SB2023112820 - Multiple vulnerabilities in Zyxel firewalls and APs

Description

This security bulletin contains information about 9 secuirty vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2023-35136)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to improper input validation in the "Quagga" package. A local user can gain unauthorized access to configuration files on the target device.

2) Stored cross-site scripting (CVE-ID: CVE-2023-35139)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the CGI program. A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

3) Improper Privilege Management (CVE-ID: CVE-2023-37925)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to improper privilege management in the debug CLI command. A local user can access system files on the target device.

4) Buffer overflow (CVE-ID: CVE-2023-37926)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error. A local user can trigger memory corruption and cause a denial of service condition on the target system.

5) Buffer overflow (CVE-ID: CVE-2023-4397)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error. A local administrator can trigger memory corruption and cause a denial of service condition on the target system.

6) Integer overflow (CVE-ID: CVE-2023-4398)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to integer overflow in the source code of the QuickSec IPSec toolkit used in the VPN feature. A remote attacker can pass specially crafted data to the application, trigger integer overflow and cause a denial of service condition on the target system.

7) Improper Privilege Management (CVE-ID: CVE-2023-5650)

The vulnerability allows a local user to escalate privileges.

The vulnerability exists due to improper privilege management in the ZySH. A local user can modify the URL of the registration page in the web GUI of the target device.

8) Improper Privilege Management (CVE-ID: CVE-2023-5797)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to improper privilege management in the debug CLI command. A local user can access the administrator’s logs on the target device.

9) Improper Privilege Management (CVE-ID: CVE-2023-5960)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to improper privilege management in the hotspot feature. A local user can access the system files on the target device.

Remediation

Install update from vendor's website.

References

• https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-and-aps