Zyxel has launched security updates to handle a important vulnerability impacting a number of fashions of its enterprise routers, doubtlessly permitting unauthenticated attackers to carry out OS command injection.
The flaw, tracked as CVE-2024-7261 and assigned a CVSS v3 rating of 9.8 (“important”), is an enter validation fault attributable to improper dealing with of user-supplied information, permitting distant attackers to execute arbitrary instructions on the host working system.
“The improper neutralization of particular parts within the parameter “host” within the CGI program of some AP and security router variations might enable an unauthenticated attacker to execute OS instructions by sending a crafted cookie to a susceptible gadget,” – warns Zyxel.
The Zyxel entry factors (APs) impacted by CVE-2024-7261 are the next:
- NWA Collection: NWA50AX, NWA50AX PRO, NWA55AXE, NWA90AX, NWA90AX PRO, NWA110AX, NWA130BE, NWA210AX, NWA220AX-6E | all variations as much as 7.00 are susceptible, improve to 7.00(ABYW.2) and later
- NWA1123-AC PRO | all variations as much as 6.28 are susceptible, improve to six.28(ABHD.3) and later
- NWA1123ACv3, WAC500, WAC500H | all variations as much as 6.70 are susceptible, improve to six.70(ABVT.5) and later
- WAC Collection: WAC6103D-I, WAC6502D-S, WAC6503D-S, WAC6552D-S, WAC6553D-E | all variations as much as 6.28 are susceptible, improve to six.28(AAXH.3) and later
- WAX Collection: WAX300H, WAX510D, WAX610D, WAX620D-6E, WAX630S, WAX640S-6E, WAX650S, WAX655E | all variations as much as 7.00 are susceptible, improve to 7.00(ACHF.2) and later
- WBE Collection: WBE530, WBE660S | all variations as much as 7.00 are susceptible, improve to 7.00(ACLE.2) and later
Zyxel says that security router USG LITE 60AX working V2.00(ACIP.2) can be impacted, however this mannequin is mechanically up to date by cloud to V2.00(ACIP.3), which implements the patch for CVE-2024-7261.
Extra Zyxel fixes
Zyxel has additionally issued security updates for a number of high-severity flaws in APT and USG FLEX firewalls. A abstract may be discovered beneath:
- CVE-2024-6343: Buffer overflow within the CGI program might result in DoS by an authenticated admin sending a crafted HTTP request.
- CVE-2024-7203: Put up-authentication command injection permits an authenticated admin to execute OS instructions through a crafted CLI command.
- CVE-2024-42057: Command injection in IPSec VPN permits an unauthenticated attacker to execute OS instructions with a crafted lengthy username in Consumer-Primarily based-PSK mode.
- CVE-2024-42058: Null pointer dereference might trigger DoS through crafted packets despatched by an unauthenticated attacker.
- CVE-2024-42059: Put up-authentication command injection permits an authenticated admin to execute OS instructions by importing a crafted compressed language file through FTP.
- CVE-2024-42060: Put up-authentication command injection permits an authenticated admin to execute OS instructions by importing a crafted inside consumer settlement file.
- CVE-2024-42061: Mirrored XSS in “dynamic_script.cgi” might enable an attacker to trick a consumer into visiting a crafted URL, doubtlessly leaking browser-based data.
Essentially the most fascinating of the above is CVE-2024-42057 (CVSS v3: 8.1, “excessive”), which is a command injection vulnerability within the IPSec VPN function that may be remotely exploited with out authentication.
Its severity is lessened by the particular configuration necessities required for exploitation, together with configuring the gadget in Consumer-Primarily based-PSK authentication mode and having a consumer with a username that’s over 28 characters lengthy.
For extra particulars on the impacted firewalls, take a look at Zyxel’s advisory right here.
