Zyxel has released software updates to address two critical security flaws affecting some of its firewall and VPN products. These flaws can be exploited by a remote attacker to execute code.
Both CVE-2023-33009 and CVE-2023-33010 are buffer overflow vulnerabilities and are rated 9.8 out of 10 on the CVSS scoring system.
A brief description of the two issues follows.
- CVE-2023-33009 – A buffer overflow vulnerability in the notification function could allow an unauthenticated attacker to cause a denial-of-service (DoS) condition and remote code execution.
- CVE-2023-33010 – A buffer overflow vulnerability in the ID processing function could allow an unauthenticated attacker to cause a denial-of-service (DoS) condition leading to remote code execution.
The following devices are affected:
- ATP (versions ZLD V4.32 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2)
- USG FLEX (versions ZLD V4.50 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2)
- USG FLEX50(W) / USG20(W)-VPN (versions ZLD V4.25 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2)
- VPN (versions ZLD V4.30 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2), and
- ZyWALL/USG (versions ZLD V4.25 to V4.73 Patch 1, patched in ZLD V4.73 Patch 2)
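The affected ranges above can be turned into an inventory check. The following Python is an added example, not code from Zyxel or from this article; it assumes firmware versions are recorded in the notation used above ("ZLD V5.36 Patch 1"), and the series keys and inventory entries are constructed for illustration.

```python
import re

# Affected ranges from the list above, inclusive: (first affected, last affected).
# A version is (major, minor, patch); no "Patch N" suffix is treated as patch 0.
AFFECTED = {
    "ATP": ((4, 32, 0), (5, 36, 1)),
    "USG FLEX": ((4, 50, 0), (5, 36, 1)),
    "USG FLEX50(W) / USG20(W)-VPN": ((4, 25, 0), (5, 36, 1)),
    "VPN": ((4, 30, 0), (5, 36, 1)),
    "ZyWALL/USG": ((4, 25, 0), (4, 73, 1)),
}

_VERSION = re.compile(r"V(\d+)\.(\d+)(?:\s+Patch\s+(\d+))?\s*$", re.IGNORECASE)

def parse_version(text):
    """Parse a string such as 'ZLD V5.36 Patch 1' into (5, 36, 1)."""
    m = _VERSION.search(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def triage(series, version_text):
    """Classify one device against the advisory's range for its series."""
    if series not in AFFECTED:
        raise KeyError(f"series not covered by this advisory: {series!r}")
    first, last = AFFECTED[series]
    v = parse_version(version_text)
    if v < first:
        return "below listed range"  # older than anything the advisory lists
    return "affected" if v <= last else "patched"

# Constructed inventory rows: (hostname, series, firmware string).
INVENTORY = [
    ("fw-branch-01", "ATP", "ZLD V5.36 Patch 1"),
    ("fw-branch-02", "ATP", "ZLD V5.36 Patch 2"),
    ("fw-hq-01", "ZyWALL/USG", "ZLD V4.73"),
    ("vpn-lab-01", "VPN", "ZLD V4.20"),
]

def report(inventory):
    """Map each hostname to its triage status."""
    return {host: triage(series, ver) for host, series, ver in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

A device reported as "below listed range" runs firmware older than the advisory covers, so its status has to be confirmed against the vendor's own guidance rather than assumed safe.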
Security researchers at TRAPA Security and STAR Labs SG are credited with discovering and reporting the flaws.
This advisory comes less than a month after Zyxel shipped a fix for another critical security flaw in its firewall devices. That flaw could be exploited for remote code execution on the affected system.
The issue is tracked as CVE-2023-28771 (CVSS score: 9.8) and is also credited to TRAPA Security; the networking equipment maker attributes it to improper error message handling. It has since been actively exploited by threat actors associated with the Mirai botnet.