CVE-2022-0910: Zyxel security advisory for multiple vulnerabilities of firewalls, AP controllers, and APs

A vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.32 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, and VPN series firmware versions 4.32 through 5.21 permits a downgrade from two-factor authentication to one-factor authentication. It could allow an authenticated attacker to bypass the second authentication phase and connect to the IPsec VPN server even though two-factor authentication (2FA) was enabled.

CVEs: CVE-2022-0734, CVE-2022-26531, CVE-2022-26532, CVE-2022-0910

Summary

Zyxel is aware of multiple vulnerabilities reported by security consultancies and advises users to install the applicable firmware updates for optimal protection.

What are the vulnerabilities?

CVE-2022-0734

A cross-site scripting vulnerability was identified in the CGI program of some firewall versions that could allow an attacker to obtain some information stored in the user’s browser, such as cookies or session tokens, via a malicious script.

CVE-2022-26531

Multiple improper input validation flaws were identified in some CLI commands of some firewall, AP controller, and AP versions that could allow a local authenticated attacker to cause a buffer overflow or a system crash via a crafted payload.

CVE-2022-26532

A command injection vulnerability in the “packet-trace” CLI command of some firewall, AP controller, and AP versions could allow a local authenticated attacker to execute arbitrary OS commands by including crafted arguments to the command.

CVE-2022-0910

An authentication bypass vulnerability caused by the lack of a proper access control mechanism has been found in the CGI program of some firewall versions. The flaw could allow an attacker to downgrade from two-factor authentication to one-factor authentication via an IPsec VPN client.

What versions are vulnerable—and what should you do?

After a thorough investigation, we’ve identified the vulnerable products that are within their vulnerability support period and released patches to address the CVEs, as shown in the tables below.

Table 1. Firewalls affected by CVE-2022-0734, CVE-2022-26531, CVE-2022-26532, and CVE-2022-0910

| Firewall | Affected version: CVE-2022-0734 | Affected version: CVE-2022-26531 | Affected version: CVE-2022-26532 | Affected version: CVE-2022-0910 | Patch availability |
|---|---|---|---|---|---|
| USG/ZyWALL | ZLD V4.35~V4.70 | ZLD V4.09~V4.71 | ZLD V4.09~V4.71 | ZLD V4.32~V4.71 | ZLD V4.72 |
| USG FLEX | ZLD V4.50~V5.20 | ZLD V4.50~V5.21 | ZLD V4.50~V5.21 | ZLD V4.50~V5.21 | ZLD V5.30 |
| ATP | ZLD V4.35~V5.20 | ZLD V4.32~V5.21 | ZLD V4.32~V5.21 | ZLD V4.32~V5.21 | ZLD V5.30 |
| VPN | ZLD V4.35~V5.20 | ZLD V4.30~V5.21 | ZLD V4.30~V5.21 | ZLD V4.32~V5.21 | ZLD V5.30 |
| NSG | Not affected | V1.00~V1.33 Patch 4 | V1.00~V1.33 Patch 4 | Not affected | V1.33 Patch 5 |
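For fleet triage against Table 1, the following added example (not part of Zyxel's advisory) parses the `~` range notation and reports which CVEs apply to a given firmware version. It assumes the ranges are inclusive, compares only the major.minor number, covers the four ZLD series (NSG is left out), and uses hypothetical device names in a constructed inventory.

```python
import re

# Table 1 of this advisory, ZLD series only (NSG's "Patch N" scheme is omitted).
# Ranges are copied as printed and assumed inclusive on both ends.
TABLE_1 = {
    "USG/ZyWALL": ("V4.72", {
        "CVE-2022-0734": "V4.35~V4.70", "CVE-2022-26531": "V4.09~V4.71",
        "CVE-2022-26532": "V4.09~V4.71", "CVE-2022-0910": "V4.32~V4.71"}),
    "USG FLEX": ("V5.30", {
        "CVE-2022-0734": "V4.50~V5.20", "CVE-2022-26531": "V4.50~V5.21",
        "CVE-2022-26532": "V4.50~V5.21", "CVE-2022-0910": "V4.50~V5.21"}),
    "ATP": ("V5.30", {
        "CVE-2022-0734": "V4.35~V5.20", "CVE-2022-26531": "V4.32~V5.21",
        "CVE-2022-26532": "V4.32~V5.21", "CVE-2022-0910": "V4.32~V5.21"}),
    "VPN": ("V5.30", {
        "CVE-2022-0734": "V4.35~V5.20", "CVE-2022-26531": "V4.30~V5.21",
        "CVE-2022-26532": "V4.30~V5.21", "CVE-2022-0910": "V4.32~V5.21"}),
}

def parse_version(text):
    """Return (major, minor) from strings such as 'V5.21' or 'ZLD V4.09'."""
    match = re.search(r"(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError(f"no version number in {text!r}")
    return int(match.group(1)), int(match.group(2))

def affected_cves(series, version):
    """List the Table 1 CVEs whose affected range contains this version."""
    current = parse_version(version)
    hits = []
    for cve, span in TABLE_1[series][1].items():
        low, high = (parse_version(part) for part in span.split("~"))
        if low <= current <= high:
            hits.append(cve)
    return hits

def triage(inventory):
    """Map each affected device to its open CVEs and the fixed release."""
    report = {}
    for name, series, version in inventory:
        hits = affected_cves(series, version)
        if hits:
            report[name] = {"cves": hits, "upgrade_to": TABLE_1[series][0]}
    return report

# Constructed sample inventory: (hypothetical device name, series, firmware).
SAMPLE_INVENTORY = [("branch-fw-1", "USG FLEX", "V5.21"), ("hq-fw-1", "ATP", "V5.30"),
                    ("lab-fw-1", "USG/ZyWALL", "ZLD V4.20")]
print(triage(SAMPLE_INVENTORY))
```

A version that falls outside every range in the table is reported as clean only with respect to these four CVEs.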

Table 2. AP controllers affected by CVE-2022-26531 and CVE-2022-26532

| AP Controller | Affected version (CVE-2022-26531 and CVE-2022-26532) | Patch availability |
|---|---|---|
| NXC2500 | 6.10(AAIG.3) and earlier | Hotfix by request* |
| NXC5500 | 6.10(AAOS.3) and earlier | Hotfix by request* |

Table 3. APs affected by CVE-2022-26531 and CVE-2022-26532

| AP | Affected version (CVE-2022-26531 and CVE-2022-26532) | Patch availability |
|---|---|---|
| NAP203 | 6.25(ABFA.7) and earlier | 6.25(ABFA.8) |
| NAP303 | 6.25(ABEX.7) and earlier | 6.25(ABEX.8) |
| NAP353 | 6.25(ABEY.7) and earlier | 6.25(ABEY.8) |
| NWA50AX | 6.25(ABYW.5) and earlier | 6.25(ABYW.8) |
| NWA55AXE | 6.25(ABZL.5) and earlier | 6.25(ABZL.8) |
| NWA90AX | 6.27(ACCV.2) and earlier | 6.27(ACCV.3) |
| NWA110AX | 6.30(ABTG.2) and earlier | 6.30(ABTG.3) |
| NWA210AX | 6.30(ABTD.2) and earlier | 6.30(ABTD.3) |
| NWA1123-AC-HD | 6.25(ABIN.6) and earlier | 6.25(ABIN.8) |
| NWA1123-AC-PRO | 6.25(ABHD.7) and earlier | 6.25(ABHD.8) |
| NWA1123ACv3 | 6.30(ABVT.2) and earlier | 6.30(ABVT.3) |
| NWA1302-AC | 6.25(ABKU.6) and earlier | 6.25(ABKU.8) |
| NWA5123-AC-HD | 6.25(ABIM.6) and earlier | 6.25(ABIM.8) |
| WAC500H | 6.30(ABWA.2) and earlier | 6.30(ABWA.3) |
| WAC500 | 6.30(ABVS.2) and earlier | 6.30(ABVS.3) |
| WAC5302D-S | 6.10(ABFH.10) and earlier | Hotfix by request* |
| WAC5302D-Sv2 | 6.25(ABVZ.6) and earlier | 6.25(ABVZ.8) |
| WAC6103D-I | 6.25(AAXH.7) and earlier | 6.25(AAXH.8) |
| WAC6303D-S | 6.25(ABGL.6) and earlier | 6.25(ABGL.8) |
| WAC6502D-E | 6.25(AASD.7) and earlier | 6.25(AASD.8) |
| WAC6502D-S | 6.25(AASE.7) and earlier | 6.25(AASE.8) |
| WAC6503D-S | 6.25(AASF.7) and earlier | 6.25(AASF.8) |
| WAC6553D-E | 6.25(AASG.7) and earlier | 6.25(AASG.8) |
| WAC6552D-S | 6.25(ABIO.7) and earlier | 6.25(ABIO.8) |
| WAX510D | 6.30(ABTF.2) and earlier | 6.30(ABTF.3) |
| WAX610D | 6.30(ABTE.2) and earlier | 6.30(ABTE.3) |
| WAX630S | 6.30(ABZD.2) and earlier | 6.30(ABZD.3) |
| WAX650S | 6.30(ABRM.2) and earlier | 6.30(ABRM.3) |

*Please reach out to your local Zyxel support team for the file.

Got a question?

Please contact your local service rep or visit Zyxel’s forum for further information or assistance.

Acknowledgment

Thanks to the following security consultancies for reporting the issues to us:

  • Riccardo Krauter at Soter IT Security for CVE-2022-0734
  • HN Security for CVE-2022-26531 and CVE-2022-26532
  • Ascend PC for CVE-2022-0910

Revision history

2022-05-24: Initial release
