Zyxel security advisory for DoS vulnerability of switches

CVEs: CVE-2022-43393

Summary

Zyxel has released patches for some switches affected by a denial-of-service (DoS) vulnerability. Customers are advised to install them for optimal protection.


What is the vulnerability?

An improper check for unusual or exceptional conditions in the HTTP request processing function of some Zyxel switch versions could allow an attacker to corrupt the contents of the memory and result in a DoS condition on an affected device.


What versions are vulnerable—and what should you do?

After a thorough investigation, we’ve identified the vulnerable products that are within their vulnerability support period and released patches to address the vulnerability, as shown in the table below.

Since switches are mostly deployed in a local area network (LAN) environment, most potential DoS attacks can be mitigated by firewalls or security gateways. Furthermore, for optimal protection, we suggest that customers set more stringent management rules for remote access to their switches, such as restricting HTTP or HTTPS access to the device management interface or limiting remote access to specific IP addresses.

Affected model   Affected version   Patch availability*
MGS3500-24S      4.10(ABBR.1)C0     4.10(ABBR.2)C0*
MGS3520-28       4.10(AATN.4)C0     4.10(AATN.5)C0*
MGS3520-28       4.10(ABQM.1)C0     4.10(ABQM.2)C0*
MGS3520-28F      4.10(AATM.3)C0     4.10(AATM.4)C0*
MGS3530-28       4.10(ACEM.1)C0     4.10(ACEM.2)C0*
MGS3530-28       4.10(ACFJ.0)C0     4.10(ACFJ.1)C0*

*Please reach out to your Zyxel sales representative or support team for the file.
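As an added example that is not part of Zyxel's advisory, the script below turns the table above into an inventory check: it parses the firmware strings (the train/branch/release layout is an assumption inferred from the table) and reports which listed devices still need the patch. Hostnames in the sample input are constructed.

```python
import re
from typing import Optional, Tuple

# Model / affected version / patched version, copied from the advisory table.
ADVISORY_TABLE = [
    ("MGS3500-24S", "4.10(ABBR.1)C0", "4.10(ABBR.2)C0"),
    ("MGS3520-28",  "4.10(AATN.4)C0", "4.10(AATN.5)C0"),
    ("MGS3520-28",  "4.10(ABQM.1)C0", "4.10(ABQM.2)C0"),
    ("MGS3520-28F", "4.10(AATM.3)C0", "4.10(AATM.4)C0"),
    ("MGS3530-28",  "4.10(ACEM.1)C0", "4.10(ACEM.2)C0"),
    ("MGS3530-28",  "4.10(ACFJ.0)C0", "4.10(ACFJ.1)C0"),
]

# Assumed layout of a version string such as "4.10(ABBR.1)C0": release train
# 4.10, branch code ABBR, sequential release 1, build C0.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")

def parse_version(text: str) -> Tuple[int, int, str, int, int]:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware version: {text!r}")
    major, minor, branch, release, build = m.groups()
    return (int(major), int(minor), branch, int(release), int(build))

def patch_for(model: str, version: str) -> Optional[str]:
    """Return the patched firmware a device should move to, or None when the
    model/branch is not listed or the device already runs the fix or later."""
    running = parse_version(version)
    for adv_model, _affected, fixed in ADVISORY_TABLE:
        fix = parse_version(fixed)
        # Compare only within the same model, release train and branch code;
        # another branch is a separate firmware line the table does not cover.
        if adv_model != model or running[:3] != fix[:3]:
            continue
        # Conservative: flag anything on that branch older than the patch, not
        # only the listed version (the table shows the release just before the fix).
        if running < fix:
            return fixed
    return None

def audit(inventory):
    """Yield (host, model, version, patched_version) for still-vulnerable devices."""
    for host, model, version in inventory:
        fixed = patch_for(model, version)
        if fixed is not None:
            yield (host, model, version, fixed)
```

Feed `audit()` rows of `(hostname, model, firmware)` taken from your switch inventory; devices on branches or models outside the table are not reported and should be checked against the vendor separately.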


Got a question?

If you are an ISP with customized models, please contact your Zyxel sales or service representative for further information or assistance. If you acquired your Zyxel device from an ISP, please reach out to the ISP's support team directly, as the device may have custom-built settings.


Acknowledgment

Thanks to Nikita Abramov from Positive Technologies for reporting the issue to us.


Revision history

2023-1-11: Initial release