Zyxel firewall and VPN products have been found to contain two critical-severity buffer overflow vulnerabilities that can be exploited by unauthenticated attackers. The affected products include ATP, USG FLEX, USG FLEX50(W) and USG20(W)-VPN, VPN, and ZyWall/USG. Zyxel has released a security advisory to inform users of these products about the vulnerabilities and to state which patch levels contain the fix.
The first vulnerability patched, tracked as CVE-2023-33009, has been assigned a critical severity rating and a CVSS base score of 9.8. This buffer overflow occurs in the notification function of the affected products, where more data is written into a buffer than it can hold. An unauthenticated attacker can exploit this flaw to cause a denial of service on the vulnerable product and to achieve remote code execution on the affected device.
The second vulnerability fixed in this update is tracked as CVE-2023-33010. This is also a buffer overflow flaw, with a critical severity rating and a CVSS base score of 9.8. It is found in the ID processing function of the affected products and can likewise be exploited by an unauthenticated attacker. A successful exploit of this flaw would also result in denial of service conditions on the vulnerable products and can allow remote code execution on the affected device.
For users of the ATP, USG FLEX, USG FLEX50(W) and USG20(W)-VPN, and VPN firewall products, the patch is available in ZLD V5.36 Patch 2. Users currently running ZLD V5.36 Patch 1 or earlier on these products are likely to be vulnerable to these flaws and should apply the most recent update as soon as possible. For users of the ZyWall/USG series, the affected versions are ZLD V4.25 to V4.73 Patch 1, so users need to update to at least ZLD V4.73 Patch 2 to ensure the proper fixes for these flaws have been applied.
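The paragraph above gives the affected and fixed ZLD versions per product family, which is exactly what an administrator needs to triage an inventory of Zyxel devices. The following is an added example, not Zyxel's tooling or anything from the advisory itself: it parses "V5.36 Patch 1"-style version strings and compares them against the version boundaries stated above. The product-family labels, the version-string format, the function names and the sample inventory are assumptions made for this example; only the version numbers come from the text.

```python
"""Triage Zyxel ZLD firmware versions against the ranges stated for
CVE-2023-33009 / CVE-2023-33010.

Added example, not Zyxel's own code. The version boundaries are taken from
the advisory summary above; the family names, the "V5.36 Patch 1" parsing
and the inventory below are assumptions made for illustration.
"""
import re

# Accepts "V5.36 Patch 2", "v4.73", "4.73 patch 1"; a missing Patch means patch 0.
_VERSION_RE = re.compile(r"^\s*V?(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?\s*$", re.IGNORECASE)


def parse_zld(version: str) -> tuple:
    """Turn 'V5.36 Patch 1' into the comparable tuple (5, 36, 1)."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


# First fixed release per family, from the advisory summary:
#   ATP / USG FLEX / USG FLEX50(W) / USG20(W)-VPN / VPN  -> ZLD V5.36 Patch 2
#   ZyWall/USG                                           -> ZLD V4.73 Patch 2
FIXED_IN = {
    "ATP": (5, 36, 2),
    "USG FLEX": (5, 36, 2),
    "USG FLEX50(W)": (5, 36, 2),
    "USG20(W)-VPN": (5, 36, 2),
    "VPN": (5, 36, 2),
    "ZyWall/USG": (4, 73, 2),
}

# Lower bound of the affected range where the advisory states one
# (ZyWall/USG: V4.25 to V4.73 Patch 1). Older builds are not covered by
# the text, so they are reported separately rather than assumed safe.
AFFECTED_FROM = {"ZyWall/USG": (4, 25, 0)}


def assess(family: str, version: str) -> str:
    """Return 'patched', 'vulnerable' or 'outside advisory range'."""
    fixed = FIXED_IN[family]
    v = parse_zld(version)
    if v >= fixed:
        return "patched"
    lower = AFFECTED_FROM.get(family)
    if lower is not None and v < lower:
        return "outside advisory range"
    return "vulnerable"


def triage(inventory):
    """Map (hostname, family, version) rows to (hostname, family, version, status)."""
    return [(host, fam, ver, assess(fam, ver)) for host, fam, ver in inventory]


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "USG FLEX", "V5.36 Patch 1"),
    ("fw-edge-02", "USG FLEX", "V5.36 Patch 2"),
    ("fw-branch-03", "ATP", "V5.35"),
    ("fw-legacy-04", "ZyWall/USG", "V4.73 Patch 1"),
    ("fw-legacy-05", "ZyWall/USG", "V4.73 Patch 2"),
    ("fw-legacy-06", "ZyWall/USG", "V4.20"),
]

if __name__ == "__main__":
    for host, fam, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {fam:14} {ver:16} {status}")
```

Devices reported as "vulnerable" need the update described above; "outside advisory range" flags builds older than the range the advisory lists, which should be checked against the vendor's full advisory rather than assumed unaffected.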