Other official information and services: www.belgium.be

Warning - Remote root code execution vulnerabilities in Zyxel firewall/VPN appliances

Referentie:

Advisory #2023-63

Versie:

1.0

Geïmpacteerde software:

Zyxel firewall/VPN appliances:

ATP ZLD V4.32 to V5.36 Patch 1

USG flex ZLD V4.50 to V5.36 Patch 1

USG FLEX50(W) / USG20(W)-VPN ZLD V4.25 to V5.36 Patch 1

VPN ZLD V4.30 to V5.36 Patch 1

ZyWALL/USG ZLD V4.25 to V4.73 Patch 1

Type:

Denial of Service / Remote Code Execution (RCE)

CVE/CVSS:

CVE-2023-33009
CVE-2023-33010

Datum:

30/05/2023

Bronnen

Zyxel - https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-buffer-overflow-vulnerabilities-of-firewalls

NVD - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33009

NVD - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33010

Risico’s

Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to trigger DoS conditions and/or remote code execution on an affected device. Although no proof of concept (PoC) exploit is available yet, future exploitation is expected.

Beschrijving

CVE-2023-33009 concerns a buffer overflow vulnerability in the notification function in some firewall versions could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device.

CVE-2023-330010 concerns a buffer overflow vulnerability in the ID processing function in some firewall versions could allow an unauthenticated attacker to cause DoS conditions and even a remote code execution on an affected device.

Based on their description both vulnerabilities are related to Internet Key Exchange (IKE). This protocol is used for VPN access via IPSec (udp/500) and by consequence these vulnerabilities concern an internet-facing service. No PoC is available but since hackers commonly target firewall/VPN appliances using recently patched vulnerabilities, future exploitation is expected.

Aanbevolen acties

Since it is not uncommon for hackers to target Zyxel devices using recently patched vulnerabilities, the Centre for Cyber Security Belgium strongly recommends system administrators to take the following actions in order to mitigate the impact of this vulnerability in the most efficient way.

Workaround

In case your company does not require VPN access via IPSec, please reduce your attack surface by disabling the VPN IPSec service if it is still available.

Patch

Zyxel provides patches for all mentioned appliances. Please upgrade to the vendor recommended version (or higher) after thorough testing and keep an eye out for future security bulletins.

Monitor/detect

The CCB recommends organisations to upscale monitoring and detection capabilities and to detect any related suspicious activity, ensuring a fast response in case of an intrusion.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

Considered the current exploitation of the recently disclosed CVE-2023-28771 this is a likely scenario.

When applying patches to systems that have been vulnerable to an RCE exploit, a proactive threat assessment should be performed to verify no exploitation occurred in the time between a patch becoming available and being applied.

Referenties

CERT.be advisory - https://cert.be/en/warning-critical-vulnerability-zyxel-firewalls-poc-av...

Shadowserver warning - https://infosec.exchange/@shadowserver/110442626213838177