Zyxel Patches Critical Buffer-Overflow Vulnerabilities Affecting Firewall Devices

May 30, 2023


Zyxel has released a security advisory addressing two critical buffer-overflow vulnerabilities affecting its firewall devices. Both stem from a buffer copy performed without checking the size of the input, a flaw that can lead to remote code execution (RCE).

The Critical Vulnerabilities

  • CVE-2023-33009 (CVSS 9.8, critical) – An unauthenticated threat actor could exploit the vulnerability in the notification function of some firewall versions to cause denial-of-service (DoS) conditions and potentially achieve remote code execution (RCE) on an affected device.
  • CVE-2023-33010 (CVSS 9.8, critical) – An unauthenticated threat actor could exploit the vulnerability in the ID processing function of some firewall versions to cause denial-of-service (DoS) conditions and potentially achieve remote code execution (RCE) on an affected device.
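The weakness both CVEs share, a copy into a fixed-size buffer with no size check, is easiest to see in code. The C program below is an added illustration and is not code from Zyxel's firmware or from the advisory: the wire format, the FIELD_MAX capacity and every function name are invented for the example. It places the unchecked pattern beside a hardened parser that validates the sender-controlled length against both the buffer capacity and the number of bytes actually received, and rejects the message rather than copying.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Capacity of the fixed buffer that receives one parsed field.
 * Constructed value for this illustration, not a product constant. */
#define FIELD_MAX 32

/* The weak pattern: the caller-supplied length is trusted and copied into
 * a fixed-size buffer with no comparison against FIELD_MAX. When len
 * exceeds the buffer, memory beyond it is overwritten, which is the path
 * from a malformed message to a crash (DoS) or worse. */
static void unchecked_copy(char dst[FIELD_MAX], const uint8_t *src, size_t len)
{
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Hardened form: validate before copying and report rejection to the
 * caller instead of silently truncating or overflowing. */
static int bounded_copy(char dst[FIELD_MAX], const uint8_t *src, size_t len)
{
    if (src == NULL || len >= FIELD_MAX) {
        return -1;              /* too long to fit with a NUL terminator */
    }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Constructed wire format: one length byte followed by that many field
 * bytes. A remote sender controls the length byte, so the parser checks
 * it against the bytes actually received and then against FIELD_MAX. */
static int parse_field(const uint8_t *msg, size_t msg_len, char out[FIELD_MAX])
{
    if (msg == NULL || msg_len < 1) {
        return -1;
    }
    size_t declared = msg[0];
    if (declared > msg_len - 1) {
        return -1;              /* length byte claims bytes that are not there */
    }
    return bounded_copy(out, msg + 1, declared);
}

/* Well-formed constructed message: length 5, field "admin".
 * Returns 1 when the field is accepted and parsed correctly. */
static int demo_good_message(void)
{
    static const uint8_t msg[] = { 5, 'a', 'd', 'm', 'i', 'n' };
    char out[FIELD_MAX];
    return parse_field(msg, sizeof msg, out) == 0 && strcmp(out, "admin") == 0;
}

/* Hostile constructed message: length byte 200 with 200 payload bytes,
 * far beyond FIELD_MAX. The hardened parser returns -1 before copying;
 * unchecked_copy would have written 169 bytes past the buffer. */
static int demo_oversized_message(void)
{
    uint8_t msg[1 + 200];
    char out[FIELD_MAX];
    msg[0] = 200;
    memset(msg + 1, 'A', 200);
    return parse_field(msg, sizeof msg, out);
}

/* Truncated constructed message: length byte says 10, only 3 bytes follow.
 * Rejected because the declared length exceeds what was received. */
static int demo_truncated_message(void)
{
    static const uint8_t msg[] = { 10, 'a', 'b', 'c' };
    char out[FIELD_MAX];
    return parse_field(msg, sizeof msg, out);
}

int main(void)
{
    char field[FIELD_MAX];

    /* unchecked_copy only "works" while the input happens to be small */
    unchecked_copy(field, (const uint8_t *)"ok", 2);
    printf("unchecked copy with small input: %s\n", field);

    printf("well-formed message accepted: %d\n", demo_good_message());
    printf("oversized message rc=%d (rejected before any copy)\n",
           demo_oversized_message());
    printf("truncated message rc=%d (rejected before any copy)\n",
           demo_truncated_message());
    return 0;
}
```

The check order in parse_field matters: the declared length is compared against the received byte count first, so the parser never reads past the message, and then bounded_copy compares it against the destination capacity, so it never writes past the buffer. Either check alone leaves one of the two out-of-bounds accesses open.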

Vulnerable Products

  • ATP versions ZLD V4.32 to V5.36.
  • USG FLEX versions ZLD V4.50 to V5.36.
  • VPN versions ZLD V4.30 to V5.36.
  • USG FLEX50(W) / USG20(W)-VPN ZLD V4.25 to V5.36.
  • ZyWALL/USG versions ZLD V4.25 to V4.73.

Mitigation

CYREBRO recommends updating all affected products to the latest firmware versions.

References: Zyxel Advisory
