CVE-2023-5650: Zyxel security advisory for multiple vulnerabilities in firewalls and APs | Zyxel Networks
An improper privilege management vulnerability in the ZySH of the Zyxel ATP series firmware versions 4.32 through 5.37, USG FLEX series firmware versions 4.50 through 5.37, USG FLEX 50(W) series firmware versions 4.16 through 5.37, USG20(W)-VPN series firmware versions 4.16 through 5.37, and VPN series firmware versions 4.30 through 5.37, could allow an authenticated local attacker to modify the URL of the registration page in the web GUI of an affected device.
CVEs: CVE-2023-35136, CVE-2023-35139, CVE-2023-37925, CVE-2023-37926, CVE-2023-4397, CVE-2023-4398, CVE-2023-5650, CVE-2023-5797, CVE-2023-5960
Summary
Zyxel has released patches addressing multiple vulnerabilities in some firewall and access point (AP) versions. Users are advised to install the patches for optimal protection.
What are the vulnerabilities?
CVE-2023-35136
An improper input validation vulnerability in the “Quagga” package of some firewall versions could allow an authenticated local attacker to access configuration files on an affected device.
CVE-2023-35139
A cross-site scripting (XSS) vulnerability in the CGI program of some firewall versions could allow an unauthenticated LAN-based attacker to store malicious scripts in a vulnerable device. A successful XSS attack could then result in the stored malicious scripts being executed to steal cookies when the user visits the specific CGI used for dumping ZTP logs.
CVE-2023-37925
An improper privilege management vulnerability in the debug CLI command of some firewall and AP versions could allow an authenticated local attacker to access system files on an affected device.
CVE-2023-37926
A buffer overflow vulnerability in some firewall versions could allow an authenticated local attacker to cause denial-of-service (DoS) conditions by executing the CLI command to dump system logs on an affected device.
CVE-2023-4397
A buffer overflow vulnerability in some firewall versions could allow an authenticated local attacker with administrator privileges to cause DoS conditions by executing the CLI command with crafted strings on an affected device.
CVE-2023-4398
An integer overflow vulnerability in the source code of the QuickSec IPSec toolkit used in the VPN feature of some firewall versions could allow a remote unauthenticated attacker to cause DoS conditions on an affected device by sending a crafted IKE packet.
CVE-2023-5650
An improper privilege management vulnerability in the ZySH of some firewall versions could allow an authenticated local attacker to modify the URL of the registration page in the web GUI of an affected device.
CVE-2023-5797
An improper privilege management vulnerability in the debug CLI command of some firewall and AP versions could allow an authenticated local attacker to access the administrator’s logs on an affected device.
CVE-2023-5960
An improper privilege management vulnerability in the hotspot feature of some firewall versions could allow an authenticated local attacker to access the system files on an affected device.
What versions are vulnerable—and what should you do?
After a thorough investigation, we have identified the vulnerable products that are within their vulnerability support period and released updates to address the vulnerabilities, as shown in the following tables.
Table 1. Firewalls affected by CVE-2023-35136, CVE-2023-35139, CVE-2023-37925, CVE-2023-37926, CVE-2023-4397, CVE-2023-4398, CVE-2023-5650, CVE-2023-5797, and CVE-2023-5960 (each CVE column gives the affected version for that CVE)
Firewall series | CVE-2023-35136 | CVE-2023-35139 | CVE-2023-37925 | CVE-2023-37926 | CVE-2023-4397 | CVE-2023-4398 | CVE-2023-5650 | CVE-2023-5797 | CVE-2023-5960 | Patch availability
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
ATP | ZLD V4.32 to V5.37 | ZLD V5.10 to V5.37 | ZLD V4.32 to V5.37 | ZLD V4.32 to V5.37 | ZLD V5.37 | ZLD V4.32 to V5.37 | ZLD V4.32 to V5.37 | ZLD V4.32 to V5.37 | Not affected | ZLD V5.37 Patch 1
USG FLEX | ZLD V4.50 to V5.37 | ZLD V5.00 to V5.37 | ZLD V4.50 to V5.37 | ZLD V4.50 to V5.37 | ZLD V5.37 | ZLD V4.50 to V5.37 | ZLD V4.50 to V5.37 | ZLD V4.50 to V5.37 | ZLD V4.50 to V5.37 | ZLD V5.37 Patch 1
USG FLEX 50(W) / USG20(W)-VPN | ZLD V4.16 to V5.37 | ZLD V5.10 to V5.37 | ZLD V4.16 to V5.37 | ZLD V4.16 to V5.37 | ZLD V5.37 | ZLD V4.16 to V5.37 | ZLD V4.16 to V5.37 | ZLD V4.16 to V5.37 | Not affected | ZLD V5.37 Patch 1
VPN | ZLD V4.30 to V5.37 | ZLD V5.00 to V5.37 | ZLD V4.30 to V5.37 | ZLD V4.30 to V5.37 | Not affected | ZLD V4.30 to V5.37 | ZLD V4.30 to V5.37 | ZLD V4.30 to V5.37 | ZLD V4.30 to V5.37 | ZLD V5.37 Patch 1
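As an added example that is not part of Zyxel's advisory, the Python below encodes Table 1 and reports which of the nine CVEs a firewall of a given series and ZLD version is still exposed to, treating ZLD V5.37 Patch 1 as the fixed release. The version-ordering rule it assumes (major.minor, with "Patch N" sorting after the base release of the same version) is an assumption, not something the advisory states.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed from Table 1 above. Every affected range ends at ZLD V5.37 and the
# fix for every firewall series is ZLD V5.37 Patch 1.
CVES = ["CVE-2023-35136", "CVE-2023-35139", "CVE-2023-37925", "CVE-2023-37926",
        "CVE-2023-4397", "CVE-2023-4398", "CVE-2023-5650", "CVE-2023-5797",
        "CVE-2023-5960"]
HIGH, FIXED = "ZLD V5.37", "ZLD V5.37 Patch 1"
# series -> (default lowest affected version, per-CVE overrides; None = "Not affected")
TABLE1: Dict[str, Tuple[str, Dict[str, Optional[str]]]] = {
    "ATP": ("ZLD V4.32", {"CVE-2023-35139": "ZLD V5.10", "CVE-2023-4397": "ZLD V5.37",
                          "CVE-2023-5960": None}),
    "USG FLEX": ("ZLD V4.50", {"CVE-2023-35139": "ZLD V5.00", "CVE-2023-4397": "ZLD V5.37"}),
    "USG FLEX 50(W) / USG20(W)-VPN": ("ZLD V4.16", {"CVE-2023-35139": "ZLD V5.10",
                                                    "CVE-2023-4397": "ZLD V5.37",
                                                    "CVE-2023-5960": None}),
    "VPN": ("ZLD V4.30", {"CVE-2023-35139": "ZLD V5.00", "CVE-2023-4397": None}),
}

def parse_zld(s: str) -> Tuple[int, int, int]:
    """'ZLD V5.37 Patch 1' -> (5, 37, 1); a bare release has patch level 0.
    Assumption: ZLD versions order by (major, minor) and 'Patch N' sorts after
    the base release of the same version."""
    m = re.fullmatch(r"(?:ZLD\s+)?V(\d+)\.(\d+)(?:\s+Patch\s+(\d+))?", s.strip(), re.I)
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {s!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def affecting_cves(series: str, version: str) -> List[str]:
    """CVEs from Table 1 that a firewall of `series` running `version` is exposed to.
    Versions below the listed range are outside the advisory's scope (likely out of
    support), so an empty list only means 'not listed', not 'safe'."""
    v = parse_zld(version)
    if v >= parse_zld(FIXED):
        return []  # Patch 1 or later carries the fixes for every CVE
    default_low, overrides = TABLE1[series]
    hits = []
    for cve in CVES:
        low = overrides.get(cve, default_low)
        if low is not None and parse_zld(low) <= v <= parse_zld(HIGH):
            hits.append(cve)
    return hits

if __name__ == "__main__":
    for series, ver in [("ATP", "ZLD V5.37"), ("VPN", "V4.35"), ("ATP", "ZLD V5.37 Patch 1")]:
        print(series, ver, "->", affecting_cves(series, ver) or "no listed CVE")
```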
Table 2. APs affected by CVE-2023-37925 and CVE-2023-5797
AP model | Affected version | Patch availability
--- | --- | ---
NWA50AX | 6.29(ABYW.2) and earlier | Hotfix by request*; standard patch 6.80(ABYW.0) in July 2024
NWA50AX-PRO | 6.65(ACGE.1) and earlier | Hotfix by request*; standard patch 6.80(ACGE.0) in July 2024
NWA55AXE | 6.29(ABZL.2) and earlier | Hotfix by request*; standard patch 6.80(ABZL.0) in July 2024
NWA90AX | 6.29(ACCV.2) and earlier | Hotfix by request*; standard patch 6.80(ACCV.0) in July 2024
NWA90AX-PRO | 6.65(ACGF.1) and earlier | Hotfix by request*; standard patch 6.80(ACGF.0) in July 2024
NWA110AX | 6.65(ABTG.1) and earlier | Hotfix by request*; standard patch 6.70(ABTG.0) in January 2024
NWA210AX | 6.65(ABTD.1) and earlier | Hotfix by request*; standard patch 6.70(ABTD.0) in January 2024
NWA220AX-6E | 6.65(ACCO.1) and earlier | Hotfix by request*; standard patch 6.70(ACCO.0) in January 2024
NWA1123ACv3 | 6.65(ABVT.1) and earlier | Hotfix by request*; standard patch 6.70(ABVT.0) in January 2024
WAC500 | 6.65(ABVS.1) and earlier | Hotfix by request*; standard patch 6.70(ABVS.0) in January 2024
WAC500H | 6.65(ABWA.1) and earlier | Hotfix by request*; standard patch 6.70(ABWA.0) in January 2024
WAX300H | 6.60(ACHF.1) and earlier | Hotfix by request*; standard patch 6.70(ACHF.0) in January 2024
WAX510D | 6.65(ABTF.1) and earlier | Hotfix by request*; standard patch 6.70(ABTF.0) in January 2024
WAX610D | 6.65(ABTE.1) and earlier | Hotfix by request*; standard patch 6.70(ABTE.0) in January 2024
WAX620D-6E | 6.65(ACCN.1) and earlier | Hotfix by request*; standard patch 6.70(ACCN.0) in January 2024
WAX630S | 6.65(ABZD.1) and earlier | Hotfix by request*; standard patch 6.70(ABZD.0) in January 2024
WAX640S-6E | 6.65(ACCM.1) and earlier | Hotfix by request*; standard patch 6.70(ACCM.0) in January 2024
WAX650S | 6.65(ABRM.1) and earlier | Hotfix by request*; standard patch 6.70(ABRM.0) in January 2024
WAX655E | 6.65(ACDO.1) and earlier | Hotfix by request*; standard patch 6.70(ACDO.0) in January 2024
WBE660S | 6.65(ACGG.1) and earlier | Hotfix by request*; standard patch 6.70(ACGG.0) in January 2024
*Please reach out to your local Zyxel support team for the file.
Got a question?
Please contact your local service rep or visit Zyxel’s Community for further information or assistance.
Acknowledgment
Thanks to the following security researchers and consultancies:
- Lê Hữu Quang Linh from STAR Labs SG for CVE-2023-35136
- Christopher Leech for CVE-2023-35139
- Alessandro Sgreccia from HackerHood for CVE-2023-37925, CVE-2023-37926, CVE-2023-4397, CVE-2023-5650, CVE-2023-5797, and CVE-2023-5960
- Lays and atdog from TRAPA Security for CVE-2023-4398
Revision history
2023-11-28: Initial release.