Zyxel discloses vulnerabilities affecting firewall and VPN devices

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Zyxel has disclosed details pertaining to the active exploitation and severity levels of vulnerabilities related to their firewall and VPN devices. The security flaws are as follows:

CVE-2023-28771 (CVSS v3 Severity Score – 9.8): Improper error message handling vulnerability in Zyxel ZyWALL/USG series firmware

CVE-2023-33009 (CNA: Zyxel Corporation Score – 9.8): A buffer overflow vulnerability in the notification function in Zyxel ATP series firmware

CVE-2023-33010 (CNA: Zyxel Corporation Score – 9.8): A buffer overflow vulnerability in the ID processing function in Zyxel ATP series firmware

Impact

– Successful exploitation of CVE-2023-28771 could allow an unauthenticated threat actor to execute OS commands remotely by sending crafted packets to an affected device.

– Successful exploitation of CVE-2023-33009 or CVE-2023-33010 could allow an unauthenticated threat actor to cause denial-of-service (DoS) conditions and achieve remote code execution on an affected device.

Affected Products

CVE-2023-28771:

– Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73

– VPN series firmware versions 4.60 through 5.35

– USG FLEX series firmware versions 4.60 through 5.35

– ATP series firmware versions 4.60 through 5.35

CVE-2023-33009 and CVE-2023-33010:

– Zyxel ATP series firmware versions 4.32 through 5.36 Patch 1

– USG FLEX series firmware versions 4.50 through 5.36 Patch 1

– USG FLEX 50(W) firmware versions 4.25 through 5.36 Patch 1

– USG20(W)-VPN firmware versions 4.25 through 5.36 Patch 1

– VPN series firmware versions 4.30 through 5.36 Patch 1

– ZyWALL/USG series firmware versions 4.25 through 4.73 Patch 1

Containment, Mitigations & Remediations

It is strongly recommended that users apply the relevant security updates for the affected products as soon as possible. These are as follows:

– ZLD V5.36 Patch 2 for ATP, USG FLEX and VPN series (ZLD firmware)

– ZLD V4.73 Patch 2 for ZyWALL.
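
The affected ranges above and the fixed builds just listed are easy to misread when a version carries a "Patch N" suffix (for example, "5.36 Patch 1" is affected by CVE-2023-33009/33010 but "5.36 Patch 2" is not). The following script is an added example, not Zyxel's code or part of the advisory: it encodes the ranges exactly as the bulletin states them, keyed by the bulletin's own product grouping, and reports which CVEs a given firmware version is exposed to and which build fixes it. The product keys, function names and the inventory sample are this example's own, and reading a bare "4.73" as "4.73 Patch 0" is an assumption about the bulletin's "through" wording.

```python
"""Firmware-version triage for the Zyxel CVEs in this bulletin.

Added example, not Zyxel's code or part of the advisory: the affected and
fixed version ranges are copied from the bulletin text; the product keys,
function names and the inventory sample are this example's own.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]  # (major, minor, patch)

# Affected ranges per CVE, keyed by the bulletin's own product grouping.
# Each range is (first_affected, last_affected), inclusive. A bare "4.73" is
# read as "4.73 Patch 0", so "4.73 Patch 1" falls outside a range that ends
# at "4.73"; that reading of "through" is this example's assumption.
_RANGES_33009_33010 = {
    "ATP": ("4.32", "5.36 Patch 1"),
    "USG FLEX": ("4.50", "5.36 Patch 1"),
    "USG FLEX 50(W)": ("4.25", "5.36 Patch 1"),
    "USG20(W)-VPN": ("4.25", "5.36 Patch 1"),
    "VPN": ("4.30", "5.36 Patch 1"),
    "ZyWALL/USG": ("4.25", "4.73 Patch 1"),
}
AFFECTED: Dict[str, Dict[str, Tuple[str, str]]] = {
    "CVE-2023-28771": {
        "ZyWALL/USG": ("4.60", "4.73"),
        "VPN": ("4.60", "5.35"),
        "USG FLEX": ("4.60", "5.35"),
        "ATP": ("4.60", "5.35"),
    },
    "CVE-2023-33009": _RANGES_33009_33010,
    "CVE-2023-33010": _RANGES_33009_33010,
}

# Fixed builds named in the bulletin's remediation section; series the
# bulletin does not name explicitly are left out rather than guessed.
FIXED: Dict[str, str] = {
    "ATP": "5.36 Patch 2",
    "USG FLEX": "5.36 Patch 2",
    "VPN": "5.36 Patch 2",
    "ZyWALL/USG": "4.73 Patch 2",
}

_VERSION_RE = re.compile(
    r"^\s*(?:ZLD\s*)?V?(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text: str) -> Version:
    """Parse 'ZLD V5.36 Patch 2', 'V4.73' or '4.73 Patch 1' into a tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def exposed_cves(series: str, version: str) -> List[str]:
    """Return the bulletin CVEs whose affected range contains this version."""
    known = {s for ranges in AFFECTED.values() for s in ranges}
    if series not in known:
        # Fail loudly: a typo in the inventory must not read as "not affected".
        raise ValueError(f"unknown product series: {series!r}")
    v = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        if series in ranges:
            low, high = ranges[series]
            if parse_version(low) <= v <= parse_version(high):
                hits.append(cve)
    return sorted(hits)


def fixed_version(series: str) -> Optional[str]:
    """Fixed ZLD build for the series, or None if the bulletin names none."""
    return FIXED.get(series)


def triage(series: str, version: str) -> Dict[str, object]:
    """Summarise exposure and the target build for one device."""
    cves = exposed_cves(series, version)
    return {
        "series": series,
        "version": version,
        "cves": cves,
        "fixed_version": fixed_version(series),
        "needs_update": bool(cves),
    }


if __name__ == "__main__":
    # Constructed inventory sample; hostnames and versions are made up.
    inventory = [
        ("fw-branch-01", "USG FLEX", "ZLD V5.35"),
        ("fw-branch-02", "USG FLEX", "ZLD V5.36 Patch 1"),
        ("fw-hq-01", "ATP", "ZLD V5.36 Patch 2"),
        ("fw-legacy-01", "ZyWALL/USG", "V4.73 Patch 1"),
    ]
    for host, series, version in inventory:
        t = triage(series, version)
        state = f"UPDATE to {t['fixed_version']}" if t["needs_update"] else "ok"
        print(f"{host:14} {series:12} {version:20} {', '.join(t['cves']) or '-':45} {state}")
```

Feed it your own inventory export and treat any row flagged "UPDATE" as exposed; the unknown-series check is deliberate, so a mistyped product name raises rather than silently reporting a device as clean.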

If, for whatever reason, it is not possible to apply these updates immediately, Zyxel has listed the following temporary mitigation solutions:

– Disable HTTP/HTTPS services from the Wide Area Network (WAN), unless this is absolutely essential to manage devices

If devices do need to be managed from the WAN:

– Enable ‘Policy Control’ and add rules allowing only trusted IP addresses to access the devices.

– Enable GeoIP filtering to limit access to users/systems based on trusted locations.

– If the IPSec VPN function is not required, disable UDP Port 500 and Port 4500

Indicators of Compromise

The Zyxel advisory states that there are signs of active exploitation within target devices. These include:

– Unresponsive devices

– Network interruptions

– Inability to access the Web GUI of a device or the SSH management interface

– Disconnection of VPN connections

Threat Landscape

Zyxel occupies a significant proportion of the telephony technology market share. Given that threat actors generally weigh the probability of success against asset value when choosing which attack surfaces to focus on, Zyxel products could emerge as a prime target. Because Zyxel products have become integral to business operations, threat actors will continue to exploit vulnerabilities in the associated devices in an attempt to extract the sensitive information they hold.

CVE-2023-28771 has been observed being actively exploited by variants of botnet malware. As such, exploitation attempts are likely to increase in frequency, which makes following the recommended patching and mitigation strategies vital.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

Common Weakness Enumeration (CWE):

CWE-78 – Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

CWE-120 – Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

Further Information

Zyxel Security Advisory

 
