Zyxel Points Important Safety Patches for Firewall and VPN Merchandise

Might 25, 2023Ravie LakshmananCommunity Safety / Vulnerability

Zyxel has launched software program updates to deal with two important safety flaws affecting choose firewall and VPN merchandise that could possibly be abused by distant attackers to attain code execution.

Each the issues – CVE-2023-33009 and CVE-2023-33010 – are buffer overflow vulnerabilities and are rated 9.8 out of 10 on the CVSS scoring system.

A quick description of the 2 points is under –

• CVE-2023-33009 – A buffer overflow vulnerability within the notification perform that might allow an unauthenticated attacker to trigger a denial-of-service (DoS) situation and distant code execution.
• CVE-2023-33010 – A buffer overflow vulnerability within the ID processing perform that might allow an unauthenticated attacker to trigger a denial-of-service (DoS) situation and distant code execution.

The next gadgets are impacted –

• ATP (variations ZLD V4.32 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2)
• USG FLEX (variations ZLD V4.50 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2)
• USG FLEX50(W) / USG20(W)-VPN (variations ZLD V4.25 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2)
• VPN (variations ZLD V4.30 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2), and
• ZyWALL/USG (variations ZLD V4.25 to V4.73 Patch 1, patched in ZLD V4.73 Patch 2)

Safety researchers from TRAPA Safety and STAR Labs SG have been credited with discovering and reporting the issues.

The advisory comes lower than a month after Zyxel shipped fixes for an additional important safety flaw in its firewall gadgets that could possibly be exploited to attain distant code execution on affected techniques.

The problem, tracked as CVE-2023-28771 (CVSS rating: 9.8), was additionally credited to TRAPA Safety, with the networking tools maker blaming it on improper error message dealing with. It has since come beneath energetic exploitation by risk actors related to the Mirai botnet.