Zyxel: Several high-risk vulnerabilities in firewalls
Zyxel warns of several security vulnerabilities in the company's firewalls. Updates that close the gaps are available.
Manufacturer Zyxel is currently warning of several security vulnerabilities in its firewalls, the majority of which the company rates as high risk. Updated firmware fixes the security-relevant flaws. Admins should update affected firewalls to the patched version promptly.
Zyxel lists the vulnerabilities in a security bulletin. The most serious is a command injection flaw in the IPSec VPN feature of Zyxel firewalls: with a manipulated username, attackers can smuggle in commands that the underlying operating system then executes. The attack only works, however, if the device is configured for user-based PSK authentication and a username of more than 28 characters exists on the system (CVE-2024-42057).
Multiple vulnerabilities in Zyxel firewalls
A null pointer dereference can be exploited by unauthenticated attackers to crash a vulnerable Zyxel firewall with specially crafted network packets, causing a denial of service (CVE-2024-42058). Several other vulnerabilities allow authenticated attackers to inject commands that are executed with admin rights on the operating system.
The Zyxel security advisory lists the affected models and firmware versions. These are numerous firmware versions for the Zyxel ATP, USG FLEX and USG FLEX 50(W)/USG20(W)-VPN series. Firmware version ZLD V5.39, which fixes the vulnerabilities, is available for download for these devices. Zyxel firewall administrators can obtain it through the usual channels.
The vulnerabilities in detail, sorted by severity:
- Command Injection Vulnerability in IPSec VPN (CVE-2024-42057, CVSS 8.1, high)
- Null Pointer Dereference Vulnerability (CVE-2024-42058, CVSS 7.5, high)
- Post-authentication Command Injection Vulnerability (CVE-2024-42059, CVSS 7.2, high)
- Post-authentication Command Injection Vulnerability (CVE-2024-42060, CVSS 7.2, high)
- Post-authentication Command Injection Vulnerability (CVE-2024-7203, CVSS 7.2, high)
- Reflected Cross-Site Scripting (XSS) Vulnerability in CGI Program (CVE-2024-42061, CVSS 6.1, medium)
- Buffer Overflow Vulnerability in CGI Program (CVE-2024-6343, CVSS 4.9, medium)
Last year, criminals built a botnet out of vulnerable Zyxel firewalls, using a vulnerability in the firewalls' VPN service as the entry point. Zyxel vulnerabilities are clearly an attractive target for cyber criminals, which is why IT managers should apply the updates quickly.
(dmk)