Widevine Trustlet versions 5.x suffer from a buffer overflow vulnerability in drm_save_keys at 0x6a18.

    1. INFORMATION--------------[+] CVE                : CVE-2022-48332[+] Title              : Buffer Overflow in Widevine Trustlet (drm_save_keys @ 0x6a18)[+] Vendor             : Google[+] Device             : Nexus 6[+] Affected component : Widevine[+] Publication date   : March 2023[+] Credits            : CyberIntel Team2. AFFECTED VERSIONS--------------------5.0.0 (LRX21O), 5.0.1 (LRX22C), 5.1.0 (LMY47D), 5.1.0 (LMY47E), 5.1.0 (LMY47I), 5.1.0 (LMY47M), 5.1.1 (LMY47Z), 5.1.1 (LMY48I), 5.1.1 (LMY48M), 5.1.1 (LMY48T), 5.1.1 (LMY48W), 5.1.1 (LMY48X), 5.1.1 (LMY48Y), 5.1.1 (LVY48C), 5.1.1 (LVY48E), 5.1.1 (LVY48F), 5.1.1 (LVY48H), 5.1.1 (LVY48I), 5.1.1 (LYZ28E), 5.1.1 (LYZ28J), 5.1.1 (LYZ28K), 5.1.1 (LYZ28M), 5.1.1 (LYZ28N)3. DETAILS----------Qualcomm Secure Execution Environment is one of the most widespread commercial TEE solutions in the smartphone space, used by many different devices such as Xiaomi, Motorola and several devices of the Google Nexus and Pixel series. Widevine is a Digital Rights Management (DRM) technology developed by Google to protect copyrighted content and to enable secure distribution and consumption of video and audio content. The technology involves encryption, licensing, and key management to ensure that content can only be decrypted and played back on authorized devices. An attacker with high privileges in Normal World can exploit the vulnerability to compromise the Trusted Application running in the Secure World, eventually executing arbitrary code and reading and/or modifying information of critical files, compromising the confidentiality and integrity of the system. On the other hand, the attacker is able to crash the Trusted Application, potentially resulting in a denial of service.The bug is present in Widevine’s drm_save_keys() command. This command closely resembles drm_verify_keys(), which has been featured in other blog entries (refer to CVE-2022-48333 and CVE-2022-48334).For more details and full proof of concept visit https://cyberintel.es/cve/CVE-2022-48332_Buffer_Overflow_in_Widevine_drm_save_keys_0x6a18/--Cyber Intel Team.Zero Lab - https://cyberintel.es/

Widevine Trustlet 5.x drm_save_keys Buffer Overflow

Widevine Trustlet versions 5.x suffer from a drm_save_keys related buffer overflow.

    1. INFORMATION--------------[+] CVE                : CVE-2022-48331[+] Title              : Buffer Overflow in Widevine Trustlet (drm_save_keys @ 0x69b0)[+] Vendor             : Google[+] Device             : Nexus 6[+] Affected component : Widevine[+] Publication date   : March 2023[+] Credits            : CyberIntel Team2. AFFECTED VERSIONS--------------------5.0.0 (LRX21O), 5.0.1 (LRX22C), 5.1.0 (LMY47D), 5.1.0 (LMY47E), 5.1.0 (LMY47I), 5.1.0 (LMY47M) 5.1.1 (LMY47Z), 5.1.1 (LMY48I), 5.1.1 (LMY48M), 5.1.1 (LMY48T), 5.1.1 (LMY48W), 5.1.1 (LMY48X), 5.1.1 (LMY48Y), 5.1.1 (LVY48C), 5.1.1 (LVY48E), 5.1.1 (LVY48F), 5.1.1 (LVY48H), 5.1.1 (LVY48I), 5.1.1 (LYZ28E), 5.1.1 (LYZ28J), 5.1.1 (LYZ28K), 5.1.1 (LYZ28M), 5.1.1 (LYZ28N)3. DETAILS----------Qualcomm Secure Execution Environment is one of the most widespread commercial TEE solutions in the smartphone space, used by many different devices such as Xiaomi, Motorola and several devices of the Google Nexus and Pixel series. Widevine is a Digital Rights Management (DRM) technology developed by Google to protect copyrighted content and to enable secure distribution and consumption of video and audio content. The technology involves encryption, licensing, and key management to ensure that content can only be decrypted and played back on authorized devices. An attacker with high privileges in Normal World can exploit the vulnerability to compromise the Trusted Application running in the Secure World, eventually executing arbitrary code and reading and/or modifying information of critical files, compromising the confidentiality and integrity of the system. On the other hand, the attacker is able to crash the Trusted Application, potentially resulting in a denial of service. The bug is present in Widevine’s drm_save_keys() command. This command closely resembles drm_verify_keys(), which has been featured in other blog entries (refer to CVE-2022-48333 and CVE-2022-48334).For more details and full proof of concept visit https://cyberintel.es/cve/CVE-2022-48331_Buffer_Overflow_in_Widevine_drm_save_keys_0x69b0/--Cyber Intel Team.Zero Lab - https://cyberintel.es/

