Major firewall maker alerts customers to vulnerabilities

CISA warns of active attacks

Taiwan's Zyxel is alerting customers about multiple buffer overflow vulnerabilities found in its firewall and VPN devices.

The warning follows reports of widespread exploitation of a critical-severity command injection flaw, tracked as CVE-2023-28771, present in Zyxel's networking devices.

Zyxel is also highlighting two other vulnerabilities, CVE-2023-33009 and CVE-2023-33010, which attackers can exploit to compromise vulnerable networks and execute malicious code.

According to BleepingComputer, botnets are actively exploiting CVE-2023-28771 for remote command execution attacks, using malicious packets to infect devices.

The vulnerability stems from improper error message handling in the affected firewall or VPN device's default configuration. Exploiting the flaw involves using a specifically crafted IKEv2 packet sent to UDP port 500 on the device.

The US Cybersecurity and Infrastructure Security Agency (CISA) has warned that attackers are actively exploiting CVE-2023-28771.

Buffer overflow flaws

The second and third vulnerabilities, CVE-2023-33009 and CVE-2023-33010, both relate to buffer overflow issues in Zyxel's ATP series firmware.

CVE-2023-33009 is related to a flaw in the notification function.

An unauthenticated attacker could exploit the vulnerability to launch a denial-of-service (DoS) attack against susceptible appliances. It could also enable remote code execution.

CVE-2023-33010 references a buffer overflow vulnerability in the ID processing function.

Like CVE-2023-33009, this flaw could enable an unauthenticated attacker to trigger DoS conditions or achieve remote code execution on a compromised device.

"Zyxel recently became aware of a cyberattack targeting our ZyWALL devices. These vulnerabilities already have patches - we took immediate action as soon as we became aware of them, and have released patches, as well as security advisories for CVE-2023-28771, CVE-2023-33009, and CVE-2023-33010," Zyxel said.

"Zyxel has been urging users to install the patches through multiple channels, including issuing several security advisory newsletters to registered users and advisory subscribers; notifying users to upgrade via the Web GUI's push notification for on-premises devices; and enforcing scheduled firmware upgrades for cloud-based devices that haven't yet done so."

The following products are affected by these vulnerabilities:

Zyxel says compromised devices experience unresponsiveness, rendering their Web GUI or SSH management panel inaccessible. Symptoms of attacks also include frequent network interruptions and unstable VPN connections.

To address these vulnerabilities, Zyxel recommends applying the available security updates.

For ATP-ZLD, USG FLEX and VPN-ZLD devices, users should install ZLD V5.36 Patch 2. For ZyWALL devices, the recommended update is ZLD V4.73 Patch 2.

If updating the devices is not currently possible, system administrators are advised to implement specific mitigation measures.

One effective measure is to disable HTTP/HTTPS services from the WAN. This makes vulnerable endpoints inaccessible to remote attackers.

If administrators require the ability to manage devices over the WAN, an alternative approach is to enable policy control and configure rules that permit access only from trusted IP addresses.
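The remediation guidance above boils down to two checks an administrator can run across a fleet: is each device at or above the fixed firmware level (ZLD V5.36 Patch 2 for ATP, USG FLEX and VPN; ZLD V4.73 Patch 2 for ZyWALL), and if not, is HTTP/HTTPS management either disabled on the WAN or restricted by policy control to trusted source addresses? The following Python script is an added example, not Zyxel's code or tooling; the `Device` record, its `wan_mgmt_enabled` and `wan_mgmt_sources` fields, and the inventory entries are constructed for illustration and do not reflect Zyxel's actual configuration syntax. The fixed-version numbers are taken from the article text.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Fixed firmware levels as stated in the advisory summary above (assumption: the
# family names are normalized to these upper-case keys by the caller).
FIXED_VERSION = {
    "ATP": (5, 36, 2),
    "USG FLEX": (5, 36, 2),
    "VPN": (5, 36, 2),
    "ZYWALL": (4, 73, 2),
}

# Matches strings such as "ZLD V5.36 Patch 2" or "ZLD V4.73" (no patch suffix).
VERSION_RE = re.compile(r"ZLD\s+V(\d+)\.(\d+)(?:\s+Patch\s+(\d+))?", re.IGNORECASE)


def parse_zld_version(text):
    """Return (major, minor, patch) for a ZLD firmware string, or None if unparseable.
    A missing 'Patch N' suffix is treated as patch 0."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_patched(family, firmware):
    """True if the firmware is at or above the fixed level for the product family.
    An unparseable firmware string is treated as unpatched (cannot be confirmed)."""
    key = family.upper()
    if key not in FIXED_VERSION:
        raise ValueError(f"unknown product family: {family}")
    version = parse_zld_version(firmware)
    return version is not None and version >= FIXED_VERSION[key]


@dataclass
class Device:
    name: str
    family: str
    firmware: str
    wan_mgmt_enabled: bool                      # HTTP/HTTPS management reachable from WAN
    wan_mgmt_sources: list = field(default_factory=list)  # CIDRs allowed by policy control


def wan_management_restricted(device, trusted_networks):
    """True if WAN management is disabled, or enabled but limited to trusted networks.
    An enabled service with no restricting rule is open to any source and fails."""
    if not device.wan_mgmt_enabled:
        return True
    if not device.wan_mgmt_sources:
        return False
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    for src in device.wan_mgmt_sources:
        net = ipaddress.ip_network(src)
        # subnet_of() only accepts networks of the same IP version, so filter first.
        same_version = [t for t in trusted if t.version == net.version]
        if not any(net.subnet_of(t) for t in same_version):
            return False
    return True


def assess(device, trusted_networks):
    """Classify a device as 'patched', 'mitigated' (unpatched but WAN management
    disabled or restricted) or 'exposed' (unpatched and reachable from untrusted WAN)."""
    if is_patched(device.family, device.firmware):
        return "patched"
    if wan_management_restricted(device, trusted_networks):
        return "mitigated"
    return "exposed"


def assess_inventory(devices, trusted_networks):
    """Map each device name to its status so the exposed ones can be prioritized."""
    return {d.name: assess(d, trusted_networks) for d in devices}


# Constructed sample inventory; addresses are documentation ranges, not real hosts.
TRUSTED_ADMIN_NETWORKS = ["203.0.113.0/24", "198.51.100.0/24"]
INVENTORY = [
    Device("fw-hq", "ATP", "ZLD V5.36 Patch 2", True, ["0.0.0.0/0"]),
    Device("fw-branch", "USG FLEX", "ZLD V5.36 Patch 1", False),
    Device("fw-dc", "VPN", "ZLD V5.35", True, ["203.0.113.0/24"]),
    Device("fw-legacy", "ZyWALL", "ZLD V4.73 Patch 1", True, ["0.0.0.0/0"]),
]

if __name__ == "__main__":
    for name, status in assess_inventory(INVENTORY, TRUSTED_ADMIN_NETWORKS).items():
        print(f"{name}: {status}")
```

Running the script lists one device per line with its status; `exposed` entries are the ones that need either the patch or one of the two mitigations applied first. The version comparison deliberately treats an unparseable firmware string as unpatched, so a device with a missing or odd inventory record surfaces for manual review rather than silently passing.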

In April, Zyxel released patches to fix another critical vulnerability that enabled attackers to get admin-level access to a wide range of firewalls and VPN products sold by the company.

The flaw, CVE-2022-0342, affected the company's USG Flex, USG/ZyWALL, ATP VPN and NSG (Nebula Security Gateway) range of enterprise VPN and firewall devices.