Zyxel has launched safety updates to handle a crucial vulnerability impacting a number of fashions of its enterprise routers, doubtlessly permitting unauthenticated attackers to carry out OS command injection.
The flaw, tracked as CVE-2024-7261 and assigned a CVSS v3 rating of 9.8 (“crucial”), is an enter validation fault brought on by improper dealing with of user-supplied knowledge, permitting distant attackers to execute arbitrary instructions on the host working system.
“The improper neutralization of particular parts within the parameter “host” within the CGI program of some AP and safety router variations might enable an unauthenticated attacker to execute OS instructions by sending a crafted cookie to a susceptible system,” – warns Zyxel.
The Zyxel entry factors (APs) impacted by CVE-2024-7261 are the next:
- NWA Collection: NWA50AX, NWA50AX PRO, NWA55AXE, NWA90AX, NWA90AX PRO, NWA110AX, NWA130BE, NWA210AX, NWA220AX-6E | all variations as much as 7.00 are susceptible, improve to 7.00(ABYW.2) and later
- NWA1123-AC PRO | all variations as much as 6.28 are susceptible, improve to six.28(ABHD.3) and later
- NWA1123ACv3, WAC500, WAC500H | all variations as much as 6.70 are susceptible, improve to six.70(ABVT.5) and later
- WAC Collection: WAC6103D-I, WAC6502D-S, WAC6503D-S, WAC6552D-S, WAC6553D-E | all variations as much as 6.28 are susceptible, improve to six.28(AAXH.3) and later
- WAX Collection: WAX300H, WAX510D, WAX610D, WAX620D-6E, WAX630S, WAX640S-6E, WAX650S, WAX655E | all variations as much as 7.00 are susceptible, improve to 7.00(ACHF.2) and later
- WBE Collection: WBE530, WBE660S | all variations as much as 7.00 are susceptible, improve to 7.00(ACLE.2) and later
Zyxel says that safety router USG LITE 60AX working V2.00(ACIP.2) can be impacted, however this mannequin is robotically up to date by cloud to V2.00(ACIP.3), which implements the patch for CVE-2024-7261.
Extra Zyxel fixes
Zyxel has additionally issued safety updates for a number of high-severity flaws in APT and USG FLEX firewalls. A abstract may be discovered under:
- CVE-2024-6343: Buffer overflow within the CGI program might result in DoS by an authenticated admin sending a crafted HTTP request.
- CVE-2024-7203: Put up-authentication command injection permits an authenticated admin to execute OS instructions through a crafted CLI command.
- CVE-2024-42057: Command injection in IPSec VPN permits an unauthenticated attacker to execute OS instructions with a crafted lengthy username in Consumer-Based mostly-PSK mode.
- CVE-2024-42058: Null pointer dereference might trigger DoS through crafted packets despatched by an unauthenticated attacker.
- CVE-2024-42059: Put up-authentication command injection permits an authenticated admin to execute OS instructions by importing a crafted compressed language file through FTP.
- CVE-2024-42060: Put up-authentication command injection permits an authenticated admin to execute OS instructions by importing a crafted inner consumer settlement file.
- CVE-2024-42061: Mirrored XSS in “dynamic_script.cgi” might enable an attacker to trick a consumer into visiting a crafted URL, doubtlessly leaking browser-based data.
Essentially the most attention-grabbing of the above is CVE-2024-42057 (CVSS v3: 8.1, “excessive”), which is a command injection vulnerability within the IPSec VPN characteristic that may be remotely exploited with out authentication.
Its severity is lessened by the particular configuration necessities required for exploitation, together with configuring the system in Consumer-Based mostly-PSK authentication mode and having a consumer with a username that’s over 28 characters lengthy.
For extra particulars on the impacted firewalls, take a look at Zyxel’s advisory right here.