Widevine Trustlet versions 5.x suffer from a buffer overflow vulnerability in drm_save_keys at 0x69b0.

==========================================================================  
Ubuntu Security Notice USN-6118-1  
May 30, 2023

linux-oracle, linux-oracle-5.4 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-oracle: Linux kernel for Oracle Cloud systems  
- linux-oracle-5.4: Linux kernel for Oracle Cloud systems

Details:

Zheng Wang discovered that the Intel i915 graphics driver in the Linux  
kernel did not properly handle certain error conditions, leading to a  
double-free. A local attacker could possibly use this to cause a denial of  
service (system crash). (CVE-2022-3707)

Jordy Zomer and Alexandra Sandulescu discovered that the Linux kernel did  
not properly implement speculative execution barriers in usercopy functions  
in certain situations. A local attacker could use this to expose sensitive  
information (kernel memory). (CVE-2023-0459)

It was discovered that the TLS subsystem in the Linux kernel contained a  
type confusion vulnerability in some situations. A local attacker could use  
this to cause a denial of service (system crash) or possibly expose  
sensitive information. (CVE-2023-1075)

It was discovered that the Reliable Datagram Sockets (RDS) protocol  
implementation in the Linux kernel contained a type confusion vulnerability  
in some situations. An attacker could use this to cause a denial of service  
(system crash). (CVE-2023-1078)

Xingyuan Mo discovered that the x86 KVM implementation in the Linux kernel  
did not properly initialize some data structures. A local attacker could  
use this to expose sensitive information (kernel memory). (CVE-2023-1513)

It was discovered that a use-after-free vulnerability existed in the iSCSI  
TCP implementation in the Linux kernel. A local attacker could possibly use  
this to cause a denial of service (system crash). (CVE-2023-2162)

It was discovered that the NET/ROM protocol implementation in the Linux  
kernel contained a race condition in some situations, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-32269)

Duoming Zhou discovered that a race condition existed in the infrared  
receiver/transceiver driver in the Linux kernel, leading to a use-after-  
free vulnerability. A privileged attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-1118)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   linux-image-5.4.0-1101-oracle   5.4.0-1101.110  
   linux-image-oracle-lts-20.04    5.4.0.1101.94

Ubuntu 18.04 LTS:  
   linux-image-5.4.0-1101-oracle   5.4.0-1101.110~18.04.1  
   linux-image-oracle              5.4.0.1101.110~18.04.73

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6118-1  
   CVE-2022-3707, CVE-2023-0459, CVE-2023-1075, CVE-2023-1078,  
   CVE-2023-1118, CVE-2023-1513, CVE-2023-2162, CVE-2023-32269

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-oracle/5.4.0-1101.110  
   https://launchpad.net/ubuntu/+source/linux-oracle-5.4/5.4.0-1101.110~18.04.1

Ubuntu Security Notice USN-6118-1

An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.

**List for announcements regarding Qt releases and development** announce at qt-project.org  
_Mon May 22 12:00:36 CEST 2023_

*   Previous message (by thread): \[Announce\] Security advisory: Qt SVG
*   Next message (by thread): \[Announce\] Qt Design Studio 4.1.0 released
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

A recent buffer overflow issue in Qt SVG has been reported and has been assigned the CVE id CVE-2023-32763.

