Zyxel Firewall Devices Security Flaws.
Networking equipment maker Zyxel has released patches for a critical security flaw in its firewall devices that could be exploited to achieve remote code execution on affected systems.
The issue, tracked as CVE-2023-28771, is rated 9.8 on the CVSS scoring system Very High. Researchers from TRAPA Security have been credited with reporting the flaw.
“Improper error message handling in some firewall versions could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device,” Zyxel said in an advisory on April 25, 2023
Products impacted by the flaw are –
- ATP (versions ZLD V4.60 to V5.35, patched in ZLD V5.36)
- USG FLEX (versions ZLD V4.60 to V5.35, patched in ZLD V5.36)
- VPN (versions ZLD V4.60 to V5.35, patched in ZLD V5.36), and
- ZyWALL/USG (versions ZLD V4.60 to V4.73, patched in ZLD V4.73 Patch 1)
The most severe of the flaws is CVE-2022-43389 (CVSS score: 9.8), a buffer overflow vulnerability impacting 5G NR/4G LTE CPE devices.
Zyxel has also addressed a high-severity post-authentication command injection vulnerability affecting select firewall versions (CVE-2023-27991, CVSS score: 8.8) that could permit an authenticated attacker to execute some OS commands remotely.
Users are advised to install the patches for optimal protection.
Source: TheHackerNews