Zyxel has launched safety updates to handle a vital vulnerability impacting a number of fashions of its enterprise routers, doubtlessly permitting unauthenticated attackers to carry out OS command injection.
The flaw, tracked as CVE-2024-7261 and assigned a CVSS v3 rating of 9.8 (“critical”), is an enter validation fault attributable to improper dealing with of user-supplied information, permitting distant attackers to execute arbitrary instructions on the host working system.
“The improper neutralization of special elements in the parameter “host” in the CGI program of some AP and security router versions could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device,” – warns Zyxel.
The Zyxel entry factors (APs) impacted by CVE-2024-7261 are the next:
- NWA Collection: NWA50AX, NWA50AX PRO, NWA55AXE, NWA90AX, NWA90AX PRO, NWA110AX, NWA130BE, NWA210AX, NWA220AX-6E | all variations as much as 7.00 are susceptible, improve to 7.00(ABYW.2) and later
- NWA1123-AC PRO | all variations as much as 6.28 are susceptible, improve to six.28(ABHD.3) and later
- NWA1123ACv3, WAC500, WAC500H | all variations as much as 6.70 are susceptible, improve to six.70(ABVT.5) Â and later
- WAC Collection: WAC6103D-I, WAC6502D-S, WAC6503D-S, WAC6552D-S, WAC6553D-E | all variations as much as 6.28 are susceptible, improve to six.28(AAXH.3) and later
- WAX Collection: WAX300H, WAX510D, WAX610D, WAX620D-6E, WAX630S, WAX640S-6E, WAX650S, WAX655E | all variations as much as 7.00 are susceptible, improve to 7.00(ACHF.2) and later
- WBE Collection: WBE530, WBE660S | all variations as much as 7.00 are susceptible, improve to 7.00(ACLE.2) and later
Zyxel says that safety router USG LITE 60AX working V2.00(ACIP.2) can also be impacted, however this mannequin is robotically up to date by cloud to V2.00(ACIP.3), which implements the patch for CVE-2024-7261.
Extra Zyxel fixes
Zyxel has additionally issued safety updates for a number of high-severity flaws in APT and USG FLEX firewalls. A abstract will be discovered under:
- CVE-2024-6343: Buffer overflow within the CGI program may result in DoS by an authenticated admin sending a crafted HTTP request.
- CVE-2024-7203: Publish-authentication command injection permits an authenticated admin to execute OS instructions by way of a crafted CLI command.
- CVE-2024-42057: Command injection in IPSec VPN permits an unauthenticated attacker to execute OS instructions with a crafted lengthy username in Consumer-Primarily based-PSK mode.
- CVE-2024-42058: Null pointer dereference may trigger DoS by way of crafted packets despatched by an unauthenticated attacker.
- CVE-2024-42059: Publish-authentication command injection permits an authenticated admin to execute OS instructions by importing a crafted compressed language file by way of FTP.
- CVE-2024-42060: Publish-authentication command injection permits an authenticated admin to execute OS instructions by importing a crafted inner consumer settlement file.
- CVE-2024-42061: Mirrored XSS in “dynamic_script.cgi” may permit an attacker to trick a consumer into visiting a crafted URL, doubtlessly leaking browser-based info.
Essentially the most fascinating of the above is CVE-2024-42057 (CVSS v3: 8.1, “high”), which is a command injection vulnerability within the IPSec VPN characteristic that may be remotely exploited with out authentication.
Its severity is lessened by the precise configuration necessities required for exploitation, together with configuring the system in Consumer-Primarily based-PSK authentication mode and having a consumer with a username that’s over 28 characters lengthy.
For extra particulars on the impacted firewalls, take a look at Zyxel’s advisory right here.