This effects all Qt versions up to and including Qt 5.15.14, Qt 6.0.0->6.2.8 and Qt 6.3.0->6.5.0

When a SVG file with an image inside it is rendered, a QTextLayout overflow can be triggered.

Solution: Apply the following patch or update to Qt 5.15.15, Qt 6.2.9 or Qt 6.5.1

Patches:

dev: https://codereview.qt-project.org/c/qt/qtbase/+/476125
Qt 6.5: https://codereview.qt-project.org/c/qt/qtbase/+/476490 or https://download.qt.io/official\_releases/qt/6.5/CVE-2023-32763-qtbase-6.5.diff
Qt 6.2: https://download.qt.io/official\_releases/qt/6.2/CVE-2023-32763-qtbase-6.2.diff
Qt 5.15: https://download.qt.io/official\_releases/qt/5.15/CVE-2023-32763-qtbase-5.15.diff

Kind regards,
Andy
--
Andy Shaw
Director, Technical Customer Success 
The Qt Company

*   Previous message (by thread): \[Announce\] Security advisory: Qt SVG
*   Next message (by thread): \[Announce\] Qt Design Studio 4.1.0 released
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

More information about the Announce mailing list

CVE-2023-32763: [Announce] Security advisory: Qt SVG

A vulnerability classified as critical was found in Tenda AC6 US_AC6V1.0BR_V15.03.05.19. Affected by this vulnerability is the function fromDhcpListClient. The manipulation leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-230077 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Tenda AC6 Unauthorized stack overflow vulnerability

1.Affected version

US\_AC6V1.0BR\_V15.03.05.19

2.Firmware download address

资料下载\_腾达(Tenda)官方网站

3.Vulnerability details

The function "fromDhcpListClient" is vulnerable to a stack-based buffer overflow. When this function reads in a parameter supplied by the user, it passes the variable to the function without performing any length check, which means that the stack-based buffer could be overflowed. This vulnerability could allow an attacker to easily execute a denial-of-service attack or remote code execution with carefully crafted overflow data by accessing the page. To secure the system, input parameters should be strictly checked and filtered for length to prevent such vulnerabilities from occurring.

4.Recurring vulnerabilities and POC

Due to legal and policy restrictions, we cannot provide the attack exploit code for this vulnerability at the moment.

5.Author

田文奇

CVE-2023-2923: vul/1.md at main · GleamingEyes/vul

BLF file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file

Skip to content

Open Issue created May 18, 2023 by **Huascar Tejeda@htejeda**

**Heap Buffer Overflow blf\_read\_apptextmessage Function**

**Description**

A heap buffer overflow vulnerability has been discovered in Wireshark's g_strndup function, which could potentially lead to remote code execution.

Tested on: Ubuntu 22.04.2 LTS

**Details**

The vulnerability lies within the blf_read_apptextmessage function (found in the blf.c file), which is used by the Wireshark BLF (Binary Logging Format) plugin. The Address Sanitizer (ASAN) and GDB backtrace revealed a heap-buffer-overflow when the g_strsplit_set function is called. This function splits the string on the specified delimiters and creates an array of tokens.

In the provided backtrace, g_strsplit_set is called with text and ";" as the input parameters. If this string is carefully crafted, it could lead to arbitrary code execution when the process attempts to read or write to a memory area it doesn't own, which is typical behavior for a heap-buffer-overflow vulnerability.

