Monday, March 10, 2025

Zyxel warns of critical OS command injection flaw in routers


Zyxel has released security updates to address a critical vulnerability impacting multiple models of its business routers, potentially allowing unauthenticated attackers to perform OS command injection.

The flaw, tracked as CVE-2024-7261 and assigned a CVSS v3 score of 9.8 ("critical"), is an input validation fault caused by improper handling of user-supplied data, allowing remote attackers to execute arbitrary commands on the host operating system.

"The improper neutralization of special elements in the parameter "host" in the CGI program of some AP and security router versions could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device," warns Zyxel.

The Zyxel access points (APs) impacted by CVE-2024-7261 are the following:

  • NWA Series: NWA50AX, NWA50AX PRO, NWA55AXE, NWA90AX, NWA90AX PRO, NWA110AX, NWA130BE, NWA210AX, NWA220AX-6E | all versions up to 7.00 are vulnerable, upgrade to 7.00(ABYW.2) and later
  • NWA1123-AC PRO | all versions up to 6.28 are vulnerable, upgrade to 6.28(ABHD.3) and later
  • NWA1123ACv3, WAC500, WAC500H | all versions up to 6.70 are vulnerable, upgrade to 6.70(ABVT.5) and later
  • WAC Series: WAC6103D-I, WAC6502D-S, WAC6503D-S, WAC6552D-S, WAC6553D-E | all versions up to 6.28 are vulnerable, upgrade to 6.28(AAXH.3) and later
  • WAX Series: WAX300H, WAX510D, WAX610D, WAX620D-6E, WAX630S, WAX640S-6E, WAX650S, WAX655E | all versions up to 7.00 are vulnerable, upgrade to 7.00(ACHF.2) and later
  • WBE Series: WBE530, WBE660S | all versions up to 7.00 are vulnerable, upgrade to 7.00(ACLE.2) and later

Zyxel says that the security router USG LITE 60AX running V2.00(ACIP.2) is also impacted, but this model is automatically updated via the cloud to V2.00(ACIP.3), which implements the patch for CVE-2024-7261.
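As an added example (not code from the article or from Zyxel), a small Python checker that maps a device model and its running firmware string to the patched releases listed above, so an inventory can be triaged against the advisory. The rule that a different build code within the same release train cannot be ordered is an assumption noted in the code.

```python
import re
from typing import NamedTuple, Optional

# First patched firmware per model, transcribed from the advisory table in the article
# above (keys upper-cased so lookups are case-insensitive).
FIXED_VERSION = {
    **dict.fromkeys(["NWA50AX", "NWA50AX PRO", "NWA55AXE", "NWA90AX", "NWA90AX PRO",
                     "NWA110AX", "NWA130BE", "NWA210AX", "NWA220AX-6E"], "7.00(ABYW.2)"),
    "NWA1123-AC PRO": "6.28(ABHD.3)",
    **dict.fromkeys(["NWA1123ACV3", "WAC500", "WAC500H"], "6.70(ABVT.5)"),
    **dict.fromkeys(["WAC6103D-I", "WAC6502D-S", "WAC6503D-S", "WAC6552D-S",
                     "WAC6553D-E"], "6.28(AAXH.3)"),
    **dict.fromkeys(["WAX300H", "WAX510D", "WAX610D", "WAX620D-6E", "WAX630S",
                     "WAX640S-6E", "WAX650S", "WAX655E"], "7.00(ACHF.2)"),
    **dict.fromkeys(["WBE530", "WBE660S"], "7.00(ACLE.2)"),
    "USG LITE 60AX": "2.00(ACIP.3)",
}

# Zyxel version strings look like "V7.00(ABYW.2)": release train, build code, patch number.
VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)$")

class FwVersion(NamedTuple):
    major: int
    minor: int
    build: str
    patch: int

def parse_version(text: str) -> FwVersion:
    """Split a Zyxel firmware string into (major, minor, build code, patch)."""
    m = VERSION_RE.match(text.strip().upper())
    if not m:
        raise ValueError(f"unrecognised Zyxel version string: {text!r}")
    return FwVersion(int(m[1]), int(m[2]), m[3], int(m[4]))

def is_vulnerable(model: str, running: str) -> Optional[bool]:
    """True if `running` predates the fix for `model`, False if it includes the fix,
    None if the model is not in the advisory table or the build code cannot be ordered."""
    fixed = FIXED_VERSION.get(model.strip().upper())
    if fixed is None:
        return None
    have, need = parse_version(running), parse_version(fixed)
    if (have.major, have.minor) != (need.major, need.minor):
        # Different release train: anything older than the fixed train is vulnerable.
        return (have.major, have.minor) < (need.major, need.minor)
    if have.build != need.build:
        # Same train but a different build code: assumed not orderable, so do not guess.
        return None
    return have.patch < need.patch
```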


More Zyxel fixes

Zyxel has also issued security updates for multiple high-severity flaws in ATP and USG FLEX firewalls. A summary can be found below:

  • CVE-2024-6343: Buffer overflow in the CGI program could lead to DoS via an authenticated admin sending a crafted HTTP request.
  • CVE-2024-7203: Post-authentication command injection allows an authenticated admin to execute OS commands via a crafted CLI command.
  • CVE-2024-42057: Command injection in IPSec VPN allows an unauthenticated attacker to execute OS commands with a crafted long username in User-Based-PSK mode.
  • CVE-2024-42058: Null pointer dereference could cause DoS via crafted packets sent by an unauthenticated attacker.
  • CVE-2024-42059: Post-authentication command injection allows an authenticated admin to execute OS commands by uploading a crafted compressed language file via FTP.
  • CVE-2024-42060: Post-authentication command injection allows an authenticated admin to execute OS commands by uploading a crafted internal user agreement file.
  • CVE-2024-42061: Reflected XSS in "dynamic_script.cgi" could allow an attacker to trick a user into visiting a crafted URL, potentially leaking browser-based information.

The most interesting of the above is CVE-2024-42057 (CVSS v3: 8.1, "high"), which is a command injection vulnerability in the IPSec VPN feature that can be remotely exploited without authentication.

Its severity is lessened by the specific configuration requirements for exploitation, including configuring the device in User-Based-PSK authentication mode and having a user with a username that is over 28 characters long.

For more details on the impacted firewalls, refer to Zyxel's advisory.
