Zyxel began the month by releasing numerous security fixes for flaws in its firewalls and router devices. The most critical security vulnerability affected its routers, exploiting which could allow OS command injection.
Critical OS Command Injection Impacted Zyxel Routers
According to its advisory, an OS command injection vulnerability affected different Zyxel routers. Identified as CVE-2024-7261, the firm described this vulnerability as an OS command injection flaw in some access points (AP) and security router versions.
Elaborating on this vulnerability and the affected devices, its CVE listing states,
The improper neutralization of special elements in the parameter “host” in the CGI program of Zyxel NWA1123ACv3 firmware version 6.70(ABVT.4) and earlier, WAC500 firmware version 6.70(ABVS.4) and earlier, WAX655E firmware version 7.00(ACDO.1) and earlier, WBE530 firmware version 7.00(ACLE.1) and earlier, and USG LITE 60AX firmware version V2.00(ACIP.2) could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device.
This vulnerability received a critical severity rating and a CVSS score of 9.1. Zyxel released its security fix with the latest AP and security router firmware versions, mentioning them in its advisory. Users must ensure to update their devices accordingly to receive the patch.
Severe Buffer Overflow Also Patched For Different Products
Another important vulnerability fix, released simultaneously, addressed a high-severity buffer overflow issue. This vulnerability, identified as CVE-2024-5412, received a CVSS score of 7.5.
The flaw affected some 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, WiFi extenders, and security router devices. It allowed an unauthenticated adversary to trigger a denial of state on the target device by sending maliciously crafted HTTP requests.
Zyxel shared a detailed list of affected products and their respective patched releases in its advisory.
Multiple Securit Flaws Addressed Across Zyxel Firewalls
In addition to the two security fixes described above, Zyxel also patched seven other security flaws affecting multiple firewall versions. These vulnerabilities include,
- CVE-2024-6343 (medium; CVSS 4.9): a buffer overflow vulnerability in the CGI program that could let an authenticated adversary with admin privileges trigger a denial of service.
- CVE-2024-7203 (high; CVSS 7.2): a post-authentication OS command injection that an adversary could execute via maliciously crafted CLI commands.
- CVE-2024-42057 (high; CVSS 8.1): An OS command injection vulnerability impacting the IPSec VPN feature of firewalls allowing attacks from an unauthenticated attacker.
- CVE-2024-42058 (high; CVSS 7.5): a null pointer dereference vulnerability that allowed DoS attacks from an unauthenticated adversary.
- CVE-2024-42059 (high; CVSS 7.2): another post-authentication OS command injection vulnerability that an authenticated adversary could exploit by uploading a crafted compressed language file via FTP.
- CVE-2024-42060 (high; CVSS 7.2): An authenticated attacker could exploit this OS command injection vulnerability by uploading a crafted internal user agreement file to the target device.
- CVE-2024-42061 (medium; CVSS 6.1): a reflected cross-site scripting (XSS) in the CGI program
dynamic_script.cgiof firewalls.
The vulnerabilities affected different models of Zyxel ATP, USG FLEX, and USG FLEX 50(W)/USG20(W)-VPN. Zyxel patched all the affected devices with the latest software releases, sharing the details in its advisory. Users must ensure that their devices are patched with the latest versions to prevent potential threats.
Let us know your thoughts in the comments.