**Steps to reproduce:**

Open the trigger file using a Wireshark binary compiled with the **\-DENABLE\_ASAN** option:

    $ tshark -r trigger
    =================================================================
    ==147490==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000311440 at pc 0x7ffff745be47 bp 0x7fffffffc730 sp 0x7fffffffbed8
    READ of size 17 at 0x602000311440 thread T0
        #0 0x7ffff745be46 in __interceptor_strncpy ../../../../src/libsanitizer/asan/asan_interceptors.cpp:484
        #1 0x7fffdfd3982b in g_strndup (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x7382b)
        #2 0x7fffdfd3daba in g_strsplit_set (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x77aba)
        #3 0x7fffdfa5933f in blf_read_apptextmessage /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/wiretap/blf.c:1646
        #4 0x7fffdfa5933f in blf_read_block /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/wiretap/blf.c:1820
        #5 0x7fffdfa5a79f in blf_read /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/wiretap/blf.c:1846
        #6 0x7fffdfb34583 in wtap_read /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/wiretap/wtap.c:1555
        #7 0x55555558eb8f in process_cap_file_single_pass /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/tshark.c:3534
        #8 0x55555558eb8f in process_cap_file /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/tshark.c:3746
        #9 0x55555558eb8f in main /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/tshark.c:2260
        #10 0x7fffdf629d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #11 0x7fffdf629e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #12 0x555555591754 in _start (/home/htejeda/fuzzing/wireshark/wireshark-4.0.5/build-asan/run/tshark+0x3d754)
    
    0x602000311440 is located 0 bytes to the right of 16-byte region [0x602000311430,0x602000311440)
    allocated by thread T0 here:
        #0 0x7ffff74b4a37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
        #1 0x7fffdfa592c2 in blf_read_apptextmessage /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/wiretap/blf.c:1637
        #2 0x7fffdfa592c2 in blf_read_block /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/wiretap/blf.c:1820
        #3 0x7fffffffdd2f  ([stack]+0x1fd2f)
    ...
    ...

I'd also like to request a CVE ID for this vulnerability.

Please let me know if you need any additional information.

Regards,  
Huáscar

trigger ASAN.txt GDB\_Backtrace.txt

CVE-2023-2854: Heap Buffer Overflow blf_read_apptextmessage Function (#19084) · Issues · Wireshark Foundation / wireshark · GitLab

Skip to content

Open Issue created May 12, 2023 by **Huascar Tejeda@htejeda**

**Heap buffer overflow vulnerability in BLF reader**

**Description:**

A heap-buffer overflow vulnerability has been discovered in Wireshark's Binary Logging Format (BLF) file processing. The vulnerability occurs in the blf_pull_logcontainer_into_memory() function in the wiretap/blf.c file. The vulnerability could be exploited by providing a maliciously crafted BLF file, which could lead to arbitrary code execution.

Tested on: Ubuntu 22.04.2 LTS

**Details:**

The overflow is triggered by a call to memcpy (displayed as \_\_asan\_memcpy in the ASAN output), copying 28 bytes into a memory region that is only 15 bytes large. This region was allocated in blf_pull_logcontainer_into_memory using calloc at wiretap/blf.c:499.

After the overflow, the program execution continues until it attempts to allocate memory with malloc in wmem_strdup_printf (as part of error handling), causing a crash with the message malloc(): corrupted top size.

**Steps to reproduce:**

    $ xxd -g1 trigger
    00000000: 4c 4f 47 47 30 00 00 00 30 30 30 30 30 30 30 30  LOGG0...00000000
    00000010: 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30  0000000000000000
    00000020: 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30  0000000000000000
    00000030: 4c 4f 42 4a 10 00 01 00 0f 00 00 00 0a 00 00 00  LOBJ............
    00000040: 02 00 30 30 30 30 30 30 30 30 30 30 30 30 30 30  ..00000000000000
    00000050: 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30  0000000000000000
    00000060: 30 30 30 30 30 30 30 30 30 30 30 30              000000000000
    
    $ tshark -r trigger
    malloc(): corrupted top size
    Aborted

For a more detailed understanding of this vulnerability, I've attached the following files:

*   **Trigger File**: This is the crafted BLF file that provokes the heap buffer overflow when processed by Wireshark.
*   **ASAN Output**: AddressSanitizer's (ASAN) report provides additional insight into the memory corruption.
*   **GDB Backtrace of Tshark**: This backtrace reveals the call sequence leading up to the crash in Wireshark's Tshark utility.
*   **GDB Backtrace of the Fuzzer**

I'd also like to request a CVE ID for this vulnerability.

