointer dereference vulnerability in Zyxel ATP series firmware versions from V4.32 through V5.38, USG FLEX series firmware versions from V4.50 through V5.38, USG FLEX 50(W) series firmware versions from V5.20 through V5.38, and USG20(W)-VPN series firmware versions from V5.20 through V5.38 could allow an unauthenticated attacker to cause DoS conditions by sending crafted packets to a vulnerable device.

StatusPublished

CVE-2024-42059A post-authentication command injection vulnerability in Zyxel ATP series firmware versions from V5.00 through V5.38, USG FLEX series firmware versions from V5.00 through V5.38, USG FLEX 50(W) series firmware versions from V5.00 through V5.38, and USG20(W)-VPN series firmware versions from V5.00 through V5.38 could allow an authenticated attacker with administrator privileges to execute some OS commands on an affected device by uploading a crafted compressed language file via FTP.

StatusPublished

CVE-2024-42060A post-authentication command injection vulnerability in Zyxel ATP series firmware versions from V4.32 through V5.38, USG FLEX series firmware versions from V4.50 through V5.38, USG FLEX 50(W) series firmware versions from V4.16 through V5.38, and USG20(W)-VPN series firmware versions from V4.16 through V5.38 could allow an authenticated attacker with administrator privileges to execute some OS commands on an affected device by uploading a crafted internal user agreement file to the vulnerable device.

StatusPublished

CVE-2024-42061A reflected cross-site scripting (XSS) vulnerability in the CGI program "dynamic_script.cgi" of Zyxel ATP series firmware versions from V4.32 through V5.38, USG FLEX series firmware versions from V4.50 through V5.38, USG FLEX 50(W) series firmware versions from V4.16 through V5.38, and USG20(W)-VPN series firmware versions from V4.16 through V5.38 could allow an attacker to trick a user into visiting a crafted URL with the XSS payload. The attacker could obtain browser-based information if the malicious script is executed on the victim’s browser.

Last edited: 4 September 2024 3:47 pm