Zyxel has launched safety updates to handle a vital vulnerability impacting a number of fashions of its enterprise routers, doubtlessly permitting unauthenticated attackers to carry out OS command injection.
The flaw, tracked as CVE-2024-7261 and assigned a CVSS v3 rating of 9.8 (“vital”), is an enter validation fault brought on by improper dealing with of user-supplied knowledge, permitting distant attackers to execute arbitrary instructions on the host working system.
“The improper neutralization of particular components within the parameter “host” within the CGI program of some AP and safety router variations may permit an unauthenticated attacker to execute OS instructions by sending a crafted cookie to a weak system,” – warns Zyxel.
The Zyxel entry factors (APs) impacted by CVE-2024-7261 are the next:
- NWA Collection: NWA50AX, NWA50AX PRO, NWA55AXE, NWA90AX, NWA90AX PRO, NWA110AX, NWA130BE, NWA210AX, NWA220AX-6E | all variations as much as 7.00 are weak, improve to 7.00(ABYW.2) and later
- NWA1123-AC PRO | all variations as much as 6.28 are weak, improve to six.28(ABHD.3) and later
- NWA1123ACv3, WAC500, WAC500H | all variations as much as 6.70 are weak, improve to six.70(ABVT.5) and later
- WAC Collection: WAC6103D-I, WAC6502D-S, WAC6503D-S, WAC6552D-S, WAC6553D-E | all variations as much as 6.28 are weak, improve to six.28(AAXH.3) and later
- WAX Collection: WAX300H, WAX510D, WAX610D, WAX620D-6E, WAX630S, WAX640S-6E, WAX650S, WAX655E | all variations as much as 7.00 are weak, improve to 7.00(ACHF.2) and later
- WBE Collection: WBE530, WBE660S | all variations as much as 7.00 are weak, improve to 7.00(ACLE.2) and later
Zyxel says that safety router USG LITE 60AX operating V2.00(ACIP.2) can be impacted, however this mannequin is mechanically up to date by cloud to V2.00(ACIP.3), which implements the patch for CVE-2024-7261.
Extra Zyxel fixes
Zyxel has additionally issued safety updates for a number of high-severity flaws in APT and USG FLEX firewalls. A abstract may be discovered beneath:
- CVE-2024-6343: Buffer overflow within the CGI program may result in DoS by an authenticated admin sending a crafted HTTP request.
- CVE-2024-7203: Publish-authentication command injection permits an authenticated admin to execute OS instructions through a crafted CLI command.
- CVE-2024-42057: Command injection in IPSec VPN permits an unauthenticated attacker to execute OS instructions with a crafted lengthy username in Person-Based mostly-PSK mode.
- CVE-2024-42058: Null pointer dereference may trigger DoS through crafted packets despatched by an unauthenticated attacker.
- CVE-2024-42059: Publish-authentication command injection permits an authenticated admin to execute OS instructions by importing a crafted compressed language file through FTP.
- CVE-2024-42060: Publish-authentication command injection permits an authenticated admin to execute OS instructions by importing a crafted inner consumer settlement file.
- CVE-2024-42061: Mirrored XSS in “dynamic_script.cgi” may permit an attacker to trick a consumer into visiting a crafted URL, doubtlessly leaking browser-based info.
Probably the most fascinating of the above is CVE-2024-42057 (CVSS v3: 8.1, “excessive”), which is a command injection vulnerability within the IPSec VPN function that may be remotely exploited with out authentication.
Its severity is lessened by the particular configuration necessities required for exploitation, together with configuring the system in Person-Based mostly-PSK authentication mode and having a consumer with a username that’s over 28 characters lengthy.
For extra particulars on the impacted firewalls, take a look at Zyxel’s advisory right here.