Please let me know if you need any additional information or assistance in addressing this vulnerability.

Regards,

Huáscar

trigger ASAN.txt GDB\_Backtrace\_tshark.txt GDB\_Backtrace\_fuzzer.txt

CVE-2023-2857: Heap buffer overflow vulnerability in BLF reader (#19063) · Issues · Wireshark Foundation / wireshark · GitLab

A vulnerability, TALOS-2023-1727 (CVE-2023-1424), exists in the device’s MELSOFT Direct functionality that is triggered if an adversary sends the targeted device a specially crafted network packet.

Friday, May 26, 2023 15:05

Cisco Talos recently discovered a memory corruption vulnerability in the Mitsubishi MELSEC iQ-F FX5U programmable logic controller that is caused by a buffer overflow condition.

The iQ-F FX5U is one offering in Mitsubishi’s MELSEC PLC line of hardware that comes with a built-in processor, power supply, Ethernet and 16 I/O points. Users can configure this PLC to host multiple network services, such as an HTTP Server, FTP Server, FTP Client, MODBUS/TCP interface and other Mitsubishi-specific protocols.

A vulnerability, TALOS-2023-1727 (CVE-2023-1424), exists in the device’s MELSOFT Direct functionality that is triggered if an adversary sends the targeted device a specially crafted network packet.

This buffer overflow condition could lead to a denial-of-service condition within the RTOS task responsible for parsing the MELSOFT Direct protocol, and potentially give the adversary the ability to execute remote code on the targeted device.

Cisco Talos worked with Mitsubishi to ensure this vulnerability is resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Mitsubishi Electric Corp. MELSEC iQ-F FX5U, versions 1.240 and 1.260. Talos tested and confirmed these versions of the controller could be exploited by this vulnerability, however, Mitsubishi also stated in its advisory that versions 1.220 and later are affected.

The following Snort rules will detect exploitation attempts against these vulnerabilities: 61432 and 61433. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Memory corruption vulnerability in Mitsubishi PLC could lead to DoS, code execution

By Deeba Ahmed
A variant of the Mirai botnet is targeting Zyxel Firewalls after exploiting a newly patched operating system command injection vulnerability.
This is a post from HackRead.com Read the original post: Mirai Malware Hits Zyxel Devices After Command Injection Bug

Zyxel informed its customers about the security flaw on 25 April 2023 and announced patches for impacted firewalls, which included USG Flex, ATP, ZyWALL/USG, and VPN.

A variant of the Mirai botnet has successfully hacked various Zyxel Firewalls after exploiting a newly patched operating system command injection vulnerability (CVE-2023-28771). The bug has affected many Zyxel network devices, and now that the Mirai botnet is controlling it, the problem can worsen as it can lead to launching DDoS attacks.

According to Palo Alto Networks’ Unit 42 researchers, who analyzed the downloaded samples, the Mirai botnet sample hacking Zyxel firewalls is called IZ1H9, which was discovered in August 2018. Researchers dubbed it the most active of all Mirai variants.

The botnet client first inspects the network portion of the compromised device’s IP address and avoids execution for a specific list of IP blocks. This includes government networks, tech firms, and internet providers.

The malware prints “Darknet” onto the console to make its presence felt. It also can ensure the device runs just one instance of the malware. If a botnet process is found on the device, the Mirai botnet client will terminate its current process and start a new process from its list of processes belonging to other variants of the Mirai botnet and other families.

Any product running vulnerable firmware can be exploited even if the user configures the VPN or is in a default state. Mirai operators now own various Zyxel SMB VPN Boxes.

**How Was the Bug Discovered?**

The vulnerability impacting Zyxel devices was discovered by Trapa Security. It occurred due to inappropriate message handling features in some firewalls that could allow an unauthorized actor to remotely execute OS commands by transmitting specially designed packets to the device. The Internet Key Exchange – IKE is the vulnerable component, explained a report from Rapid7.

Zyxel informed its customers about the security flaw on 25 April 2023 and announced patches for impacted firewalls, which included USG Flex, ATP, ZyWALL/USG, and VPN.

