Warning: Multiple Critical, High, and Medium Vulnerabilities In Zyxel Edge Devices Could Be Exploited To Execute OS Commands And Cause Denial Of Service. Patch Immediately!
CVE-2024-7261: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-6343: 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVE-2024-7203: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-42057: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-42058: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVE-2024-42059: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-42060: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-42061: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVE-2024-5412: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Sources
Risks
On 3 September 2024, Zyxel released 3 security advisories addressing 9 different vulnerabilities affecting various Zyxel edge devices. There are different risks associated with these vulnerabilities. Threat actors could exploit some to execute OS commands and to cause a denial of service condition. CVE-2024-7261 is particularly critical as the attacker does not need to be authenticated, nor to have specific privileges in order to exploit this vulnerability.
The affected products include various makes of firewalls, routers, Wi-Fi extenders, and other device types. Such devices are regularly targeted by threat actors in order to gain initial access to a network and infect systems with malware, both for financial gain and for cyber espionage.
At this time, Zyxel is not aware of any active exploitation of these vulnerabilities (cut-off date: 3 September 2024).
Exploitation of the highest-rated vulnerabilities mentioned below can have a high impact on confidentiality, integrity, and availability.
Description
Zyxel released advisories for 9 different vulnerabilities.
The most critical vulnerability – CVE-2024-7261 – is an operating system (OS) command injection vulnerability. Improper neutralization of special elements in the parameter “host” in the CGI program of some AP and security router versions could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device.
In addition, Zyxel published patches for 8 other vulnerabilities:
CVE-2024-6343 is a buffer overflow vulnerability in the CGI program of some firewall versions.
Successful exploitation could allow an authenticated attacker with administrator privileges to cause denial of service (DoS) conditions by sending a crafted HTTP request to a vulnerable device.
CVE-2024-7203 is a post-authentication command injection vulnerability.
An authenticated attacker with administrator privileges could exploit this vulnerability to execute some operating system (OS) commands on an affected device by executing a crafted CLI command.
CVE-2024-42057 is a command injection vulnerability in the IPSec VPN feature of some firewall versions.
Successful exploitation of this vulnerability could allow an unauthenticated attacker to execute some OS commands on an affected device by sending a crafted username to the vulnerable device.
Please note that this attack could be successful only if the device was configured in User-Based-PSK authentication mode and a valid user with a long username exceeding 28 characters exists.
CVE-2024-42058 is a null pointer dereference vulnerability.
An unauthenticated attacker could exploit it to cause DoS conditions by sending crafted packets to a vulnerable device.
CVE-2024-42059 is a post-authentication command injection vulnerability.
Successful exploitation could allow an authenticated attacker with administrator privileges to execute some OS commands on an affected device by uploading a crafted compressed language file via FTP.
CVE-2024-42060 is a post-authentication command injection vulnerability.
An authenticated attacker with administrator privileges could exploit it to execute some OS commands on an affected device by uploading a crafted internal user agreement file to the vulnerable device.
CVE-2024-42061 is a reflected cross-site scripting (XSS) vulnerability in the CGI program “dynamic_script.cgi” of some firewall versions.
Successful exploitation could allow an attacker to trick a user into visiting a crafted URL with the XSS payload. The attacker could obtain browser-based information if the malicious script is executed on the victim’s browser.
CVE-2024-5412 is a buffer overflow vulnerability in the library "libclinkc" of some 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, WiFi extender, and security router devices.
An unauthenticated attacker could exploit it to cause denial of service (DoS) conditions by sending a crafted HTTP request to a vulnerable device.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices, after thorough testing.
Zyxel reports these vulnerabilities are addressed in patches:
- For CVE-2024-7261, you can find the affected models, versions and patches at https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-os-command-injection-vulnerability-in-aps-and-security-router-devices-09-03-2024.
- For CVE-2024-6343, CVE-2024-7203, CVE-2024-42057, CVE-2024-42058, CVE-2024-42059, CVE-2024-42060, CVE-2024-42061, you can find the affected models, versions and patches at https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-09-03-2024
- For CVE-2024-5412, you can find the affected models, versions and patches at https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-buffer-overflow-vulnerability-in-some-5g-nr-cpe-dsl-ethernet-cpe-fiber-ont-wifi-extender-and-security-router-devices-09-03-2024
Please note that some patches are updated by cloud. They are clearly indicated by Zyxel with an asterisk next to the version number in the various advisories.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.