Zyxel has launched safety updates to deal with a vital vulnerability impacting a number of fashions of its enterprise routers, probably permitting unauthenticated attackers to carry out OS command injection.
The flaw, tracked as CVE-2024-7261 and assigned a CVSS v3 rating of 9.8 (“vital”), is an enter validation fault attributable to improper dealing with of user-supplied knowledge, permitting distant attackers to execute arbitrary instructions on the host working system.
“The improper neutralization of particular components within the parameter “host” within the CGI program of some AP and safety router variations might permit an unauthenticated attacker to execute OS instructions by sending a crafted cookie to a weak system,” – warns Zyxel.
The Zyxel entry factors (APs) impacted by CVE-2024-7261 are the next:
- NWA Sequence: NWA50AX, NWA50AX PRO, NWA55AXE, NWA90AX, NWA90AX PRO, NWA110AX, NWA130BE, NWA210AX, NWA220AX-6E | all variations as much as 7.00 are weak, improve to 7.00(ABYW.2) and later
- NWA1123-AC PRO | all variations as much as 6.28 are weak, improve to six.28(ABHD.3) and later
- NWA1123ACv3, WAC500, WAC500H | all variations as much as 6.70 are weak, improve to six.70(ABVT.5) and later
- WAC Sequence: WAC6103D-I, WAC6502D-S, WAC6503D-S, WAC6552D-S, WAC6553D-E | all variations as much as 6.28 are weak, improve to six.28(AAXH.3) and later
- WAX Sequence: WAX300H, WAX510D, WAX610D, WAX620D-6E, WAX630S, WAX640S-6E, WAX650S, WAX655E | all variations as much as 7.00 are weak, improve to 7.00(ACHF.2) and later
- WBE Sequence: WBE530, WBE660S | all variations as much as 7.00 are weak, improve to 7.00(ACLE.2) and later
Zyxel says that safety router USG LITE 60AX working V2.00(ACIP.2) can also be impacted, however this mannequin is robotically up to date by cloud to V2.00(ACIP.3), which implements the patch for CVE-2024-7261.
Extra Zyxel fixes
Zyxel has additionally issued safety updates for a number of high-severity flaws in APT and USG FLEX firewalls. A abstract may be discovered under:
- CVE-2024-6343: Buffer overflow within the CGI program might result in DoS by an authenticated admin sending a crafted HTTP request.
- CVE-2024-7203: Submit-authentication command injection permits an authenticated admin to execute OS instructions through a crafted CLI command.
- CVE-2024-42057: Command injection in IPSec VPN permits an unauthenticated attacker to execute OS instructions with a crafted lengthy username in Person-Primarily based-PSK mode.
- CVE-2024-42058: Null pointer dereference might trigger DoS through crafted packets despatched by an unauthenticated attacker.
- CVE-2024-42059: Submit-authentication command injection permits an authenticated admin to execute OS instructions by importing a crafted compressed language file through FTP.
- CVE-2024-42060: Submit-authentication command injection permits an authenticated admin to execute OS instructions by importing a crafted inside consumer settlement file.
- CVE-2024-42061: Mirrored XSS in “dynamic_script.cgi” might permit an attacker to trick a consumer into visiting a crafted URL, probably leaking browser-based info.
Probably the most fascinating of the above is CVE-2024-42057 (CVSS v3: 8.1, “excessive”), which is a command injection vulnerability within the IPSec VPN characteristic that may be remotely exploited with out authentication.
Its severity is lessened by the particular configuration necessities required for exploitation, together with configuring the system in Person-Primarily based-PSK authentication mode and having a consumer with a username that’s over 28 characters lengthy.
For extra particulars on the impacted firewalls, try Zyxel’s advisory right here.