**Users Must Immediately Patch Devices**

CVE-2023-28771 was patched in April 2023. However, many users have yet to apply the fix, leading to this mass exploitation of vulnerable devices. Researcher Kevin Beaumont informed about the mass exploitation of this vulnerability by the Mirai botnet variant on Thursday, impacting several SMB appliances.

Security experts have urged Zyxel network services users to patch the flaw immediately. A few days back, Rapid7 had warned about the possibility of the bug being exploited in the wild. They do not claim that 42,000 instances of internet-exposed web interfaces of Zyxel devices have surfaced. But Rapid7 researchers believe the number of compromised devices may be much higher. The Mirai malware targeting Zyxel firewalls is distributed as a Unix and Linux executable in linkable format (.elf).

Zyxel is a Taiwanese networking device manufacturer. The company recently fixed two more flaws impacting its firewalls- CVE-2023-33009 and CVE-2023-33010. Both buffer overflow flaws can let an adversary launch a DoS attack or execute arbitrary code on the device.

**RELATED ARTICLES**

1.  Mirai botnet exploiting Azure OMIGOD vulnerabilities
2.  Mirai botnet resurfaces with MooBot, hits D-Link devices
3.  Attacker builds malware variant with leaked Mirai source code

Mirai Malware Hits Zyxel Devices After Command Injection Bug

Categories: Exploits and vulnerabilities
Categories: News
Zyxel has released a security advisory about two critical vulnerabilities that could allow an unauthorized, remote attacker to take control of its firewall devices.



(Read more...)




The post Zyxel patches two critical vulnerabilities appeared first on Malwarebytes Labs.

Zyxell has released a security advisory for multiple buffer overflow vulnerabilities. Exploitation of these vulnerabilities could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on the affected Zyxell firewalls.

Affected users should patch as a matter of urgency, and we urge you not to expose the management interfaces of network edge devices to the Internet, in order to reduce their attack surface.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in these updates are:

CVE-2023-33009: A buffer overflow vulnerability in the notification function in Zyxel ATP series firmware versions 4.32 through 5.36 Patch 1, USG FLEX series firmware versions 4.50 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.25 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.25 through 5.36 Patch 1, VPN series firmware versions 4.30 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.25 through 4.73 Patch 1.

CVE-2023-33010: Another buffer overflow vulnerability in the ID processing function in the same Zyxel firmware versions.

A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region.

Both vulnerabilities received a CVSS score of 9.8 out of 10. In case that isn't enough reason for you to act urgently, it is worth remembering that it only took four days for the first active exploitation to take place after Zyxel patched CVE-2022-30525 last year.

The security advisory lists the vulnerable firewall series that are within their vulnerability support period:

*   ATP versions ZLD V4.32 to V5.36 Patch 1 are covered by ZLD V5.36 Patch 2.
*   USG FLEX versions ZLD V4.50 to V5.36 Patch 1 are covered by ZLD V5.36 Patch 2.
*   USG FLEX50(W) / USG20(W)-VPN versions ZLD V4.25 to V5.36 Patch 1 are covered by ZLD V5.36 Patch 2.
*   VPN versions ZLD V4.30 to V5.36 Patch 1 are covered by ZLD V5.36 Patch 2.
*   ZyWALL/USG versions ZLD V4.25 to V4.73 Patch 1 are covered by  ZLD V4.73 Patch 2.

**How to install updates**

Login to your ZLD appliance and go to **Configuration → Licensing → Registration → Service** and click the **Service License Refresh** button.  This must be done before you can access your myZyxel account to download new firmware patches. This will sync necessary info with the myZyxel server (info like running firmware version, MAC Address, S/N, etc.).

Open an internet browser and go to URL: https://portal.myzyxel.com/ and login to your account.

Once in your account dashboard, find the ZLD router you wish to download firmware for and click on the Download button under the "Firmware Update" column.

Once downloaded, there may be up to four ways you can update the firmware, you can update the firmware manually via the Web GUI, you can FTP into the router and upload the firmware, you can utilize the Automatic Cloud Firmware update feature introduced on firmware version 4.25, or upgrade via USB flash drive.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Tag

#buffer_overflow