DIVD-2023-00022 - OS command injection vulnerability of Zyxel firewalls
Our reference | DIVD-2023-00022 |
Case lead | Ralph Horn |
Author | Stan Plasmeijer |
Researcher(s) | |
CVE(s) | |
Product | Zyxel ZyWALL/USG, Zyxel VPN, Zyxel USG FLEX and Zyxel ATP |
Versions |
|
Recommendation | If you have a vulnerable Zyxel product, update to the latest version. |
Status | Closed |
Last modified | 25 Apr 2024 18:52 CEST |
Summary
Improper error message handling in some firewall versions could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.
What you can do
If the product is still under support, update to the latest version. For ZyWALL/USG this is version ZLD V4.73 Patch 1, and for all other products it is version ZLD V5.36.
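An added example, not part of the DIVD advisory: a small inventory check that compares reported firmware versions with the update targets named above. The host names, the inventory layout and the version-string shapes the parser accepts are assumptions; anything it cannot read is flagged for manual review instead of being treated as patched.

```python
import re

# Update targets named in the advisory, as (major, minor, patch).
FIXED = {"ZyWALL/USG": (4, 73, 1)}  # ZLD V4.73 Patch 1
FIXED.update(dict.fromkeys(("VPN", "USG FLEX", "ATP"), (5, 36, 0)))  # ZLD V5.36

VERSION_RE = re.compile(r"V?(\d+)\.(\d+)(?:\s+Patch\s+(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Turn 'ZLD V4.73 Patch 1' or 'V5.36' into (4, 73, 1) / (5, 36, 0)."""
    m = VERSION_RE.search(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def check(family, version_text):
    """Return 'ok', 'update' or 'review' for one inventory record."""
    family = family.strip().removeprefix("Zyxel ").strip()
    fixed = FIXED.get(family)
    if fixed is None:
        return "review"  # product family not in the advisory's list
    try:
        installed = parse_version(version_text)
    except ValueError:
        return "review"  # never treat an unreadable version as patched
    return "ok" if installed >= fixed else "update"


# Constructed inventory: (host, product family, reported firmware version).
INVENTORY = [
    ("fw-ams-01", "Zyxel ATP", "ZLD V5.35"),
    ("fw-ams-02", "Zyxel USG FLEX", "ZLD V5.36"),
    ("fw-rtm-01", "ZyWALL/USG", "ZLD V4.73"),
    ("fw-rtm-02", "ZyWALL/USG", "ZLD V4.73 Patch 1"),
    ("fw-utr-01", "Zyxel VPN", "5.36 Patch 2"),
    ("fw-utr-02", "Zyxel VPN", "unknown"),
]


def report(inventory=INVENTORY):
    """Map each host to its status."""
    return {host: check(family, ver) for host, family, ver in inventory}


if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
```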
What we are doing
DIVD is currently working to identify vulnerable parties and notify them. We do this by finding Zyxel instances and checking their version and product name. The notification will be sent to the party responsible for the IP address according to the whois database.
Timeline
Date | Description |
---|---|
28 Apr 2023 | DIVD starts researching fingerprint. |
29 Apr 2023 | Fingerprint found. |
03 May 2023 | DIVD starts researching a way to identify Zyxel devices. |
10 May 2023 | DIVD starts scanning the internet for vulnerable instances. |
30 May 2023 | DIVD starts notifying customers with a vulnerable instance. |
20 Dec 2023 | Case closed. |