CVE-2023-28770: Zyxel security advisory for multiple vulnerabilities | Zyxel Networks

The sensitive information exposure vulnerability in the CGI “Export_Log” and the binary “zcmd” in Zyxel DX5401-B0 firmware versions prior to V5.17(ABYO.1)C0 could allow a remote unauthenticated attacker to read the system files and to retrieve the password of the supervisor from the encrypted file.

Summary

Zyxel is aware of multiple vulnerabilities reported by our security consultancy partner, SEC Consult, and advises users to install the applicable firmware updates for optimal protection.

What are the vulnerabilities?

There are eight vulnerabilities, identified as follows.

  1. Multiple buffer overflow vulnerabilities were discovered in the web server of the affected devices.
  2. The CGI program lacks a proper permission control mechanism, which could allow an attacker to read sensitive files on the devices.
  3. Insufficiently protected credentials in the configuration file of the devices could allow an attacker to retrieve the passwords.
  4. Command injection vulnerabilities were found in the diagnostic tool and the certificate upload interface of the devices.
  5. Access control vulnerabilities in the devices could allow a less privileged user to access functionality of a more privileged role.
  6. An improper symbolic link processing vulnerability in the FTP server could allow an attacker to gain read access to the root file system.
  7. A security flaw was found in the API of the devices that could be abused without authentication in order to obtain a new session key.
  8. A cross-site scripting vulnerability was identified in the printer name field of the print server menu within the web interface of the devices.

What versions are vulnerable, and what should you do?

After a thorough investigation, we’ve identified the affected products that are within their warranty and support period, as shown in the link here. If a product is not listed, it is not affected or has reached end-of-life. We encourage users to install the applicable updates for optimal protection.

Please note that the table in the link provided does NOT include customized models for internet service providers (ISPs).

If you are an ISP, please contact your Zyxel sales or service representative for further details.

If you are an end-user who received your Zyxel device from an ISP, please reach out to the ISP’s support team directly, as the device may have custom-built settings.

If you are an end-user who purchased your Zyxel device yourself, please contact your local Zyxel support team or visit our forum for further assistance.

Got a question?

Please contact your local service rep or visit Zyxel’s forum for further information or assistance.

Acknowledgment

Thanks to SEC Consult for reporting the issues to us.

Revision history

2022-2-15: Initial release

Related news

Zyxel Chained Remote Code Execution

This Metasploit module exploits multiple vulnerabilities in the zhttpd binary (/bin/zhttpd) and zcmd binary (/bin/zcmd). It is present on more than 40 Zyxel routers and CPE devices. The remote code execution vulnerability can be exploited by chaining the local file disclosure vulnerability in the zhttpd binary that allows an unauthenticated attacker to read the entire configuration of the router via the vulnerable endpoint /Export_Log?/data/zcfg_config.json. With this information disclosure, the attacker can determine if the router is reachable via ssh and use the second vulnerability in the zcmd binary to derive the supervisor password exploiting a weak implementation of a password derivation algorithm using the device serial number. After exploitation, an attacker will be able to execute any command as user supervisor.
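For defenders, the unauthenticated read through the Export_Log CGI described above leaves a distinctive trace in the device's or a reverse proxy's web access log: a GET to /Export_Log whose raw query string is an absolute file path. The following is an added detection example written for this page (not Zyxel's or the Metasploit module's code); it assumes Common Log Format lines and uses constructed sample entries.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Feb/2022:10:01:12 +0000] "GET /Export_Log?/data/zcfg_config.json HTTP/1.1" 200 48213
198.51.100.4 - - [15/Feb/2022:10:02:03 +0000] "GET /login/login.html HTTP/1.1" 200 5120
203.0.113.7 - - [15/Feb/2022:10:02:40 +0000] "GET /Export_Log?%2Fdata%2Fzcfg_config.json HTTP/1.1" 200 48213
198.51.100.9 - - [15/Feb/2022:10:03:11 +0000] "GET /Export_Log?log=system HTTP/1.1" 200 2048
"""

# Minimal CLF parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_export_log_file_read(target):
    """True when the request target is the Export_Log CGI with a raw absolute
    file path (URL-encoded or not) as its query string, the pattern the
    advisory and module description associate with the config disclosure."""
    path, sep, query = target.partition("?")
    if path != "/Export_Log" or not sep:
        return False
    query = unquote(query)
    # A legitimate query carries key=value pairs; a file read starts with "/"
    # or tries to walk the tree with "..".
    return query.startswith("/") or ".." in query


def find_suspicious(log_text):
    """Return (client_ip, decoded_requested_path, status) for each hit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed CLF
        if is_export_log_file_read(m["target"]):
            requested = unquote(m["target"].split("?", 1)[1])
            hits.append((m["ip"], requested, int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, requested, status in find_suspicious(SAMPLE_LOG):
        print(f"{ip} read {requested} via /Export_Log (HTTP {status})")
```

A 200 response on such a request is the strongest signal, since it indicates the file was actually served; a 404 or 403 still records an attempt worth correlating with later SSH logins as supervisor.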
