Zyxel Warns Firewall Users of Authentication Bypass Vulnerability

The Taiwanese-based technology giant Zyxel has warned users of an authentication bypass vulnerability in its Firewall. Users should update their products to the latest firmware updates at the earliest to receive the patches.

Zyxel Firewall Vulnerabilities

Sharing the details in an advisory, Zyxel elaborated on how an authentication bypass vulnerability compromised the security of its Firewall products.

Tracked as CVE-2022-0342, the vulnerability existed due to poor access control mechanism in the CGI program. As described,

“An authentication bypass vulnerability caused by the lack of a proper access control mechanism has been found in the CGI program of some firewall versions. The flaw could allow an attacker to bypass the authentication and obtain administrative access of the device.

This vulnerability first caught the attention of external researchers who then reported the matter to Zyxel. The tech firm has acknowledged Alessandro Sgreccia from Tecnical Service Srl, and Roberto Garcia H and Victor Garcia R from Innotec Security, for discovering this bug.

Following the reports, Zyxel officials started working on a fix which they subsequently released with the following software updates.

As mentioned, the affected products and their firmware versions include,

  • USG/ZyWALL (firmware version ZLD V4.20 through ZLD V4.70)
  • USG FLEX (firmware version ZLD V4.50 through ZLD V5.20)
  • ATP (firmware version ZLD V4.32 through ZLD V5.20)
  • VPN (firmware version ZLD V4.30 through ZLD V5.20)
  • NSG (firmware version V1.20 through V1.33 Patch 4)

Consequently, the firm released the following firmware updates with the patch.

  • USG/ZyWALL (ZLD V4.71)
  • USG FLEX (ZLD V5.21 Patch 1)
  • ATP (ZLD V5.21 Patch 1)
  • VPN (ZLD V5.21)

Besides, for NSG users, the vendors have released a hotfix (V1.33p4_WK11) for now. The firm has pledged to roll out the Standard patch V1.33 Patch 5 in May 2022.

Since the vulnerability fixes have been released, all Zyxel customers using the affected devices should ensure receiving the updates.

Let us know your thoughts in the comments.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients