Zyxel has released software updates to address two critical security flaws affecting select firewall and VPN products that could be abused by remote attackers to achieve code execution.
Both issues – CVE-2023-33009 and CVE-2023-33010 – are buffer overflow vulnerabilities and are rated 9.8 out of 10 on the CVSS scoring system.
A brief description of the two issues is below –
- CVE-2023-33009 – A buffer overflow vulnerability in the notification function that could enable an unauthenticated attacker to cause a denial-of-service (DoS) condition and remote code execution.
- CVE-2023-33010 – A buffer overflow vulnerability in the ID processing function that could enable an unauthenticated attacker to cause a denial-of-service (DoS) condition and remote code execution.
The following devices are impacted –
- ATP (versions ZLD V4.32 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2)
- USG FLEX (versions ZLD V4.50 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2)
- USG FLEX50(W) / USG20(W)-VPN (versions ZLD V4.25 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2)
- VPN (versions ZLD V4.30 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2), and
- ZyWALL/USG (versions ZLD V4.25 to V4.73 Patch 1, patched in ZLD V4.73 Patch 2)
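The affected-version ranges above are easy to misread when the same "V5.36 Patch 1" upper bound appears for several product lines with different lower bounds, and a "Patch N" suffix does not sort correctly as a plain string. The following helper, an added example that is not Zyxel's tooling or part of the advisory, parses ZLD version strings into comparable tuples and checks a constructed fleet inventory against the ranges listed above. It assumes a version with no "Patch" suffix is patch level 0, that major and minor components compare numerically, and that the product family names in the inventory are spelled as in the list above; the inventory entries are made up for illustration.

```python
import re
from typing import Dict, List, Tuple

# (major, minor, patch) so that tuples compare correctly: V4.73 Patch 1 < V4.73 Patch 2 < V5.36
ZldVersion = Tuple[int, int, int]

# Affected range (inclusive) and first fixed release per product family,
# taken from the advisory summary above.
AFFECTED: Dict[str, Tuple[str, str, str]] = {
    "ATP": ("V4.32", "V5.36 Patch 1", "V5.36 Patch 2"),
    "USG FLEX": ("V4.50", "V5.36 Patch 1", "V5.36 Patch 2"),
    "USG FLEX50(W) / USG20(W)-VPN": ("V4.25", "V5.36 Patch 1", "V5.36 Patch 2"),
    "VPN": ("V4.30", "V5.36 Patch 1", "V5.36 Patch 2"),
    "ZyWALL/USG": ("V4.25", "V4.73 Patch 1", "V4.73 Patch 2"),
}

# Accepts "ZLD V5.36 Patch 1", "V5.36 Patch 1", "V4.32" or "4.32" (assumed formats).
_VERSION_RE = re.compile(
    r"^\s*(?:ZLD\s*)?V?(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_zld(text: str) -> ZldVersion:
    """Turn a ZLD firmware string into a (major, minor, patch) tuple; no suffix means patch 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(product: str, version: str) -> bool:
    """True when the device firmware falls inside the advisory's affected range for its family."""
    low, high, _fixed = AFFECTED[product]
    return parse_zld(low) <= parse_zld(version) <= parse_zld(high)


def fixed_version(product: str) -> str:
    """First release that carries the fix for the given product family."""
    return AFFECTED[product][2]


def assess_inventory(inventory: List[Tuple[str, str, str]]) -> List[Dict[str, str]]:
    """Return one row per device: hostname, family, running version, verdict and required fix."""
    rows = []
    for hostname, product, version in inventory:
        affected = is_affected(product, version)
        rows.append({
            "host": hostname,
            "product": product,
            "version": version,
            "status": "UPDATE REQUIRED" if affected else "not affected",
            "fix": fixed_version(product) if affected else "-",
        })
    return rows


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = [
    ("fw-branch-01", "ATP", "ZLD V5.36 Patch 1"),
    ("fw-branch-02", "ATP", "ZLD V5.36 Patch 2"),
    ("fw-hq-01", "USG FLEX", "V4.50"),
    ("fw-legacy-01", "ZyWALL/USG", "V4.73 Patch 1"),
    ("fw-legacy-02", "ZyWALL/USG", "V4.73 Patch 2"),
    ("fw-lab-01", "VPN", "V4.29"),  # below the affected range for VPN
]

if __name__ == "__main__":
    for row in assess_inventory(SAMPLE_INVENTORY):
        print(f"{row['host']:<14} {row['product']:<12} {row['version']:<20} "
              f"{row['status']:<16} fix: {row['fix']}")
```

The check is deliberately inclusive at both ends because the advisory phrases the range that way; a device reporting a version below the lower bound is reported as not affected by these two CVEs, which says nothing about other, older issues, so treat that verdict as scoped to this advisory only.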
Security researchers from TRAPA Security and STAR Labs SG have been credited with discovering and reporting the flaws.
The advisory comes less than a month after Zyxel shipped fixes for another critical security flaw in its firewall devices that could be exploited to achieve remote code execution on affected systems.
The issue, tracked as CVE-2023-28771 (CVSS score: 9.8), was also credited to TRAPA Security, with the networking equipment maker blaming it on improper error message handling. It has since come under active exploitation by threat actors associated with the Mirai botnet.